Description
A vulnerability was identified in itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3. The impacted element is the function Save of the file paicoding-web/src/main/java/com/github/paicoding/forum/web/common/image/rest/ImageRestController.java of the component Image Save Endpoint. Such manipulation of the argument img leads to server-side request forgery. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Apply Patch Immediately
AI Analysis

Impact

An attacker can manipulate the img parameter in the image save endpoint of itwanger paicoding to make the application issue arbitrary outbound requests. This server-side request forgery can expose internal resources, potentially exfiltrate data, or let the attacker interact with services that are otherwise reachable only from the server. The weakness corresponds to CWE-918 (Server-Side Request Forgery), in which the server is induced to send requests on the attacker's behalf, granting unauthorized network access.

Affected Systems

The vulnerability exists in itwanger paicoding versions 1.0.0 through 1.0.3. The affected code resides in the ImageRestController within the paicoding-web component. Users running any of these releases in a production or Internet-exposed environment are susceptible unless the endpoint is isolated by network controls.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation at this time, though the vulnerability is publicly documented and could be leveraged opportunistically. The patch status is unknown, but because the attack vector is remote and an exploit is available, the risk warrants prompt action. The vulnerability is not yet listed in CISA's KEV catalog, which indicates that widespread exploitation has not been observed, but the potential for internal compromise remains.

Generated by OpenCVE AI on April 17, 2026 at 14:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch for itwanger paicoding once released; if a patch is not yet available, upgrade to a version that includes the fix.
  • If upgrading is not possible, restrict external access to the image upload endpoint, allowing only trusted hosts to submit requests.
  • Configure input validation or a whitelist for the img parameter to ensure only permitted URLs or data are processed.
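As an added example (not code from paicoding), the hypothetical ImageUrlPolicy class below shows one way to apply the third recommendation, assuming the img argument is a URL the server would fetch: the scheme, a host allowlist and every resolved address are checked before any request is made, and anything that fails is refused.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Set;

// Hypothetical allowlist policy for a URL-valued "img" parameter (added example, not project code).
public final class ImageUrlPolicy {
    // Constructed allowlist: only hosts this deployment explicitly trusts to serve images.
    private static final Set<String> ALLOWED_HOSTS = Set.of("cdn.example.com", "images.example.com");

    private ImageUrlPolicy() {}

    /** Returns true only when img is an http(s) URL to an allowlisted, publicly routed host. */
    public static boolean isAllowed(String img) {
        URI uri;
        try {
            uri = new URI(img).normalize();
        } catch (Exception e) {          // URISyntaxException, or NullPointerException for null input
            return false;
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return false;                // refuses file:, gopher:, dict: and any other scheme
        }
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) {
            return false;                // refuses hostless URLs and "user@host" confusion
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return false;                // host is not on the explicit allowlist
        }
        // Resolve every address for the host and refuse the URL if any points at the local network.
        try {
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                        || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()) {
                    return false;
                }
            }
        } catch (UnknownHostException e) {
            return false;                // unresolvable hosts are refused rather than retried later
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed inputs: an allowlisted image URL, a loopback URL, and a non-http scheme.
        for (String candidate : new String[] {
                "https://cdn.example.com/a.png", "http://127.0.0.1:8080/", "file:///etc/hosts"}) {
            System.out.println(candidate + " -> " + isAllowed(candidate));
        }
    }
}
```

The resolution check here does not bind the later HTTP client to the address that was inspected, so the fetch itself should go through an egress proxy or a client that enforces the same policy at connect time; otherwise a host whose DNS answer changes between check and fetch can still reach internal addresses.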

Generated by OpenCVE AI on April 17, 2026 at 14:04 UTC.

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 15:45:00 +0000

Type                 Values Removed    Values Added
CPEs                                   cpe:2.3:a:itwanger:paicoding:1.0.0:*:*:*:*:*:*:*
                                       cpe:2.3:a:itwanger:paicoding:1.0.1:*:*:*:*:*:*:*
                                       cpe:2.3:a:itwanger:paicoding:1.0.2:*:*:*:*:*:*:*
                                       cpe:2.3:a:itwanger:paicoding:1.0.3:*:*:*:*:*:*:*

Fri, 27 Feb 2026 19:15:00 +0000

Type                 Values Removed    Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 04:15:00 +0000

Type                 Values Removed    Values Added
Description                            A vulnerability was identified in itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3. The impacted element is the function Save of the file paicoding-web/src/main/java/com/github/paicoding/forum/web/common/image/rest/ImageRestController.java of the component Image Save Endpoint. Such manipulation of the argument img leads to server-side request forgery. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title                                  itwanger paicoding Image Save Endpoint ImageRestController.java save server-side request forgery
First Time appeared                    Itwanger
                                       Itwanger paicoding
Weaknesses                             CWE-918
CPEs                                   cpe:2.3:a:itwanger:paicoding:*:*:*:*:*:*:*:*
Vendors & Products                     Itwanger
                                       Itwanger paicoding
References
Metrics                                cvssV2_0
                                       {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                       cvssV3_0
                                       {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                       cvssV3_1
                                       {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                       cvssV4_0
                                       {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-27T18:51:00.595Z

Reserved: 2026-02-26T16:41:15.592Z

Link: CVE-2026-3286

Vulnrichment

Updated: 2026-02-27T18:50:55.576Z

NVD

Status: Analyzed

Published: 2026-02-27T04:16:03.770

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3286

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses