Skip to main content

Shenzhen Ruiming Technology Streamax Crocus EUVDEUVD-2026-16654

| CVE-2026-4955 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-03-27 cna@vuldb.com
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
EUVD ID Assigned
Mar 27, 2026 - 15:22 euvd
EUVD-2026-16654
Analysis Generated
Mar 27, 2026 - 15:22 vuln.today
CVE Published
Mar 27, 2026 - 15:17 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. This impacts an unknown function of the file /OperateStatistic.do. The manipulation of the argument VehicleID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Streamax Crocus 1.3.44 contains a remote SQL injection vulnerability in the /OperateStatistic.do endpoint via the VehicleID parameter, allowing unauthenticated remote attackers to manipulate database queries and extract or modify sensitive data. Public exploit code exists for this vulnerability, and the vendor has not responded to early disclosure notifications, leaving affected deployments without an official patch.

Technical ContextAI

The vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), which reflects unsafe handling of user-supplied input in SQL query construction. Streamax Crocus is a vehicle telematics and fleet management platform developed by Shenzhen Ruiming Technology. The vulnerable endpoint /OperateStatistic.do accepts the VehicleID parameter without proper input validation or parameterized query mechanisms, allowing attackers to inject arbitrary SQL commands. The affected product version is 1.3.44, and the attack surface is the web application interface accessible over the network. No CPE string was provided in the available intelligence, but the product can be identified as Streamax Crocus by vendor and version.

RemediationAI

No vendor-released patch has been identified at the time of analysis, as the vendor did not respond to early disclosure notifications. Organizations running Streamax Crocus 1.3.44 should immediately implement network-level access controls to restrict connections to the /OperateStatistic.do endpoint to trusted administrative networks only, deploy a web application firewall (WAF) configured to detect and block SQL injection patterns in the VehicleID parameter, and conduct an urgent review of database logs for indicators of successful exploitation. Contact Shenzhen Ruiming Technology to request an emergency patched version or migration path. Consider isolation of affected systems from direct internet exposure and implementation of database-level query restrictions and activity monitoring until a vendor patch becomes available. References for additional context are available at https://vuldb.com/?id.353143 and https://vuldb.com/?submit.776083.

Share

EUVD-2026-16654 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy