Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A flaw has been found in jishenghua jshERP up to 3.6. Impacted is the function insertPlatformConfig of the file jshERP-boot/src/main/java/com/jsh/erp/service/PlatformConfigService.java of the component platformConfig Add Endpoint. Executing a manipulation of the argument platformValue can lead to server-side request forgery. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Server-side request forgery in jishenghua jshERP up to version 3.6 allows a remote, highly-privileged attacker to manipulate the 'platformValue' argument of the platformConfig Add Endpoint, causing the server to issue forged HTTP requests to internal or external targets. The CVSS 4.0 base score of 2.0 reflects the high privilege requirement (PR:H), but exploitation is simplified by low complexity and no user interaction. A publicly available exploit exists (E:P confirmed in CVSS vector), and the project maintainer has not responded to the responsible disclosure issue filed on GitHub.
Technical ContextAI
jshERP is an open-source Java ERP platform (jishenghua/jshERP on GitHub). The vulnerable code resides in jshERP-boot/src/main/java/com/jsh/erp/service/PlatformConfigService.java within the insertPlatformConfig function, which handles the platformConfig Add Endpoint. CWE-918 (Server-Side Request Forgery) indicates the application accepts a user-controlled URL or host value ('platformValue') and passes it to a server-side HTTP request without adequate validation or allowlisting. This allows the server to be weaponized as a proxy to reach internal network resources, cloud metadata endpoints (e.g., 169.254.169.254), or to perform port scanning. The Java tag confirms the backend runtime; no CPE strings were provided, so affected versions are derived solely from the NVD description stating 'up to 3.6'.
RemediationAI
No vendor-released patch has been identified at time of analysis - the project maintainer did not respond to the responsible disclosure filed at https://github.com/jishenghua/jshERP/issues/155. As a compensating control, administrators should implement a strict server-side URL allowlist or blocklist for values accepted by the platformConfig Add Endpoint, preventing requests to RFC 1918 address space, loopback addresses, and cloud metadata endpoints such as 169.254.169.254. Restricting access to the platformConfig Add Endpoint to only trusted administrator IP ranges via network-layer controls (firewall, reverse proxy ACL) reduces exposure, though this has the trade-off of limiting remote admin usability. Deploying jshERP behind a network segment that blocks outbound HTTP from the ERP host to internal services limits the blast radius of SSRF exploitation. Organizations should monitor the upstream issue at https://github.com/jishenghua/jshERP/issues/155 for any maintainer patch response.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35000
GHSA-qm56-h2wg-g32x