VYPR
← All advisories
Medium severity4.7NVD Advisory· Published Jun 8, 2026

CVE-2026-11469

CVE-2026-11469

Description

Server-Side Request Forgery in jshERP up to 3.6 allows remote attackers to probe internal services via manipulated platform configuration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Server-Side Request Forgery in jshERP up to 3.6 allows remote attackers to probe internal services via manipulated platform configuration.

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in the platformConfig Add Endpoint of jishenghua jshERP up to version 3.6. The flaw resides in the insertPlatformConfig function within PlatformConfigService.java. By manipulating the platformValue argument when the platformKey is set to weixinUrl, an attacker can cause the application to make arbitrary outbound HTTP GET requests.

Exploitation

An attacker can exploit this vulnerability by sending a POST request to the /platformConfig/add endpoint with a JSON payload containing "platformKey": "weixinUrl" and "platformValue": "<malicious_url>". This configuration is stored in the database. Subsequently, when the system attempts to invoke WeChat-related functions like getAccessToken, getUserByWeixinCode, or weixinBind, it retrieves the stored malicious URL and passes it to an HTTP client without proper validation, triggering the SSRF.

Impact

Successful exploitation allows an attacker to perform arbitrary outbound HTTP GET requests. This can be used to probe internal services, access cloud metadata endpoints, or bypass network restrictions, potentially leading to information disclosure or further compromise of internal systems. The attack can be performed remotely.

Mitigation

The project has been informed of the vulnerability, but as of the available references, no patch or fixed version has been released, and no workaround is currently disclosed. The project has not responded to the issue report [2].

References
  1. [security] Stored SSRF in jshERP-boot

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Jishenghua/Jsherpreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <3.6

Patches

1
8f28e7c2fe54

更新版本号为V3.6

https://github.com/jishenghua/jshERPjishenghuaNov 24, 2025Fixed in 3.6via release-tag
commit
3 files changed · +3 3
  • jshERP-boot/pom.xml+1 1 modified
    @@ -4,7 +4,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.jsh</groupId>
 	<artifactId>jshERP-boot</artifactId>
-	<version>3.5-SNAPSHOT</version>
+	<version>3.6-SNAPSHOT</version>
 	<packaging>jar</packaging>
 
 	<name>jshERP-boot</name>
  • jshERP-web/src/components/layouts/UserLayout.vue+1 1 modified
    @@ -12,7 +12,7 @@
                 <a-col>

                   <a href="/">

                     <span class="title">{{systemTitle}}</span>

-                    <small class="desc">V3.5</small>

+                    <small class="desc">V3.6</small>

                   </a>

                 </a-col>

               </a-row>
  • jshERP-web/src/views/dashboard/IndexChart.vue+1 1 modified
    @@ -133,7 +133,7 @@
               </div>

               <a-button type="link" v-if="showWeixinSpan()">管伊佳ERP微信小程序</a-button>

             </a-popover>

-            &copy; 2015-2030 {{systemTitle}} V3.5

+            &copy; 2015-2030 {{systemTitle}} V3.6

           </div>

           <a-tag v-if="tenant.type==0" color="blue">试用到期:{{tenant.expireTime}}</a-tag>

           <a-tag v-if="tenant.type==0" color="blue">试用用户:{{tenant.userCurrentNum}}/{{tenant.userNumLimit}}</a-tag>

Vulnerability mechanics

Root cause

"The system fails to validate user-supplied URLs before using them in outbound HTTP requests."

Attack vector

An attacker with administrative privileges can submit a malicious URL via the POST /platformConfig/add endpoint by setting the platformKey to weixinUrl and the platformValue to a target URL [ref_id=1]. This URL is then persisted in the database. Subsequently, when the system invokes WeChat-related functions, it retrieves the stored URL and passes it to an HTTP client without validation, enabling the execution of arbitrary outbound HTTP GET requests [ref_id=1].

Affected code

The vulnerability lies within the `insertPlatformConfig` function in `PlatformConfigService.java`, which handles the insertion of platform configuration. The `getAccessToken` function in the same service retrieves the stored `platformValue` and concatenates it with constants before passing it to `HttpClient.httpGet()` in `HttpClient.java` for execution [ref_id=1].

What the fix does

The patch addresses the vulnerability by adding input validation to the `platformValue` before it is persisted. Specifically, it checks if the `platformValue` is a valid URL. If the value is not a valid URL, it will not be saved, thus preventing the injection of malicious URLs that could be used for SSRF attacks [patch_id=5162359].

Preconditions

  • authThe attacker must have administrative privileges to access the /platformConfig/add endpoint.
  • inputThe attacker must be able to control the `platformValue` parameter when `platformKey` is set to 'weixinUrl'.

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.