Description
A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. This impacts an unknown function of the file /OperateStatistic.do. The manipulation of the argument VehicleID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-27
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Remote SQL Injection
Action: Immediate Patch
AI Analysis

Impact

Shenzhen Ruiming Technology Streamax Crocus 1.3.44 contains a flaw in the OperateStatistic.do servlet where the VehicleID parameter is concatenated directly into SQL statements. An attacker who can reach the web interface can supply a crafted VehicleID value to inject arbitrary SQL. This flaw is a textbook example of CWE-89 (SQL Injection) combined with improper encoding (CWE-74) and can lead to unauthorized data disclosure, modification, or even remote code execution if the database connection is granted excessive privileges. The vulnerability is exploitable over the network without authentication.

Affected Systems

The affected product is Shenzhen Ruiming Technology Streamax Crocus version 1.3.44. No other versions or products are listed as vulnerable in the available data.

Risk and Exploitability

The CVSS score for this vulnerability is 6.9, which places it in the medium severity range. The EPSS score is not available, but the vulnerability is publicly disclosed and an exploit has been made available. The attack can be launched remotely by sending a specially crafted HTTP request to OperateStatistic.do. Because the flaw allows SQL injection, attackers could exfiltrate sensitive data or elevate privileges, potentially compromising the entire system. Although the vulnerability is not yet listed in the CISA KEV catalog, the presence of a public exploit and the remote nature of the attack vector mean that systems running this product should be treated as high risk until a patch is applied.

Generated by OpenCVE AI on March 27, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Streamax Crocus to the latest version which fixes the OperateStatistic.do SQL injection vulnerability.
  • If a fix is not available, restrict access to OperateStatistic.do, allowing only trusted IP addresses, or block the endpoint entirely.
  • Implement a web application firewall that filters the VehicleID parameter for SQL injection patterns.
  • Reduce database privileges for the application to the least privilege needed, preventing potential data exfiltration or command execution.
  • Enable comprehensive logging of queries to detect injection attempts and investigate anomalies.
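The Impact section above describes VehicleID being concatenated directly into SQL text, and the last recommendation asks for query logging to catch injection attempts. The following Python example, added here and not code from Streamax or OpenCVE, shows both sides of that: the concatenation pattern beside a bound-parameter query with an allowlist check, plus a small detector that runs over constructed access-log lines and flags OperateStatistic.do requests whose decoded VehicleID is malformed. The table schema, the VehicleID format, the log lines and the client addresses are all assumptions made for the example; the real application's schema and ID format are not on the page.

```python
import re
import sqlite3
import urllib.parse

# Constructed stand-in for the statistics table behind OperateStatistic.do
# (assumption: the real schema is not published on the page).
SAMPLE_ROWS = [("V-1001", 120), ("V-1002", 340), ("V-1003", 15)]

# Allowlist for a well-formed VehicleID; an assumption about the real format.
VEHICLE_ID_RE = re.compile(r"[A-Za-z0-9-]{1,32}")


def build_db():
    """Create an in-memory SQLite table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operate_statistic (vehicle_id TEXT, mileage_km INTEGER)")
    conn.executemany("INSERT INTO operate_statistic VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn, vehicle_id):
    """The flawed pattern the advisory describes: VehicleID spliced into the SQL text."""
    sql = ("SELECT vehicle_id, mileage_km FROM operate_statistic "
           "WHERE vehicle_id = '" + vehicle_id + "'")
    return conn.execute(sql).fetchall()


def query_parameterized(conn, vehicle_id):
    """Bound parameter: the value travels separately from the statement, so it is
    compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT vehicle_id, mileage_km FROM operate_statistic WHERE vehicle_id = ?",
        (vehicle_id,),
    ).fetchall()


def handle_request(conn, vehicle_id):
    """Server-side handling: reject malformed input first, then query with binding."""
    if not VEHICLE_ID_RE.fullmatch(vehicle_id):
        raise ValueError("VehicleID rejected by allowlist")
    return query_parameterized(conn, vehicle_id)


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Mar/2026:15:20:01 +0000] "GET /OperateStatistic.do?VehicleID=V-1001 HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Mar/2026:15:20:07 +0000] "GET /OperateStatistic.do?VehicleID=V-1001%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1498',
    '10.0.0.5 - - [27/Mar/2026:15:20:09 +0000] "GET /index.do HTTP/1.1" 200 88',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_requests(log_lines):
    """Return (client, VehicleID) pairs for OperateStatistic.do requests whose
    percent-decoded VehicleID fails the allowlist. Decoding first matters: the
    quote and spaces in the second sample line arrive as %27 and %20."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urllib.parse.urlsplit(m.group(1))
        if url.path != "/OperateStatistic.do":
            continue
        params = urllib.parse.parse_qs(url.query, keep_blank_values=True)
        for vid in params.get("VehicleID", []):
            if not VEHICLE_ID_RE.fullmatch(vid):
                hits.append((line.split(" ", 1)[0], vid))
    return hits


if __name__ == "__main__":
    conn = build_db()
    probe = "V-1001' OR '1'='1"  # textbook tautology, used only to contrast the two queries
    print("vulnerable query returns", len(query_vulnerable(conn, probe)), "rows")
    print("parameterized query returns", len(query_parameterized(conn, probe)), "rows")
    print("flagged requests:", flag_suspicious_requests(SAMPLE_LOG))
```

Running the script shows the concatenated query returning every row for the tautology while the bound query returns none, and the log scan reporting only the request with the malformed VehicleID. The allowlist in `handle_request` is defence in depth on top of binding, not a substitute for it: a WAF or regex filter alone, as in the third recommendation, can be bypassed by encodings the filter does not normalize, whereas a bound parameter cannot change the statement's structure regardless of its content.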


Tracking


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:15:00 +0000

Type: Metrics
Values removed: (none shown)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 15:15:00 +0000

Type: Description
Values removed: (none shown)
Values added: A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. This impacts an unknown function of the file /OperateStatistic.do. The manipulation of the argument VehicleID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values removed: (none shown)
Values added: Shenzhen Ruiming Technology Streamax Crocus OperateStatistic.do sql injection

Type: Weaknesses
Values removed: (none shown)
Values added: CWE-74, CWE-89

Type: References
Values removed: (none shown)
Values added: (none shown)

Type: Metrics
Values removed: (none shown)
Values added:
  cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-27T19:57:55.525Z

Reserved: 2026-03-27T07:55:11.697Z

Link: CVE-2026-4955

Vulnrichment

Updated: 2026-03-27T18:51:38.831Z

NVD

Status: Received

Published: 2026-03-27T15:17:03.110

Modified: 2026-03-27T15:17:03.110

Link: CVE-2026-4955

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:28:22Z

Weaknesses