CVE-2026-6220 - Vulnerability Details

- HummerRisk Video File Download URL ServerService.java ServerService.addServer server-side request forgery

Description

A vulnerability was identified in HummerRisk up to 1.5.0. This vulnerability affects the function ServerService.addServer of the file ServerService.java of the component Video File Download URL Handler. Such manipulation of the argument streamIp leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-04-13

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw exists in the Video File Download URL Handler of HummerRisk up to version 1.5.0, where the ServerService.addServer function accepts a manipulated streamIp argument. This manipulation enables server‑side request forgery, allowing an attacker to cause the server to initiate requests to arbitrary destinations without authentication. The vulnerability is publicly exploitable and can be launched remotely.

Affected Systems

The affected product is HummerRisk’s Video File Download URL Handler component. All installations running version 1.5.0 or earlier are vulnerable. No specific vendors beyond HummerRisk are listed, and the vendor has yet to publish a fix.

Risk and Exploitability

The CVSS base score of 5.1 indicates a moderate severity. The EPSS score is not available, but the presence of a publicly available exploit and the ability to launch it remotely raise the exploitation likelihood. The vulnerability is not included in the CISA KEV catalog, suggesting limited documented exploitation at this time. The attack vector is inferred to be remote, as the description notes that the attack can be launched remotely and no local user privileges are required.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

HummerRisk

affected

Version	Status	Constraints
`1.0`	affected	—
`1.1`	affected	—
`1.2`	affected	—
`1.3`	affected	—
`1.4`	affected	—
`1.5.0`	affected	—

No data.

Vendor Product Confidence Versions

Hummerrisk

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—
`1.1`	affected	generic	—
`1.2`	affected	generic	—
`1.3`	affected	generic	—
`1.4`	affected	generic	—
`1.5.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check the HummerRisk website or trusted security bulletins for a patch or update that addresses the SSRF issue, and apply it immediately when available.
If a patch has not yet been released, restrict outbound network traffic from the impacted server to only known trusted endpoints so that any unintended requests cannot reach internal resources.
Continuously monitor application logs for abnormal outbound requests generated by the ServerService.addServer method, and investigate any suspicious patterns or failures.

Generated by OpenCVE AI on April 13, 2026 at 22:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00033.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/ccccccctiiiiiiii-lab/public_exp/issues/1
https://vuldb.com/submit/785855
https://vuldb.com/vuln/357141
https://vuldb.com/vuln/357141/cti

History

Tue, 14 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hummerrisk Hummerrisk hummerrisk
Vendors & Products		Hummerrisk Hummerrisk hummerrisk

Tue, 14 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 13 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in HummerRisk up to 1.5.0. This vulnerability affects the function ServerService.addServer of the file ServerService.java of the component Video File Download URL Handler. Such manipulation of the argument streamIp leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		HummerRisk Video File Download URL ServerService.java ServerService.addServer server-side request forgery
Weaknesses		CWE-918
References		https://github.com/ccccccctiiiiiiii-lab/public_exp/issues/1 https://vuldb.com/submit/785855 https://vuldb.com/vuln/357141 https://vuldb.com/vuln/357141/cti
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Hummerrisk Hummerrisk

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-13T21:00:14.084Z

Updated: 2026-04-14T13:45:56.944Z

Reserved: 2026-04-13T13:29:41.246Z

Link: CVE-2026-6220

Vulnrichment

Updated: 2026-04-14T13:45:53.434Z

NVD

Status : Received

Published: 2026-04-13T22:16:30.550

Modified: 2026-04-13T22:16:30.550

Link: CVE-2026-6220

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:33:12Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object