Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was detected in QingdaoU OnlineJudge up to 1.6.1. Affected by this issue is the function service_url of the file JudgeServer.service_url of the component judge_server_heartbeat Endpoint. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Server-side request forgery (SSRF) in QingdaoU OnlineJudge up to version 1.6.1 allows authenticated remote attackers to perform arbitrary HTTP requests via the judge_server_heartbeat endpoint's service_url parameter, enabling potential exfiltration of internal data, interaction with internal services, or lateral movement within the target network. The vendor has not responded to disclosure attempts, and no official patch has been released.
Technical ContextAI
The vulnerability resides in the JudgeServer.service_url component of the judge_server_heartbeat endpoint, which processes a service_url parameter without proper input validation or URL scheme restriction. This is a classic CWE-918 (Server-Side Request Forgery) vulnerability where user-supplied URLs are fetched server-side without sanitization. An authenticated user can manipulate the service_url parameter to point to internal IP addresses (127.0.0.1, 192.168.x.x), private cloud metadata endpoints (169.254.169.254), or other sensitive internal services, causing the OnlineJudge server to make requests on their behalf. The CPE cpe:2.3:a:qingdaou:onlinejudge:*:*:*:*:*:*:*:* indicates all versions up to and including 1.6.1 are affected.
RemediationAI
No vendor-released patch has been identified at time of analysis, and the vendor has not responded to early disclosure contact. Organizations operating QingdaoU OnlineJudge should: (1) restrict access to the judge_server_heartbeat endpoint to trusted internal networks only via network segmentation or WAF rules; (2) implement egress filtering on the OnlineJudge server to block outbound connections to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints (169.254.169.254); (3) apply URL scheme whitelisting (if any code review is feasible) to reject non-http/https protocols; (4) monitor authentication logs and requests to the heartbeat endpoint for suspicious service_url parameter values pointing to internal addresses; and (5) evaluate alternative online judge platforms with active security maintenance if prolonged unavailability of a patch becomes untenable. Monitor https://vuldb.com/vuln/355291 for future vendor updates.
More in Onlinejudge
View allSame weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19024
GHSA-fpw6-p57h-mv5q