CVE-2026-2621

7.3 HIGH

SQL Injection

📋 TL;DR

This SQL injection vulnerability in Sciyon Koyuan Thermoelectricity Heat Network Management System 3.0 allows remote attackers to execute arbitrary SQL commands via the PGUID parameter in /SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx. Organizations using this specific energy management software are affected, particularly those with internet-facing installations.

💻 Affected Systems

Products:

• Sciyon Koyuan Thermoelectricity Heat Network Management System

Versions: Version 3.0

Operating Systems: Windows (assumed based on ASP.NET technology)

Default Config Vulnerable: ⚠️ Yes

Notes: Specifically affects the /SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx endpoint with PGUID parameter manipulation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

1. Review the CVE details at NVD
2. Check vendor security advisories for your specific version
3. Test if the vulnerability is exploitable in your environment
4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, and potential system takeover via SQL injection leading to remote code execution.

🟠

Likely Case

Unauthorized database access leading to sensitive information disclosure, data manipulation, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation preventing exploitation attempts.

🌐 Internet-Facing: HIGH - Remote exploitation capability with public exploit details available makes internet-facing systems particularly vulnerable.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit details available on GitHub, remote exploitation possible without authentication, making this easily weaponizable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Contact vendor Sciyon for updates. Consider implementing workarounds or replacing the system.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

all

Implement WAF rules to block SQL injection patterns targeting the PGUID parameter in the vulnerable endpoint.

Input Validation Filter

windows

Add server-side input validation to sanitize PGUID parameter before processing.

🧯 If You Can't Patch

• Network segmentation: Isolate the system from internet access and restrict internal access to authorized users only.
• Implement strict monitoring and alerting for SQL injection attempts targeting the vulnerable endpoint.

🔍 How to Verify

Check if Vulnerable:

Copy

Test the endpoint /SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx with SQL injection payloads in the PGUID parameter and observe database errors or unexpected responses.

Check Version:

Copy

Check system documentation or contact vendor to confirm version 3.0 is installed.

Verify Fix Applied:

Copy

Verify that SQL injection attempts no longer succeed and that input validation is properly implemented for the PGUID parameter.

📡 Detection & Monitoring

Log Indicators:

• Unusual SQL queries in application logs
• Multiple failed login attempts or parameter manipulation in web server logs
• Database error messages containing SQL syntax

Network Indicators:

• HTTP requests to /SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx with SQL injection patterns in parameters
• Unusual database connection patterns from web server

SIEM Query:

Copy

source="web_server" AND uri="/SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx" AND (param="PGUID" AND value CONTAINS "' OR " OR "--" OR ";")

📊 Metadata

CVE ID: CVE-2026-2621

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

Published: February 17, 2026

Last Updated: February 18, 2026

🔗 References

• https://github.com/red88-debug/CVEs/blob/main/Koyuan%20Thermoelectricity%20Heat%20Network%20Management%20System%20SQL%20Injection%20Vulnerability.md
• https://vuldb.com/?ctiid.346272
• https://vuldb.com/?id.346272
• https://vuldb.com/?submit.751809

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2621, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)

CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)

CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)