EUVD-2026-12271
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Description
A security flaw has been discovered in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This affects the function uploadTestcaseZipUrl of the file business/business-oj/src/main/java/com/glowxq/oj/problem/controller/ProblemCaseController.java. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
Server-side request forgery in Glowxq OJ's test case upload functionality (ProblemCaseController.java) allows unauthenticated remote attackers to make arbitrary network requests from the affected server. Public exploit code is available and the vulnerability remains unpatched, with the vendor unresponsive to disclosure attempts.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all instances of glowxq-oj in your environment and immediately restrict network access to the application. Within 7 days: Implement WAF rules to block malicious uploadTestcaseZipUrl requests, disable the affected upload feature if operationally feasible, and segment the application from sensitive internal systems. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today