Description
A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus up to 1.3.44. Affected is an unknown function of the file /RemoteFormat.do of the component Endpoint. Such manipulation of the argument State leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a classic SQL injection arising from an unsanitized "State" parameter in the RemoteFormat.do endpoint. This flaw permits an attacker to execute arbitrary SQL commands against the backend database, enabling unauthorized data access, modification, or deletion. The record classifies the weakness as injection (CWE-74) and, more specifically, SQL injection (CWE-89).

Affected Systems

Shenzhen Ruiming Technology's Streamax Crocus is vulnerable in versions up to and including 1.3.44. No other releases are listed as affected.

Risk and Exploitability

The CVSS 4.0 score of 6.9 is rated Medium, while the EPSS score of less than 1% indicates a low current exploitation probability. The flaw is not listed in the CISA KEV catalog. According to the description, it can be exploited remotely, through HTTP requests that carry a malicious State value, and the exploit has been disclosed publicly.

Generated by OpenCVE AI on March 28, 2026 at 05:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Once the vendor issues one, upgrade Streamax Crocus to a version newer than 1.3.44 or install a patch that eliminates the unsafe State handling.
  • Until a fix can be applied, restrict access to /RemoteFormat.do to trusted hosts only, using firewall rules to block requests from all other sources.
  • Deploy a web‑application firewall configured to detect and block SQL injection patterns in the State parameter, and monitor logs for abnormal query activity.

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type: Description
Values Removed: A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus bis 1.3.44. Affected is an unknown function of the file /RemoteFormat.do of the component Endpoint. Such manipulation of the argument State leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Values Added: A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus up to 1.3.44. Affected is an unknown function of the file /RemoteFormat.do of the component Endpoint. Such manipulation of the argument State leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Fri, 27 Mar 2026 12:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Shenzhen Ruiming Technology; Shenzhen Ruiming Technology streamax Crocus

Type: Vendors & Products
Values Added: Shenzhen Ruiming Technology; Shenzhen Ruiming Technology streamax Crocus

Fri, 27 Mar 2026 04:00:00 +0000

Type: Description
Values Added: A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus bis 1.3.44. Affected is an unknown function of the file /RemoteFormat.do of the component Endpoint. Such manipulation of the argument State leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Added: Shenzhen Ruiming Technology Streamax Crocus Endpoint RemoteFormat.do sql injection

Type: Weaknesses
Values Added: CWE-74, CWE-89

Type: References

Type: Metrics
Values Added:
cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-27T22:20:39.550Z

Reserved: 2026-03-26T16:10:45.133Z

Link: CVE-2026-4910

Vulnrichment

Updated: 2026-03-27T11:23:00.690Z

NVD

Status: Awaiting Analysis

Published: 2026-03-27T04:16:08.043

Modified: 2026-03-30T13:26:29.793

Link: CVE-2026-4910

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:30:50Z

Weaknesses