Description
A vulnerability was determined in AutohomeCorp frostmourne up to 1.0. The affected element is an unknown function of the file frostmourne-monitor/src/main/java/com/autohome/frostmourne/monitor/controller/AlarmController.java of the component Alarm Preview. Executing a manipulation can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (SSRF) enabling remote attackers to direct the application to perform arbitrary network requests.
Action: Patch Now
AI Analysis

Impact

The flaw resides in an unidentified function of AlarmController.java within the Alarm Preview component of AutohomeCorp’s frostmourne. By manipulating input, an attacker can trigger the server to issue HTTP requests to arbitrary URLs, potentially accessing internal services or exfiltrating data from the network.

Affected Systems

All installations of AutohomeCorp’s frostmourne component running version 1.0 or earlier are affected, regardless of additional configuration. The vulnerability is present in the Alarm Preview module of the product and is not limited to a specific deployment environment.

Risk and Exploitability

The CVSS score of 5.3 classifies the issue as medium severity, yet the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. The attack can be performed remotely, requiring only crafted requests to the affected endpoint. Even without widespread exploitation at this time, the ability to force outbound connections represents a tangible risk for further internal compromise and warrants prompt remediation.

Generated by OpenCVE AI on April 1, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade frostmourne to a patched version newer than 1.0 or apply any vendor‑released fix.
  • Restrict the application’s outbound network access to approved destinations to limit the impact of potential SSRF attacks.
  • Monitor application logs for unexpected outbound requests to ensure the mitigation remains effective.

Generated by OpenCVE AI on April 1, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Autohomecorp
Autohomecorp frostmourne
Vendors & Products Autohomecorp
Autohomecorp frostmourne

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in AutohomeCorp frostmourne up to 1.0. The affected element is an unknown function of the file frostmourne-monitor/src/main/java/com/autohome/frostmourne/monitor/controller/AlarmController.java of the component Alarm Preview. Executing a manipulation can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Title AutohomeCorp frostmourne Alarm Preview AlarmController.java server-side request forgery
Weaknesses CWE-918
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Autohomecorp Frostmourne
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-01T11:42:16.770Z

Reserved: 2026-03-31T16:22:43.175Z

Link: CVE-2026-5259

cve-icon Vulnrichment

Updated: 2026-04-01T11:42:12.646Z

cve-icon NVD

Status : Deferred

Published: 2026-04-01T08:16:05.723

Modified: 2026-04-24T18:12:06.580

Link: CVE-2026-5259

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:18:01Z

Weaknesses