EUVD-2026-16532
GHSA-pvrh-63rh-cj2q
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Tags
Description
A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus bis 1.3.44. Affected is an unknown function of the file /RemoteFormat.do of the component Endpoint. Such manipulation of the argument State leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
SQL injection in Shenzhen Ruiming Technology Streamax Crocus bis version 1.3.44 allows unauthenticated remote attackers to execute arbitrary SQL commands via the State parameter in the /RemoteFormat.do endpoint. Publicly available exploit code exists, as documented in a Feishu document linked in VulDB disclosure 353661. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify and inventory all systems running Streamax Crocus bis version 1.3.44 or earlier; determine network exposure and implement network-level access controls to restrict traffic to the /RemoteFormat.do endpoint. Within 7 days: Deploy WAF rules to block malicious SQL syntax in the State parameter; disable the RemoteFormat.do endpoint if operationally feasible; monitor application logs for SQL injection attempts. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today