Description
A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This vulnerability affects unknown code of the file /api/admin/common/files/download. Manipulation of the argument url can lead to server-side request forgery. The attack can be executed remotely. Attacks of this nature are highly complex, and the exploitability is stated to be difficult. Upgrading to version 1.3.3-beta resolves this issue; the patch is commit aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is advised. The project was informed beforehand and acted very professionally: "We have added a URL protocol whitelist validation to the file download interface, allowing only http and https protocols."
Published: 2026-02-25
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch
AI Analysis

Impact

The vulnerability is a server-side request forgery (CWE-918) in feiyuchuixue's sz-boot-parent: the url argument of the /api/admin/common/files/download endpoint is used as the target of a server-side fetch without sufficient validation. A remote attacker who holds an authenticated, low-privileged account (Au:S in the CVSS v2 vector and PR:L in the v3/v4 vectors recorded in the history below) can make the application request a URL of the attacker's choosing. Because the fix adds a protocol whitelist, the unpatched code evidently accepted URLs in any scheme, not only http and https. The description rates the attack as highly complex and difficult to exploit, so the likelihood of exploitation in the wild is low. A successful request could still reach services that are only reachable from the application host (loopback, private-network and cloud-metadata addresses) and return their responses to the attacker through the download.

Affected Systems

The flaw exists in all releases of sz-boot-parent up to and including 1.3.2-beta. The project has released version 1.3.3-beta (commit aefaabfd7527188bfba3c8c9eee17c316d094802), which adds a protocol whitelist so that the download interface accepts only http and https URLs. Users running any earlier version are susceptible. Note that the whitelist constrains only the scheme; it does not restrict which host an http or https URL may point at, so the endpoint can still be aimed at internal HTTP services unless a host allowlist or egress filtering is applied in addition to the upgrade.
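To make the fix and its limits concrete, the following is an added Python example written for this page; it is not code from sz-boot-parent (written here in Python rather than the project's own language) and does not reproduce the actual patch. scheme_allowed is the check the project describes (http and https only); validate_download_url shows the additional host and address checks an operator would want before the server fetches the URL, which is also what the interim validation in the recommended actions below amounts to. The example hostnames, the injectable resolve callback and the allowed_hosts parameter are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# The project's fix, as described in the advisory: only these schemes pass.
ALLOWED_SCHEMES = {"http", "https"}


def scheme_allowed(url):
    """Scheme whitelist alone: rejects file://, gopher://, ftp:// and friends."""
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES


def _is_public(ip_str):
    """True only for globally routable unicast addresses (no loopback, RFC 1918,
    link-local/metadata, IPv4-mapped IPv6, multicast)."""
    ip = ipaddress.ip_address(ip_str.split("%")[0])  # drop an IPv6 scope id if present
    return ip.is_global and not ip.is_multicast


def _live_resolve(host):
    """Default resolver (assumed): every A/AAAA answer for the name, so a name
    with one public and one private record is still caught."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def validate_download_url(url, resolve=_live_resolve, allowed_hosts=None):
    """Return (ok, reason). Goes beyond the scheme whitelist: rejects embedded
    credentials, optionally enforces a host allowlist, and refuses any URL whose
    host is, or resolves to, a non-public address."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        # http://trusted.example@evil.example/ style parser confusion
        return False, "credentials in URL"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        # Literal address, including [::1] and [::ffff:127.0.0.1].
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Not a strict IP literal: resolve it. Shorthand such as 127.1 or
        # 0x7f000001 is not accepted by ipaddress and is only caught here,
        # through whatever the resolver returns for it.
        addrs = resolve(host)
    if not addrs:
        return False, f"host {host!r} does not resolve"
    for addr in addrs:
        if not _is_public(addr):
            return False, f"host {host!r} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Offline demo with a constructed resolver table instead of live DNS.
    table = {"files.example.com": ["93.184.216.34"], "intranet.corp": ["10.0.0.5"]}
    for u in ("file:///etc/passwd",
              "http://169.254.169.254/latest/meta-data/",
              "http://intranet.corp/",
              "https://files.example.com/report.pdf"):
        print(u, "->", validate_download_url(u, resolve=table.get))
```

Checking the resolved address still leaves a window between the check and the fetch (DNS rebinding), so the fetch should connect to the address that was validated, and the same check must run again on every redirect: a public host that 302s to http://127.0.0.1/ is the usual way around a scheme-only whitelist.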

Risk and Exploitability

The CVSS 4.0 score of 2.3 (3.1 under CVSS 3.x) is a low severity rating, and the EPSS score below 1% together with the absence of this CVE from the KEV catalog indicates that widespread exploitation is unlikely. The attack vector is network-reachable, but exploitation requires an authenticated account and is rated high complexity, so the overall risk is low. The SSVC record in the history below does note that a proof of concept exists (Exploitation: poc) while judging the flaw not automatable, and an SSRF in an administrative endpoint is a useful pivot once any account is compromised, so organizations should still apply the fix promptly to remove the surface entirely.

Generated by OpenCVE AI on April 17, 2026 at 15:10 UTC.

Remediation

Fixed upstream in sz-boot-parent 1.3.3-beta, commit aefaabfd7527188bfba3c8c9eee17c316d094802 (a URL protocol whitelist on the download interface, per the project's statement in the description above). No separate vendor workaround has been published.

OpenCVE Recommended Actions

  • Upgrade sz-boot-parent to version 1.3.3-beta or later, which adds a whitelist that permits only the http and https protocols on the download interface.
  • If an immediate upgrade is not feasible, validate the url parameter before the server fetches it: accept only the http and https schemes and reject everything else. Scheme validation alone still permits http requests to internal hosts, so also restrict the destination (an allowlist of expected origins, or rejecting hosts that resolve to loopback, private or link-local addresses) and apply the same checks to any redirect the fetch follows.
  • Monitor outbound traffic from the application host for connections to unexpected destinations, in particular loopback, private-network and cloud-metadata addresses, and correlate them with requests to the download endpoint as an early signal of SSRF attempts.
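The monitoring action above is easiest to operationalize as a correlation: flag requests to the download endpoint whose url parameter already looks wrong, and flag outbound connections from the application host that leave within a short window of such a request and go somewhere other than the origins the feature is expected to fetch from. The following Python is an added example for this page, not part of OpenCVE or of the project; the two log formats, the EXPECTED_ORIGINS set, the two-second window and every log line are constructed for the demonstration.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

DOWNLOAD_PATH = "/api/admin/common/files/download"
EXPECTED_ORIGINS = {"files.example.com"}  # assumed: hosts the feature legitimately fetches from
WINDOW = timedelta(seconds=2)             # assumed: max delay between request and egress

# Constructed sample data (not real logs). Inbound: ts client user method target status.
INBOUND_LOG = """\
2026-03-01T10:00:01Z 198.51.100.7 user=ops GET /api/admin/common/files/download?url=https%3A%2F%2Ffiles.example.com%2Freport.pdf 200
2026-03-01T10:00:05Z 198.51.100.9 user=tmp GET /api/admin/common/files/download?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F 200
2026-03-01T10:00:09Z 198.51.100.9 user=tmp GET /api/admin/common/files/download?url=file%3A%2F%2F%2Fetc%2Fpasswd 500
2026-03-01T10:00:12Z 198.51.100.9 user=tmp GET /api/admin/common/files/download?url=http%3A%2F%2Fbilling.internal%2Fapi%2Finvoices 200
"""
# Egress (e.g. from a forward proxy or flow export): ts source dst_host dst_ip dst_port.
EGRESS_LOG = """\
2026-03-01T10:00:01Z app-01 files.example.com 93.184.216.34 443
2026-03-01T10:00:05Z app-01 169.254.169.254 169.254.169.254 80
2026-03-01T10:00:12Z app-01 billing.internal 10.20.0.15 80
2026-03-01T10:00:30Z app-01 files.example.com 93.184.216.34 443
"""

INBOUND_RE = re.compile(r"^(\S+) (\S+) user=(\S+) (\S+) (\S+) (\d{3})$")
EGRESS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_inbound(text):
    """Keep only requests to the download endpoint, with the url parameter decoded."""
    reqs = []
    for line in text.splitlines():
        m = INBOUND_RE.match(line)
        if not m:
            continue
        ts, client, user, method, target, status = m.groups()
        path, _, query = target.partition("?")
        if path != DOWNLOAD_PATH:
            continue
        url = parse_qs(query).get("url", [""])[0]
        reqs.append({"ts": _ts(ts), "client": client, "user": user, "url": url, "status": int(status)})
    return reqs


def parse_egress(text):
    events = []
    for line in text.splitlines():
        m = EGRESS_RE.match(line)
        if m:
            ts, src, host, ip, port = m.groups()
            events.append({"ts": _ts(ts), "src": src, "host": host, "ip": ip, "port": int(port)})
    return events


def _non_global(ip_str):
    """Loopback, RFC 1918, link-local (incl. metadata), multicast: anything not globally routable."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # a name, not a literal: cannot judge without resolving
    return not ip.is_global or ip.is_multicast


def inbound_findings(reqs):
    """Requests whose url parameter is already suspicious on its face."""
    out = []
    for r in reqs:
        parts = urlsplit(r["url"])
        if parts.scheme.lower() not in ("http", "https"):
            out.append({"kind": "inbound", "reason": f"disallowed scheme {parts.scheme!r}", **r})
        elif parts.hostname and _non_global(parts.hostname):
            out.append({"kind": "inbound", "reason": f"url targets non-global address {parts.hostname}", **r})
    return out


def egress_findings(reqs, events):
    """Outbound connections to unexpected or internal destinations, tied to a download request."""
    out = []
    for e in events:
        if e["host"] in EXPECTED_ORIGINS and not _non_global(e["ip"]):
            continue
        for r in reqs:
            delay = e["ts"] - r["ts"]
            if timedelta(0) <= delay <= WINDOW:
                out.append({"kind": "egress", "ts": e["ts"], "user": r["user"], "client": r["client"],
                            "url": r["url"],
                            "reason": f"outbound to {e['host']} ({e['ip']}:{e['port']}) "
                                      f"{int(delay.total_seconds())}s after download request"})
    return out


def analyze(inbound_text, egress_text):
    reqs = parse_inbound(inbound_text)
    return inbound_findings(reqs) + egress_findings(reqs, parse_egress(egress_text))


if __name__ == "__main__":
    for f in analyze(INBOUND_LOG, EGRESS_LOG):
        print(f["kind"], f["ts"], f["user"], f["client"], f["reason"])
```

The inbound rule catches what a scheme whitelist would have rejected; the egress rule is what still matters after the patch, because http://billing.internal/ passes the whitelist and only shows up as an unexpected outbound connection from the application host.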



Advisories

No advisories yet.

History

Fri, 27 Feb 2026 03:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Feiyuchuixue; Feiyuchuixue sz-boot-parent

Type: Vendors & Products
Values Added: Feiyuchuixue; Feiyuchuixue sz-boot-parent

Wed, 25 Feb 2026 16:45:00 +0000

Type: Description
Values Added: A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This vulnerability affects unknown code of the file /api/admin/common/files/download. Executing a manipulation of the argument url can lead to server-side request forgery. The attack can be executed remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. Upgrading to version 1.3.3-beta is able to resolve this issue. This patch is called aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is advised. The project was informed beforehand and acted very professional: "We have added a URL protocol whitelist validation to the file download interface, allowing only http and https protocols."

Type: Title
Values Added: feiyuchuixue sz-boot-parent download server-side request forgery

Type: Weaknesses
Values Added: CWE-918

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV2_0 {'score': 2.1, 'vector': 'AV:N/AC:H/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C'}
cvssV3_0 {'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}
cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}
cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-25T20:18:20.086Z

Reserved: 2026-02-25T08:32:16.087Z

Link: CVE-2026-3189

Vulnrichment

Updated: 2026-02-25T20:18:10.723Z

NVD

Status : Deferred

Published: 2026-02-25T17:25:42.470

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-3189

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses