{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-16T13:49:11.224","vulnerabilities":[{"cve":{"id":"CVE-2026-3189","sourceIdentifier":"cna@vuldb.com","published":"2026-02-25T17:25:42.470","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This vulnerability affects unknown code of the file /api/admin/common/files/download. Executing a manipulation of the argument url can lead to server-side request forgery. The attack can be executed remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. Upgrading to version 1.3.3-beta is able to resolve this issue. This patch is called aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is advised. The project was informed beforehand and acted very professional: \"We have added a URL protocol whitelist validation to the file download interface, allowing only http and https protocols.\""},{"lang":"es","value":"Se ha identificado una debilidad en feiyuchuixue sz-boot-parent hasta 1.3.2-beta. Esta vulnerabilidad afecta código desconocido del archivo /API/admin/common/files/download. La ejecución de una manipulación del argumento url puede conducir a falsificación de petición del lado del servidor. El ataque puede ejecutarse de forma remota. Los ataques de esta naturaleza son altamente complejos. Se afirma que la explotabilidad es difícil. La actualización a la versión 1.3.3-beta es capaz de resolver este problema. Este parche se llama aefaabfd7527188bfba3c8c9eee17c316d094802. Se aconseja actualizar el componente afectado. El proyecto fue informado de antemano y actuó de manera muy profesional: 'Hemos añadido una validación de lista blanca de protocolo URL a la interfaz de descarga de archivos, permitiendo solo los protocolos HTTP y HTTPS.'"}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":3.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":1.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:H/Au:S/C:P/I:N/A:N","baseScore":2.1,"accessVector":"NETWORK","accessComplexity":"HIGH","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"LOW","exploitabilityScore":3.9,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://github.com/feiyuchuixue/sz-boot-parent/","source":"cna@vuldb.com"},{"url":"https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802","source":"cna@vuldb.com"},{"url":"https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta","source":"cna@vuldb.com"},{"url":"https://github.com/yuccun/CVE/blob/main/sz-boot-parent-SSRF_and_Arbitrary_File_Read.md","source":"cna@vuldb.com"},{"url":"https://vuldb.com/?ctiid.347747","source":"cna@vuldb.com"},{"url":"https://vuldb.com/?id.347747","source":"cna@vuldb.com"},{"url":"https://vuldb.com/?submit.754042","source":"cna@vuldb.com"}]}}]}