CVE-2026-4956 - Vulnerability Details

- Shenzhen Ruiming Technology Streamax Crocus Parameter DevicePrint.do sql injection

Description

A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. The affected element is an unknown function of the file /DevicePrint.do?Action=ReadTask of the component Parameter Handler. The manipulation of the argument State results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-03-27

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in an unknown function within the /DevicePrint.do?Action=ReadTask endpoint of Shenzhen Ruiming Technology Streamax Crocus, allowing an attacker to manipulate the State parameter and inject SQL statements. This remote SQL injection could enable unauthorized data disclosure or modification, compromising the confidentiality and integrity of the system’s database. The weakness aligns with common injection flaws identified by CWE-74 and CWE-89.

Affected Systems

Shenzhen Ruiming Technology’s Streamax Crocus version 1.3.44 is affected. The issue is specific to the Parameter Handler component handling the /DevicePrint.do?Action=ReadTask request. No other versions or components are listed as vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity level, but the exploit is public and can be launched remotely, which elevates the practical risk. EPSS data is unavailable and the vulnerability is not yet in the CISA KEV catalog. It is inferred from the description that the attack can be performed without authentication, relying solely on the vulnerable web endpoint exposed to the internet. Given the public nature of the exploit and the lack of vendor response, the likelihood of exploitation remains significant.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Shenzhen Ruiming Technology

Streamax Crocus

affected

Version	Status	Constraints
`1.3.44`	affected	—

No data.

Vendor Product Confidence Versions

Shenzhen Ruiming Technology

Streamax Crocus

100%

Version	Status	Scheme	Platform
`1.3.44`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any vendor-released patch or update for Streamax Crocus 1.3.44 as soon as it becomes available.
If a patch is not yet available, contact Shenzhen Ruiming Technology to request an update or additional guidance.
Limit exposure by restricting network access to the /DevicePrint.do endpoint to trusted hosts or implementing IP whitelisting.
Enable web application firewalls or input validation rules to block suspicious State parameter values.
Monitor application logs for abnormal SQL query patterns or failed authentication attempts to detect potential exploitation attempts.

Generated by OpenCVE AI on March 27, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://my.feishu.cn/docx/J8fHdY906o98pax4oCacWLTKndP?from=from_copylink
https://vuldb.com/?ctiid.353833
https://vuldb.com/?id.353833
https://vuldb.com/?submit.777534

History

Mon, 30 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Shenzhen Ruiming Technology Shenzhen Ruiming Technology streamax Crocus
Vendors & Products		Shenzhen Ruiming Technology Shenzhen Ruiming Technology streamax Crocus

Fri, 27 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 27 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. The affected element is an unknown function of the file /DevicePrint.do?Action=ReadTask of the component Parameter Handler. The manipulation of the argument State results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Shenzhen Ruiming Technology Streamax Crocus Parameter DevicePrint.do sql injection
Weaknesses		CWE-74 CWE-89
References		https://my.feishu.cn/docx/J8fHdY906o98pax4oCacWLTKndP?from=from_copylink https://vuldb.com/?ctiid.353833 https://vuldb.com/?id.353833 https://vuldb.com/?submit.777534
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Shenzhen Ruiming Technology Streamax Crocus

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-27T14:52:19.176Z

Updated: 2026-03-27T17:25:01.054Z

Reserved: 2026-03-27T07:55:14.698Z

Link: CVE-2026-4956

Vulnrichment

Updated: 2026-03-27T17:24:56.630Z

NVD

Status : Awaiting Analysis

Published: 2026-03-27T15:17:03.330

Modified: 2026-03-30T13:26:29.793

Link: CVE-2026-4956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:01:37Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object