CVE-2026-8320 - Vulnerability Details

- jishenghua jshERP updatePlatformConfigByKey Endpoint UserService.java getUserByWeixinCode server-side request forgery

Description

A security vulnerability has been detected in jishenghua jshERP up to 3.6. This affects the function getUserByWeixinCode of the file jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java of the component updatePlatformConfigByKey Endpoint. Such manipulation of the argument weixinUrl leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Published: 2026-05-11

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A server‑side request forgery (SSRF) vulnerability exists in the getUserByWeixinCode function of the jshERP application. By manipulating the weixinUrl argument, an attacker can instruct the server to perform HTTP requests to arbitrary URLs, including internal network resources. This can allow the attacker to make HTTP requests to internal resources that are otherwise not publicly reachable.

Affected Systems

The vulnerability affects jishenghua jshERP versions up to 3.6, specifically the updatePlatformConfigByKey endpoint that invokes getUserByWeixinCode in the UserService module. No other products or vendors are reported to be affected.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate overall severity. The EPSS score is not available, so the precise likelihood of exploitation is uncertain, but the exploit has been publicly disclosed and may be used. The vulnerability is currently not listed in the CISA KEV catalog, suggesting it has not been widely reported in operational environments. The attack is remotely accessible by supplying a crafted weixinUrl value, and it requires no additional authentication or privileged access beyond the normal API usage.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

jishenghua

jshERP

affected

Version	Status	Constraints
`3.0`	affected	—
`3.1`	affected	—
`3.2`	affected	—
`3.3`	affected	—
`3.4`	affected	—
`3.5`	affected	—
`3.6`	affected	—

No data.

Vendor Product Confidence Versions

Jishenghua

Jsherp

100%

Version	Status	Scheme	Platform
`3.0`	affected	generic	—
`3.1`	affected	generic	—
`3.2`	affected	generic	—
`3.3`	affected	generic	—
`3.4`	affected	generic	—
`3.5`	affected	generic	—
`3.6`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any available patch or upgrade jshERP to a version that fixes the SSRF flaw.
Restrict outbound traffic from the jshERP application, allowing requests only to trusted, whitelisted domains or via an approved proxy.
Validate the weixinUrl parameter at the application layer, enforcing a whitelist of acceptable protocols and hostnames and rejecting any attempt to use file:, localhost, or internal IP ranges.
Monitor server logs for unusual outgoing requests and generate alerts for any attempts to contact non‑whitelisted URLs.

Generated by OpenCVE AI on May 11, 2026 at 23:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/jishenghua/jshERP/
https://github.com/jishenghua/jshERP/issues/152
https://vuldb.com/submit/811303
https://vuldb.com/vuln/362607
https://vuldb.com/vuln/362607/cti

History

Mon, 11 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in jishenghua jshERP up to 3.6. This affects the function getUserByWeixinCode of the file jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java of the component updatePlatformConfigByKey Endpoint. Such manipulation of the argument weixinUrl leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title		jishenghua jshERP updatePlatformConfigByKey Endpoint UserService.java getUserByWeixinCode server-side request forgery
First Time appeared		Jishenghua Jishenghua jsherp
Weaknesses		CWE-918
CPEs		cpe:2.3:a:jishenghua:jsherp::::::::
Vendors & Products		Jishenghua Jishenghua jsherp
References		https://github.com/jishenghua/jshERP/ https://github.com/jishenghua/jshERP/issues/152 https://vuldb.com/submit/811303 https://vuldb.com/vuln/362607 https://vuldb.com/vuln/362607/cti
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Jishenghua Jsherp

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-11T19:30:11.376Z

Updated: 2026-05-11T20:27:44.656Z

Reserved: 2026-05-11T13:33:44.950Z

Link: CVE-2026-8320

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-11T20:25:48.363

Modified: 2026-05-12T16:38:54.943

Link: CVE-2026-8320

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T00:00:03Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object