Is there a public PoC exploit available for EUVD-2026-38151?

Yes, a public proof-of-concept exploit is available for EUVD-2026-38151. Prioritise patching immediately.

ADP Application Developer Platform EUVD-2026-38151

Q: What is the CVSS score of EUVD-2026-38151?

EUVD-2026-38151 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

| CVE-2026-12787 LOW

Deserialization of Untrusted Data (CWE-502)

2026-06-21 VulDB

GHSA-wmfm-hrqf-22p6

Deserialization Adp Application Developer Platform

2.1

CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY

2.1 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI

6.3 MEDIUM

Network endpoint requires low-privilege auth (PR:L); no scope change confirmed; impact capped at Low (C/I/A:L) consistent with provided CVSS 4.0 assessment pending RCE confirmation.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Jun 22, 2026 - 06:31 vuln.today

Severity Changed

Jun 21, 2026 - 09:22 NVD

MEDIUM LOW

CVSS changed

Jun 21, 2026 - 09:22 NVD

5.3 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A vulnerability was found in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0. This affects an unknown part of the component testConnection Endpoint. The manipulation of the argument jdbcUrl results in deserialization. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Unsafe deserialization in zhilink ADP Application Developer Platform 1.0.0 exposes the testConnection endpoint to remote exploitation by low-privilege authenticated users via manipulation of the jdbcUrl parameter. A public exploit has been published (linked via Feishu document) despite vendor non-response to coordinated disclosure. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate with low-privilege account

Delivery

Send crafted HTTP request to testConnection

Exploit

Inject malicious jdbcUrl payload

Execution

Trigger server-side deserialization

Impact

Achieve limited data access or code execution

Access

Authenticate with low-privilege account

Delivery

Send crafted HTTP request to testConnection

Exploit

Inject malicious jdbcUrl payload

Execution

Trigger server-side deserialization

Impact

Achieve limited data access or code execution

Vulnerability AssessmentAI

Exploitation	Exploitation requires a valid low-privilege authenticated session on the ADP Application Developer Platform - PR:L in the CVSS 4.0 vector confirms authentication is required, ruling out unauthenticated remote exploitation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The provided CVSS 4.0 base score of 2.1 (VC:L/VI:L/VA:L) is notably low for a CWE-502 deserialization vulnerability, which commonly enables remote code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated low-privilege user - such as a developer with a standard platform account - sends a crafted HTTP request to the testConnection endpoint, supplying a malicious jdbcUrl value that, when deserialized server-side, triggers a gadget chain or unexpected object instantiation. A public proof-of-concept exists (Feishu-hosted document linked in CVE references), meaning the exploitation technique is documented and reproducible by attackers with basic Java deserialization knowledge. …
Remediation	No vendor-released patch identified at time of analysis - zhilink did not respond to coordinated disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-12788 LOW Monitor POC

2.1 Jun 21

XML External Entity (XXE) injection in zhilink ADP Application Developer Platform 1.0.0 enables authenticated remote att

EUVD-2026-38151 vulnerability details – vuln.today

Back