Skip to main content

Shenzhen Ruiming Technology Streamax Crocus CVE-2026-4956

| EUVDEUVD-2026-16656 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-03-27 cna@vuldb.com
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
EUVD ID Assigned
Mar 27, 2026 - 15:22 euvd
EUVD-2026-16656
Analysis Generated
Mar 27, 2026 - 15:22 vuln.today
CVE Published
Mar 27, 2026 - 15:17 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. The affected element is an unknown function of the file /DevicePrint.do?Action=ReadTask of the component Parameter Handler. The manipulation of the argument State results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in Streamax Crocus 1.3.44 parameter handler allows unauthenticated remote attackers to manipulate the State argument in /DevicePrint.do?Action=ReadTask endpoint, enabling database queries with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; the vendor has not responded to early disclosure notification and no patch is available.

Technical ContextAI

The vulnerability exists in the Parameter Handler component of Streamax Crocus 1.3.44, a video surveillance and device management platform by Shenzhen Ruiming Technology. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component-'Injection'), specifically SQL injection. The affected endpoint /DevicePrint.do?Action=ReadTask fails to properly sanitize or parameterize the State argument before passing it to SQL queries, allowing attackers to craft malicious SQL statements. This is a classic input validation failure where user-supplied data reaches the database layer without proper escaping or prepared statement use.

RemediationAI

No vendor-released patch is identified at time of analysis. Immediate actions: (1) Upgrade Streamax Crocus to a version newer than 1.3.44 if the vendor releases one; monitor vendor communication channels and VulDB for patch announcements. (2) As interim mitigation, restrict network access to the /DevicePrint.do endpoint via firewall or reverse proxy to trusted administrative networks only. (3) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the State parameter (e.g., detection of single quotes, UNION keywords, or comment sequences). (4) Enable database activity monitoring and alerting on unusual SQL patterns from the Crocus application account. (5) Conduct database access reviews to ensure Crocus runs with minimum required privileges (no administrative database roles). References: VulDB entry at https://vuldb.com/?id.353833 and https://vuldb.com/?ctiid.353833.

Share

CVE-2026-4956 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy