VYPR

Vendor CVEs

Crmeb

All CVEs

38 total · sorted by risk
  • CVE-2026-10771HigJun 3, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was found in crmeb crmeb_java 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation of the argument url results in…

  • CVE-2026-1202HigJan 20, 2026
    risk 0.47cvss 7.3epss 0.01

    A security flaw has been discovered in CRMEB up to 5.6.3. The affected element is the function appleLogin of the file crmeb/app/api/controller/v1/LoginController.php. Performing a manipulation of the argument openId results in improper authentication. The attack is possible to…

  • CVE-2025-11288MedOct 5, 2025
    risk 0.41cvss 6.3epss 0.00

    A security flaw has been discovered in CRMEB up to 5.6. This issue affects some unknown processing of the file /adminapi/product/product of the component GET Parameter Handler. Performing a manipulation of the argument cate_id results in sql injection. Remote exploitation of the…

  • CVE-2025-10391MedSep 14, 2025
    risk 0.41cvss 6.3epss 0.00

    A security vulnerability has been detected in CRMEB up to 5.6.1. The impacted element is the function testOutUrl of the file app/services/out/OutAccountServices.php. The manipulation of the argument push_token_url leads to server-side request forgery. Remote exploitation of the…

  • CVE-2025-2365MedMar 17, 2025
    risk 0.41cvss 6.3epss 0.00

    A vulnerability, which was classified as problematic, has been found in crmeb_java up to 1.3.4. Affected by this issue is the function webHook of the file WeChatMessageController.java. The manipulation leads to xml external entity reference. The attack may be launched remotely.…

  • CVE-2026-1203MedJan 20, 2026
    risk 0.36cvss 5.6epss 0.01

    A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication.…

  • CVE-2025-11290MedOct 5, 2025
    risk 0.36cvss 5.6epss 0.00

    A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads to use of hard-coded cryptographic key . It is possible to launch the attack…

  • CVE-2025-10390MedSep 14, 2025
    risk 0.35cvss 5.4epss 0.00

    A weakness has been identified in CRMEB up to 5.6.1. The affected element is the function editAddress of the file app/services/user/UserAddressServices.php. Executing manipulation of the argument ID can lead to improper authorization. The attack may be launched remotely. The…

  • CVE-2025-10389MedSep 14, 2025
    risk 0.35cvss 5.4epss 0.00

    A security flaw has been discovered in CRMEB up to 5.6.1. Impacted is the function Save of the file app/services/system/admin/SystemAdminServices.php of the component Administrator Password Handler. Performing manipulation of the argument ID results in improper authorization.…

  • CVE-2025-15443MedJan 4, 2026
    risk 0.31cvss 4.7epss 0.00

    A vulnerability was identified in CRMEB up to 5.6.1. This issue affects some unknown processing of the file /adminapi/product/product_export. Such manipulation of the argument cate_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available…

  • CVE-2025-15442MedJan 4, 2026
    risk 0.31cvss 4.7epss 0.00

    A vulnerability was determined in CRMEB up to 5.6.1. This vulnerability affects unknown code of the file /adminapi/export/product_list. This manipulation of the argument cate_id causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed…

  • CVE-2026-1733MedFeb 1, 2026
    risk 0.28cvss 4.3epss 0.00

    A vulnerability was identified in Zhong Bang CRMEB up to 5.6.3. This affects the function detail/tidyOrder of the file /api/store_integral/order/detail/:uni. The manipulation of the argument order_id leads to improper authorization. The attack can be initiated remotely. The…

  • CVE-2024-36837Jun 5, 2024
    risk 0.07cvss epss 0.08

    SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.

  • CVE-2024-52726Nov 22, 2024
    risk 0.03cvss epss 0.02

    CRMEB v5.4.0 is vulnerable to Arbitrary file read in the save_basics function which allows an attacker to obtain sensitive information

  • CVE-2024-6944Jul 21, 2024
    risk 0.02cvss epss 0.04

    A vulnerability was found in ZhongBangKeJi CRMEB up to 5.4.0 and classified as critical. Affected by this issue is the function get_image_base64 of the file PublicController.php. The manipulation of the argument file leads to deserialization. The attack may be launched remotely.…

  • CVE-2026-1734Feb 1, 2026
    risk 0.00cvss epss 0.00

    A security flaw has been discovered in Zhong Bang CRMEB up to 5.6.3. This vulnerability affects unknown code of the file crmeb/app/api/controller/v1/CrontabController.php of the component crontab Endpoint. The manipulation results in missing authorization. The attack can be…

  • CVE-2025-25763Mar 6, 2025
    risk 0.00cvss epss 0.01

    crmeb CRMEB-KY v5.4.0 and before has a SQL Injection vulnerability at getRead() in /system/SystemDatabackupServices.php

  • CVE-2024-50653Nov 15, 2024
    risk 0.00cvss epss 0.01

    CRMEB <=5.4.0 is vulnerable to Incorrect Access Control. Users can bypass the front-end restriction of only being able to claim coupons once by capturing packets and sending a large number of data packets for coupon collection, achieving unlimited coupon collection.

  • CVE-2024-6943Jul 21, 2024
    risk 0.00cvss epss 0.01

    A vulnerability has been found in ZhongBangKeJi CRMEB up to 5.4.0 and classified as critical. Affected by this vulnerability is the function downloadImage of the file app/services/product/product/CopyTaobaoServices.php. The manipulation leads to deserialization. The attack can…

  • CVE-2024-33117May 6, 2024
    risk 0.00cvss epss 0.00

    crmeb_java v1.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the mergeList method in class com.zbkj.front.pub.ImageMergeController.

  • CVE-2024-28714Mar 28, 2024
    risk 0.00cvss epss 0.01

    SQL Injection vulnerability in CRMEB_Java e-commerce system v.1.3.4 allows an attacker to execute arbitrary code via the groupid parameter.

  • CVE-2024-24110Feb 29, 2024
    risk 0.00cvss epss 0.01

    SQL Injection vulnerability in crmeb_java before v1.3.4 allows attackers to run arbitrary SQL commands via crafted GET request to the component /api/front/spread/people.

  • CVE-2024-25469Feb 23, 2024
    risk 0.00cvss epss 0.01

    SQL Injection vulnerability in CRMEB crmeb_java v.1.3.4 and before allows a remote attacker to obtain sensitive information via the latitude and longitude parameters in the api/front/store/list component.

  • CVE-2024-1704Feb 21, 2024
    risk 0.00cvss epss 0.01

    A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been declared as critical. This vulnerability affects the function save/delete of the file /adminapi/system/crud. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be…

  • CVE-2024-1703Feb 21, 2024
    risk 0.00cvss epss 0.01

    A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been classified as problematic. This affects the function openfile of the file /adminapi/system/file/openfile. The manipulation leads to absolute path traversal. The exploit has been disclosed to the public and may…

  • CVE-2023-3234Jun 14, 2023
    risk 0.00cvss epss 0.01

    A vulnerability was found in Zhong Bang CRMEB up to 4.6.0. It has been declared as problematic. Affected by this vulnerability is the function put_image of the file api/controller/v1/PublicController.php. The manipulation leads to deserialization. The attack can be launched…

  • CVE-2023-3233Jun 14, 2023
    risk 0.00cvss epss 0.01

    A vulnerability was found in Zhong Bang CRMEB up to 4.6.0. It has been classified as critical. Affected is the function get_image_base64 of the file api/controller/v1/PublicController.php. The manipulation leads to server-side request forgery. It is possible to launch the attack…

  • CVE-2023-3232Jun 14, 2023
    risk 0.00cvss epss 0.01

    A vulnerability was found in Zhong Bang CRMEB up to 4.6.0 and classified as critical. This issue affects some unknown processing of the file /api/wechat/app_auth of the component Image Upload. The manipulation leads to deserialization. The exploit has been disclosed to the…

  • CVE-2023-30185May 8, 2023
    risk 0.00cvss epss 0.01

    CRMEB v4.4 to v4.6 was discovered to contain an arbitrary file upload vulnerability via the component \attachment\SystemAttachmentServices.php.

  • CVE-2023-2419Apr 29, 2023
    risk 0.00cvss epss 0.01

    A vulnerability was found in Zhong Bang CRMEB 4.6.0. It has been declared as critical. This vulnerability affects the function videoUpload of the file \crmeb\app\services\system\attachment\SystemAttachmentServices.php. The manipulation of the argument filename leads to…

  • CVE-2023-1609Mar 23, 2023
    risk 0.00cvss epss 0.01

    A vulnerability was found in Zhong Bang CRMEB Java up to 1.3.4. It has been rated as problematic. This issue affects the function save of the file /api/admin/store/product/save. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has…

  • CVE-2023-1608Mar 23, 2023
    risk 0.00cvss epss 0.01

    A vulnerability was found in Zhong Bang CRMEB Java up to 1.3.4. It has been declared as critical. This vulnerability affects the function getAdminList of the file /api/admin/store/product/list. The manipulation of the argument cateId leads to sql injection. The attack can be…

  • CVE-2023-25223Mar 7, 2023
    risk 0.00cvss epss 0.01

    CRMEB <=1.3.4 is vulnerable to SQL Injection via /api/admin/user/list.

  • CVE-2023-1165Mar 3, 2023
    risk 0.00cvss epss 0.01

    A vulnerability was found in Zhong Bang CRMEB Java 1.3.4. It has been classified as critical. This affects an unknown part of the file /api/admin/system/store/order/list. The manipulation of the argument keywords leads to sql injection. The exploit has been disclosed to the…

  • CVE-2022-44343Feb 6, 2023
    risk 0.00cvss epss 0.01

    CRMEB 4.4.4 is vulnerable to Any File download.

  • CVE-2020-21787Jun 24, 2021
    risk 0.00cvss epss 0.02

    CRMEB 3.1.0+ is vulnerable to File Upload Getshell via /crmeb/crmeb/services/UploadService.php.

  • CVE-2020-21788Jun 24, 2021
    risk 0.00cvss epss 0.01

    In CRMEB 3.1.0+ strict domain name filtering leads to SSRF(Server-Side Request Forgery). The vulnerable code is in file /crmeb/app/admin/controller/store/CopyTaobao.php.

  • CVE-2020-25466Oct 23, 2020
    risk 0.00cvss epss 0.03

    A SSRF vulnerability exists in the downloadimage interface of CRMEB 3.0, which can remotely download arbitrary files on the server and remotely execute arbitrary code.