Skip to main content

jshERP CVE-2026-11469

| EUVDEUVD-2026-35000 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-08 cna@vuldb.com GHSA-qm56-h2wg-g32x
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 00:26 vuln.today

DescriptionCVE.org

A flaw has been found in jishenghua jshERP up to 3.6. Impacted is the function insertPlatformConfig of the file jshERP-boot/src/main/java/com/jsh/erp/service/PlatformConfigService.java of the component platformConfig Add Endpoint. Executing a manipulation of the argument platformValue can lead to server-side request forgery. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Server-side request forgery in jishenghua jshERP up to version 3.6 allows a remote, highly-privileged attacker to manipulate the 'platformValue' argument of the platformConfig Add Endpoint, causing the server to issue forged HTTP requests to internal or external targets. The CVSS 4.0 base score of 2.0 reflects the high privilege requirement (PR:H), but exploitation is simplified by low complexity and no user interaction. A publicly available exploit exists (E:P confirmed in CVSS vector), and the project maintainer has not responded to the responsible disclosure issue filed on GitHub.

Technical ContextAI

jshERP is an open-source Java ERP platform (jishenghua/jshERP on GitHub). The vulnerable code resides in jshERP-boot/src/main/java/com/jsh/erp/service/PlatformConfigService.java within the insertPlatformConfig function, which handles the platformConfig Add Endpoint. CWE-918 (Server-Side Request Forgery) indicates the application accepts a user-controlled URL or host value ('platformValue') and passes it to a server-side HTTP request without adequate validation or allowlisting. This allows the server to be weaponized as a proxy to reach internal network resources, cloud metadata endpoints (e.g., 169.254.169.254), or to perform port scanning. The Java tag confirms the backend runtime; no CPE strings were provided, so affected versions are derived solely from the NVD description stating 'up to 3.6'.

RemediationAI

No vendor-released patch has been identified at time of analysis - the project maintainer did not respond to the responsible disclosure filed at https://github.com/jishenghua/jshERP/issues/155. As a compensating control, administrators should implement a strict server-side URL allowlist or blocklist for values accepted by the platformConfig Add Endpoint, preventing requests to RFC 1918 address space, loopback addresses, and cloud metadata endpoints such as 169.254.169.254. Restricting access to the platformConfig Add Endpoint to only trusted administrator IP ranges via network-layer controls (firewall, reverse proxy ACL) reduces exposure, though this has the trade-off of limiting remote admin usability. Deploying jshERP behind a network segment that blocks outbound HTTP from the ERP host to internal services limits the blast radius of SSRF exploitation. Organizations should monitor the upstream issue at https://github.com/jishenghua/jshERP/issues/155 for any maintainer patch response.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-11469 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy