CVE-2026-1050 MEDIUM

CVE-2026-1050: risesoft-y9 Digital-Infrastructure REST Authenticate Endpoint Y9PlatformUtil.java sql injection

Vendor Risesoft-Y9

Product Digital-Infrastructure

Weakness CWE-89 · SQLi

Published January 17, 2026

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A flaw has been found in risesoft-y9 Digital-Infrastructure up to 9.6.7. This affects an unknown function of the file source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java of the component REST Authenticate Endpoint. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Key dates

Disclosure timeline

January 17, 2026 CVE published

February 26, 2026 Record updated

Identifiers

CVE CVE-2026-1050

CWE CWE-89

CVSS 6.9 / MEDIUM

Affected versions

Vendor Risesoft-Y9

Product Digital-Infrastructure

Affected 9.6.0

Vendor Risesoft-Y9

Product Digital-Infrastructure

Affected 9.6.1

Vendor Risesoft-Y9

Product Digital-Infrastructure

Affected 9.6.2

Vendor Risesoft-Y9

Product Digital-Infrastructure

Affected 9.6.3

Vendor Risesoft-Y9

Product Digital-Infrastructure

Affected 9.6.4

Vendor Risesoft-Y9

Product Digital-Infrastructure

Affected 9.6.5

Vendor Risesoft-Y9

Product Digital-Infrastructure

Affected 9.6.6

Vendor Risesoft-Y9

Product Digital-Infrastructure

Affected 9.6.7