Description
A security vulnerability has been detected in ContiNew Admin up to 4.2.0. This issue affects the function URI.create of the file continew-system/src/main/java/top/continew/admin/system/factory/S3ClientFactory.java of the component Storage Management Module. The manipulation leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-08
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch
AI Analysis

Impact

The flaw lies in the URI.create call inside S3ClientFactory.java of ContiNew Admin’s Storage Management Module, allowing manipulation of the target URI. This can cause the application to perform arbitrary outbound HTTP requests to any address supplied by an attacker. The effect can range from accessing internal services to exfiltrating data; however, the exact extent depends on the environment and is inferred from the nature of the vulnerability.

Affected Systems

ContiNew Admin versions up to and including 4.2.0 are affected. Users of 4.2.0 or earlier who have not applied a workaround are at risk. No other vendors or product versions are listed as impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, while the EPSS score signals a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector—inferred from the description—is remote, with an attacker sending crafted requests to the storage‑management endpoint that trigger the SSRF behavior. Successful exploitation would allow the server to reach arbitrary URLs, potentially enabling further attacks.

Generated by OpenCVE AI on April 16, 2026 at 10:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ContiNew Admin to a release newer than 4.2.0 that removes or protects the vulnerable URI.create call.
  • If an upgrade is not immediately possible, disable or remove the S3 storage integration until a fix is available.
  • Implement network segmentation or firewall rules to restrict outbound connections from the ContiNew Admin server to only the IP addresses of authorized S3 buckets or other approved endpoints.
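The third recommendation can also be enforced inside the application, before the endpoint string ever reaches URI.create. The following class is an added example written for this page; it is not ContiNew Admin's code and not a patch from the project. The class name S3EndpointGuard, the allowlist contents and the sample endpoint strings are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical guard for S3 endpoint strings (added example, not ContiNew Admin code).
 * Every endpoint that would be handed to URI.create goes through validate() first, so a
 * caller-supplied value cannot point the S3 client at an arbitrary host.
 */
public final class S3EndpointGuard {

    /** Lower-case host names of the approved S3 endpoints (constructed configuration). */
    private final Set<String> allowedHosts;

    public S3EndpointGuard(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    /** Returns the parsed URI when every check passes, otherwise throws IllegalArgumentException. */
    public URI validate(String endpoint) {
        final URI uri;
        try {
            uri = new URI(endpoint);           // same parser as URI.create, but with a checked exception
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed endpoint: " + endpoint, e);
        }

        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("https") || scheme.equalsIgnoreCase("http"))) {
            throw new IllegalArgumentException("scheme must be http or https: " + endpoint);
        }

        // "https://trusted.example@other.example" parses with the real host AFTER the '@';
        // refusing userinfo outright removes that source of confusion.
        if (uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("userinfo is not allowed in an endpoint: " + endpoint);
        }

        String host = uri.getHost();
        if (host == null) {                    // opaque or registry-based authority: nothing to allowlist
            throw new IllegalArgumentException("endpoint has no server host: " + endpoint);
        }

        // Exact-match allowlist: port, path and query may vary, the host may not.
        if (!allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host is not an approved S3 endpoint: " + host);
        }
        return uri;
    }

    public static void main(String[] args) {
        S3EndpointGuard guard = new S3EndpointGuard(Set.of("s3.example.com", "minio.storage.example"));
        String[] samples = {                   // constructed inputs, not taken from any deployment
            "https://s3.example.com",
            "https://S3.EXAMPLE.COM:9000/bucket",
            "http://127.0.0.1:9000",
            "file:///etc/hosts",
            "https://s3.example.com@other.example",
            "https://other.example/?endpoint=s3.example.com",
        };
        for (String s : samples) {
            try {
                System.out.println("ALLOW  " + guard.validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + e.getMessage());
            }
        }
    }
}
```

The allowlist is matched on the parsed host only, which is what the S3 client will actually connect to; checking the raw string for a substring such as "s3.example.com" would accept the last two samples. An egress firewall rule of the kind the recommendation describes remains the backstop if the guard is bypassed or misconfigured.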



Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 19:00:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:continew:continew_admin:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Continew; Continew continew Admin

Type: Vendors & Products
Values Removed: (none)
Values Added: Continew; Continew continew Admin

Sun, 08 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A security vulnerability has been detected in ContiNew Admin up to 4.2.0. This issue affects the function URI.create of the file continew-system/src/main/java/top/continew/admin/system/factory/S3ClientFactory.java of the component Storage Management Module. The manipulation leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (none)
Values Added: ContiNew Admin Storage Management S3ClientFactory.java URI.create server-side request forgery

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0 {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-11T19:36:46.340Z

Reserved: 2026-03-07T20:25:59.931Z

Link: CVE-2026-3750

Vulnrichment

Updated: 2026-03-11T19:36:43.216Z

NVD

Status: Analyzed

Published: 2026-03-08T17:16:08.467

Modified: 2026-03-10T18:57:37.130

Link: CVE-2026-3750

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:45:26Z

Weaknesses