{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-9437","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2026-05-24T07:14:10.469Z","datePublished":"2026-05-25T07:15:09.410Z","dateUpdated":"2026-05-26T13:12:46.356Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2026-05-25T07:15:09.410Z"},"title":"DTStack Taier REST API Runtime.exec os command injection","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-78","lang":"en","description":"OS Command Injection"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-77","lang":"en","description":"Command Injection"}]}],"affected":[{"vendor":"DTStack","product":"Taier","versions":[{"version":"1.4.0","status":"affected"}],"cpes":["cpe:2.3:a:dtstack:taier:*:*:*:*:*:*:*:*"],"modules":["REST API"]}],"descriptions":[{"lang":"en","value":"A vulnerability has been found in DTStack Taier 1.4.0. This affects the function Runtime.exec of the component REST API. The manipulation of the argument sqlText leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}],"metrics":[{"cvssV4_0":{"version":"4.0","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","baseSeverity":"MEDIUM"}},{"cvssV3_1":{"version":"3.1","baseScore":6.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","baseSeverity":"MEDIUM"}},{"cvssV3_0":{"version":"3.0","baseScore":6.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","baseSeverity":"MEDIUM"}},{"cvssV2_0":{"version":"2.0","baseScore":6.5,"vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}],"timeline":[{"time":"2026-05-24T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2026-05-24T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2026-05-24T09:19:14.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"fakebug (VulDB User)","type":"reporter"},{"lang":"en","value":"VulDB CNA Team","type":"coordinator"}],"references":[{"url":"https://vuldb.com/vuln/365418","name":"VDB-365418 | DTStack Taier REST API Runtime.exec os command injection","tags":["vdb-entry","technical-description"]},{"url":"https://vuldb.com/vuln/365418/cti","name":"VDB-365418 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"]},{"url":"https://vuldb.com/submit/813941","name":"Submit #813941 | DTStack Taier 1.4.0 Code Injection","tags":["third-party-advisory"]},{"url":"https://github.com/fakebug111/my_public_bug/blob/main/issus02.md","tags":["exploit"]}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-26T13:12:38.696025Z","id":"CVE-2026-9437","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-26T13:12:46.356Z"}}]}}