CVE-2026-10771
7.3 HIGHA vulnerability was found in crmeb crmeb_java 1.4
Published: 2026-06-03 · Last updated: 2026-06-04
Severity and scoring
- CVSS
- 7.3 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- CWE
- CWE-918
Description
A vulnerability was found in crmeb crmeb_java 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation of the argument url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-10771
- [Other]https://github.com/crmeb/crmeb_java/
- [Other]https://github.com/crmeb/crmeb_java/issues/35
- [Other]https://vuldb.com/cve/CVE-2026-10771
- [Other]https://vuldb.com/submit/831421
- [Other]https://vuldb.com/vuln/368137
- [Other]https://vuldb.com/vuln/368137/cti
Related CVEs
Same CWE
- CVE-2026-53812 — OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypa... (7.7 HIGH)
- CVE-2026-53782 — Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to dire... (7.4 HIGH)
- CVE-2026-47170 — Garlic-Hub manages digital signage network — devices, content, and playlists — from a single self-hosted interface (7.7 HIGH)
- CVE-2026-47157 — aiograpi is an asynchronous Instagram API for Python (6.5 MEDIUM)
- CVE-2026-46698 — Fediverse Embeds embeds fediverse posts on WordPress sites (5.3 MEDIUM)