{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3189", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-25T08:32:16.087Z", "datePublished": "2026-02-25T16:02:09.732Z", "dateUpdated": "2026-02-25T20:18:20.086Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-25T16:02:09.732Z"}, "title": "feiyuchuixue sz-boot-parent download server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "feiyuchuixue", "product": "sz-boot-parent", "versions": [{"version": "1.3.2-beta", "status": "affected"}, {"version": "1.3.3-beta", "status": "unaffected"}]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This vulnerability affects unknown code of the file /api/admin/common/files/download. Executing a manipulation of the argument url can lead to server-side request forgery. The attack can be executed remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. Upgrading to version 1.3.3-beta is able to resolve this issue. This patch is called aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is advised. The project was informed beforehand and acted very professional: \"We have added a URL protocol whitelist validation to the file download interface, allowing only http and https protocols.\""}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X", "baseSeverity": "LOW"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.1, "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C"}}], "timeline": [{"time": "2026-02-25T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-25T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-25T09:37:28.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "yuccun (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.347747", "name": "VDB-347747 | feiyuchuixue sz-boot-parent download server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.347747", "name": "VDB-347747 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.754042", "name": "Submit #754042 | feiyuchuixue https://github.com/feiyuchuixue/sz-boot-parent sz-boot-parent <= v1.3.2-beta Arbitrary_File_Read/SSRF", "tags": ["third-party-advisory"]}, {"url": "https://github.com/yuccun/CVE/blob/main/sz-boot-parent-SSRF_and_Arbitrary_File_Read.md", "tags": ["related"]}, {"url": "https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802", "tags": ["patch"]}, {"url": "https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta", "tags": ["patch"]}, {"url": "https://github.com/feiyuchuixue/sz-boot-parent/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T20:18:02.212087Z", "id": "CVE-2026-3189", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T20:18:20.086Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3189", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T20:18:02.212087Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T20:18:10.723Z"}}], "cna": {"tags": ["x_open-source"], "title": "feiyuchuixue sz-boot-parent download server-side request forgery", "credits": [{"lang": "en", "type": "reporter", "value": "yuccun (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.1, "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C"}}], "affected": [{"vendor": "feiyuchuixue", "product": "sz-boot-parent", "versions": [{"status": "affected", "version": "1.3.2-beta"}, {"status": "unaffected", "version": "1.3.3-beta"}]}], "timeline": [{"lang": "en", "time": "2026-02-25T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-25T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-25T09:37:28.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.347747", "name": "VDB-347747 | feiyuchuixue sz-boot-parent download server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.347747", "name": "VDB-347747 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.754042", "name": "Submit #754042 | feiyuchuixue https://github.com/feiyuchuixue/sz-boot-parent sz-boot-parent <= v1.3.2-beta Arbitrary_File_Read/SSRF", "tags": ["third-party-advisory"]}, {"url": "https://github.com/yuccun/CVE/blob/main/sz-boot-parent-SSRF_and_Arbitrary_File_Read.md", "tags": ["related"]}, {"url": "https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802", "tags": ["patch"]}, {"url": "https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta", "tags": ["patch"]}, {"url": "https://github.com/feiyuchuixue/sz-boot-parent/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This vulnerability affects unknown code of the file /api/admin/common/files/download. Executing a manipulation of the argument url can lead to server-side request forgery. The attack can be executed remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. Upgrading to version 1.3.3-beta is able to resolve this issue. This patch is called aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is advised. The project was informed beforehand and acted very professional: \"We have added a URL protocol whitelist validation to the file download interface, allowing only http and https protocols.\""}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-25T16:02:09.732Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3189", "state": "PUBLISHED", "dateUpdated": "2026-02-25T20:18:20.086Z", "dateReserved": "2026-02-25T08:32:16.087Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-25T16:02:09.732Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This vulnerability affects unknown code of the file /api/admin/common/files/download. Executing a manipulation of the argument url can lead to server-side request forgery. The attack can be executed remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. Upgrading to version 1.3.3-beta is able to resolve this issue. This patch is called aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is advised. The project was informed beforehand and acted very professional: \"We have added a URL protocol whitelist validation to the file download interface, allowing only http and https protocols.\""}, {"lang": "es", "value": "Se ha identificado una debilidad en feiyuchuixue sz-boot-parent hasta 1.3.2-beta. Esta vulnerabilidad afecta c\u00f3digo desconocido del archivo /API/admin/common/files/download. La ejecuci\u00f3n de una manipulaci\u00f3n del argumento url puede conducir a falsificaci\u00f3n de petici\u00f3n del lado del servidor. El ataque puede ejecutarse de forma remota. Los ataques de esta naturaleza son altamente complejos. Se afirma que la explotabilidad es dif\u00edcil. La actualizaci\u00f3n a la versi\u00f3n 1.3.3-beta es capaz de resolver este problema. Este parche se llama aefaabfd7527188bfba3c8c9eee17c316d094802. Se aconseja actualizar el componente afectado. El proyecto fue informado de antemano y actu\u00f3 de manera muy profesional: 'Hemos a\u00f1adido una validaci\u00f3n de lista blanca de protocolo URL a la interfaz de descarga de archivos, permitiendo solo los protocolos HTTP y HTTPS.'"}], "id": "CVE-2026-3189", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-25T17:25:42.470", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/feiyuchuixue/sz-boot-parent/"}, {"source": "cna@vuldb.com", "url": "https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802"}, {"source": "cna@vuldb.com", "url": "https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta"}, {"source": "cna@vuldb.com", "url": "https://github.com/yuccun/CVE/blob/main/sz-boot-parent-SSRF_and_Arbitrary_File_Read.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.347747"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.347747"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.754042"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.3.2-beta"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.3.3-beta"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "sz-boot-parent", "source": "cna", "vendor": "feiyuchuixue"}, "product": "sz-boot-parent", "vendor": "feiyuchuixue"}], "analysis": {"en": {"generated_at": "2026-04-17T15:10:22.341457+00:00", "value": {"mitigation_remediation": ["Upgrade sz\u2011boot\u2011parent to version 1.3.3\u2011beta or later, which includes a whitelist that permits only http and https protocols.", "If an immediate upgrade is not feasible, restrict the download endpoint by validating the url parameter so that only http and https schemes are accepted and all other protocols are rejected.", "Monitor the application\u2019s outbound HTTP traffic for unexpected requests as an early detection of potential SSRF exploitation."], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The flaw exists in all releases of sz\u2011boot\u2011parent up to and including 1.3.2\u2011beta. The project has released version 1.3.3\u2011beta, which implements a protocol whitelist that allows only http and https URLs in the download interface. Users running any earlier version are susceptible.", "description_and_impact": "The vulnerability is a server\u2011side request forgery in feiyuchuixue\u2019s sz\u2011boot\u2011parent, triggered by manipulating the url argument to the /api/admin/common/files/download endpoint. A remote attacker can cause the application to send arbitrary HTTP requests to any target chosen by the attacker. The description notes that the exploit is highly complex and difficult, so the likelihood of successful exploitation in the wild is low. However, a successful SSRF could expose internal services or allow data exfiltration, and it is identified as CWE\u2011918.", "risk_and_exploitability": "The CVSS score of 2.3 indicates a low severity rating, and the EPSS score of less than 1% combined with a non\u2011listed status in the KEV catalog suggests that widespread exploitation is unlikely. Because the attack vector is remote and the exploitation process is complex, the overall risk is moderate. Nonetheless, organizations should still address the issue promptly to eliminate the SSRF surface area."}}}}, "created": "2026-02-26T13:15:45.094122+00:00", "updated": "2026-04-17T15:15:21.855640+00:00", "vendors": ["feiyuchuixue", "feiyuchuixue$PRODUCT$sz-boot-parent"]}