Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable import endpoint with no complexity barriers; PR:L because authentication is confirmed required; S:U as subsequent-system impact is assessed absent; C/I/A:L reflecting limited but real file-read and SSRF potential.
Primary rating from Vendor (VulDB).
Description (CVE.org)
A vulnerability was determined in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0. This vulnerability affects unknown code of the file /adpweb/a/base/barcodeDetail/import of the component XML Parser. This manipulation causes xml external entity reference. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
XML External Entity (XXE) injection in zhilink ADP Application Developer Platform 1.0.0 enables authenticated remote attackers to manipulate the XML parser at the /adpweb/a/base/barcodeDetail/import endpoint, potentially exposing local files or facilitating server-side request forgery against internal infrastructure. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege exploitation with a publicly disclosed proof-of-concept published on Feishu. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires a valid low-privilege account on the ADP Application Developer Platform (CVSS PR:L); unauthenticated exploitation is not indicated by the CVSS vector. … |
| Risk Assessment | The CVSS 4.0 base score of 2.1 appears conservative given the publicly available exploit code (E:P threat modifier) and the total absence of a vendor patch. … |
| Exploit Scenario | An attacker with a valid low-privilege account on the ADP platform crafts an XML document containing an external entity declaration pointing to a local file (e.g., /etc/passwd or application configuration files) and submits it to the /adpweb/a/base/barcodeDetail/import endpoint. The unpatched XML parser resolves the external entity and returns its contents in the response or an error message, disclosing sensitive data. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the vendor did not respond to pre-disclosure contact. … |
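The exploit scenario and remediation rows describe an import endpoint whose XML parser resolves external entities and returns the result. The Python below is an added example, not code from the ADP platform, from vuln.today or from the disclosed PoC; it shows the receiving-side fix that applies regardless of vendor patch status: screen the uploaded bytes with expat handlers that refuse any DOCTYPE or entity declaration, and only then hand the document to the real parser. The barcode document layout, the `handle_import` function and the sample uploads are assumptions made for illustration.

```python
"""
Hardened XML intake for an import endpoint (added example; assumes the
handler receives the raw upload as bytes and that the import format
needs no DTD, so every DOCTYPE or entity declaration is rejected up front).
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class ForbiddenXml(ValueError):
    """Raised when an upload uses the DTD features that make XXE possible."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE is refused: an internal subset can declare entities and an
    # external subset is fetched from a URL chosen by the sender.
    raise ForbiddenXml(f"DOCTYPE '{name}' not allowed")


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    # Defense in depth: unreachable once DOCTYPE is refused, kept so the
    # policy still holds if someone later relaxes the DOCTYPE rule.
    raise ForbiddenXml(f"entity declaration '{name}' not allowed")


def _reject_external_ref(context, base, sysid, pubid):
    # Same role as above for references that expat would otherwise resolve.
    raise ForbiddenXml(f"external entity reference to {sysid!r} not allowed")


def screen_xml(data: bytes) -> None:
    """First pass over the raw bytes; raises ForbiddenXml on any DTD use."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _reject_external_ref
    parser.Parse(data, True)  # an exception in a handler aborts the parse


def safe_parse(data: bytes) -> ET.Element:
    """Screen first, then parse with ElementTree; returns the root element."""
    screen_xml(data)
    return ET.fromstring(data)


def handle_import(data: bytes) -> str:
    """Assumed import handler: returns a summary a test or audit log can check."""
    try:
        root = safe_parse(data)
    except ForbiddenXml as exc:
        return f"rejected: {exc}"
    except (expat.ExpatError, ET.ParseError) as exc:
        return f"rejected: malformed XML ({exc})"
    count = len(root.findall("barcode"))
    return f"accepted: {count} barcode(s)"


# Constructed sample uploads for the assumed <barcodes> import format.
BENIGN_DOC = (
    b'<?xml version="1.0"?>'
    b'<barcodes><barcode code="4006381333931"/><barcode code="0123456789012"/></barcodes>'
)
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE barcodes [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<barcodes><barcode code="&xxe;"/></barcodes>'
)
DOCTYPE_ONLY_DOC = b"<!DOCTYPE barcodes><barcodes/>"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_DOC), ("xxe", XXE_DOC), ("doctype", DOCTYPE_ONLY_DOC)]:
        print(label, "->", handle_import(doc))
```

Refusing every DOCTYPE, not just ones that declare entities, is the simplest policy that closes both file disclosure and the SSRF path, since an external subset or external entity is itself a server-side fetch. The Java equivalent for a JAXP-based application is enabling the `http://apache.org/xml/features/disallow-doctype-decl` feature on the `DocumentBuilderFactory` before parsing.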
Related identifiers
- EUVD-2026-38152
- GHSA-x2fm-rmw7-73v2