EUVD-2026-34182
GHSA-8qxw-gwxm-v526
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
A vulnerability was found in crmeb crmeb_java 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation of the argument url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Server-side request forgery in crmeb_java 1.4 allows remote unauthenticated attackers to manipulate the base64 Qrcode endpoint's url parameter, causing the server to issue arbitrary outbound HTTP requests via Spring's RestTemplate.getForEntity. The affected component (RestTemplateUtil.java) passes attacker-controlled input directly to the HTTP client without URL validation or allowlisting, enabling internal network reconnaissance, cloud metadata service probing, and potential lateral movement. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions required for initial access - the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N confirms the endpoint is remotely reachable with no authentication (PR:N), no user interaction (UI:N), and low attack complexity. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.5 (Medium) reflects AV:N/AC:L/AT:N/PR:N/UI:N with low confidentiality, integrity, and availability impacts and no scope change (SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A public exploit exists, published as GitHub issue #35 against the crmeb_java repository. An unauthenticated attacker sends an HTTP request to the base64 Qrcode endpoint with the url parameter set to an internal target such as http://169.254.169.254/latest/meta-data/ (cloud IMDS) or an internal administrative API; the server's RestTemplate.getForEntity call fetches the resource and the response may be reflected back to the attacker or trigger observable side effects, revealing internal topology or credentials. |
| Remediation | No vendor-released patch has been identified at time of analysis - the maintainers have not responded to the responsible disclosure submitted via GitHub issue #35 (https://github.com/crmeb/crmeb_java/issues/35). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Reflected cross-site scripting in OpenClinic GA 5.351.19's DICOM image upload handler allows unauthenticated remote atta
Unsafe deserialization in Apache Fory fory-core Java SDK versions prior to 1.1.0 allows remote attackers to bypass the f
Path traversal in SAP NetWeaver Application Server Java's Web Container allows unauthenticated remote attackers to manip
Unsafe deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMess
Remote code execution risk in Spring Data MongoDB arises from a SpEL expression injection flaw (CWE-917) triggered durin
Share
External POC / Exploit Code
Leaving vuln.today