PT-2026-36756 · Shandong Hoteam · Pdm Product Data Management System
Red88-Debug · Published 2026-05-04 · Updated 2026-05-24 · CVE-2026-7727
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Shandong Hoteam Software PDM Product Data Management System versions prior to 8.3.10
Description
A remote SQL injection can be initiated through manipulation of the SortOrder argument. This issue affects the GetQueryMachineGridOnePageData() function within the '/Base/BaseService.asmx/DataService' endpoint.
Recommendations
Upgrade to version 8.3.10.
As a temporary workaround, restrict access to the '/Base/BaseService.asmx/DataService' endpoint or avoid using the SortOrder argument until the update is applied.
Exploit
Fix
Special Elements Injection
SQL injection
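One way to apply the temporary workaround in a proxy or request filter placed in front of the endpoint, as an added example that is not code from the advisory or the vendor. It assumes parameters arrive URL-encoded in the query string or form body and that a legitimate SortOrder is a comma-separated list of column names with optional ASC/DESC; the advisory states neither, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Endpoint named in the advisory; IIS matches paths case-insensitively.
ENDPOINT = "/base/baseservice.asmx/dataservice"

# ASSUMED grammar for a benign value: column names (optionally table.column),
# each optionally followed by ASC or DESC, separated by commas. Adjust it to
# what the application's grids actually send before enforcing.
_NAME = r"[A-Za-z_][A-Za-z0-9_]{0,63}"
_TERM = _NAME + r"(?:\." + _NAME + r")?(?:\s+(?:ASC|DESC))?"
SORT_RE = re.compile(rf"\s*{_TERM}\s*(?:,\s*{_TERM}\s*)*", re.IGNORECASE)


def sort_order_values(encoded: str) -> list[str]:
    """Return every decoded SortOrder value from a query string or form body."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    return [value for key, value in pairs if key.lower() == "sortorder"]


def decide(path: str, encoded_params: str) -> str:
    """Return 'allow' or 'block' for one request to the application."""
    if path.rstrip("/").lower() != ENDPOINT:
        return "allow"  # other endpoints are out of scope for this check
    values = sort_order_values(encoded_params)
    if len(values) > 1:
        return "block"  # duplicates: the filter and the app may read different ones
    for value in values:
        # An empty value is treated as "argument not used" and passes.
        if value and not SORT_RE.fullmatch(value):
            return "block"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    target = "/Base/BaseService.asmx/DataService"
    for params in ("SortOrder=Name+DESC", "SortOrder=Name%27", "SortOrder="):
        print(f"{params!r:24} -> {decide(target, params)}")
```

Run the filter in log-only mode first: anything it would block that turns out to be legitimate shows where the assumed grammar needs widening.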
Related Identifiers
Affected Products
Pdm Product Data Management System