Description
A vulnerability was found in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0. This affects an unknown part of the component testConnection Endpoint. The manipulation of the argument jdbcUrl results in deserialization. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the testConnection endpoint of the ADP Application Developer Platform. An attacker can manipulate the jdbcUrl argument to trigger deserialization of untrusted data, a flaw classified under CWE-502 and weak input validation (CWE-20). This can lead to remote code execution or other forms of arbitrary code execution if the deserialized objects are crafted maliciously. The built‑in deserialization mechanism is exposed to external input, allowing an attacker to send crafted payloads that may be executed on the server, compromising confidentiality, integrity, and availability of the application.

Affected Systems

zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0 is affected. The flaw is located in an unknown part of the testConnection component, with no other versions or components listed as impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, but the use of deserialization elevates the risk. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog. The vulnerability can be exploited remotely; the attack vector involves sending a specially crafted jdbcUrl parameter. The public exploitation of this flaw confirms its potential impact and that attackers can attempt it from outside the network.

Generated by OpenCVE AI on June 21, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official patch or upgrade to a newer version of the ADP Application Developer Platform where deserialization is properly protected or removed.
  • Restrict access to the testConnection endpoint, limiting it to trusted networks or internal hosts to reduce exposure.
  • Implement strict input validation and sanitization for the jdbcUrl parameter, rejecting or escaping any unexpected data before it can be deserialized.
  • Consider disabling default deserialization mechanisms or using safe deserialization libraries that require explicit class handling.

Generated by OpenCVE AI on June 21, 2026 at 10:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0. This affects an unknown part of the component testConnection Endpoint. The manipulation of the argument jdbcUrl results in deserialization. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 testConnection Endpoint deserialization
First Time appeared Zhilink
Zhilink adp Application Developer Platform
Weaknesses CWE-20
CWE-502
CPEs cpe:2.3:a:zhilink_:adp_application_developer_platform_:*:*:*:*:*:*:*:*
Vendors & Products Zhilink
Zhilink adp Application Developer Platform
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Zhilink Adp Application Developer Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-22T17:18:38.928Z

Reserved: 2026-06-20T09:58:40.593Z

Link: CVE-2026-12787

cve-icon Vulnrichment

Updated: 2026-06-22T17:18:34.991Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-21T12:00:16Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-502

    Deserialization of Untrusted Data