CVE-2026-3189

Source
https://cve.org/CVERecord?id=CVE-2026-3189
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3189.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-3189
Published
2026-02-25T16:02:09.732Z
Modified
2026-07-15T20:06:14.909545Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X CVSS Calculator
Summary
feiyuchuixue sz-boot-parent download server-side request forgery
Details

A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This vulnerability affects unknown code of the file /api/admin/common/files/download. Executing a manipulation of the argument url can lead to server-side request forgery. The attack can be executed remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. Upgrading to version 1.3.3-beta is able to resolve this issue. This patch is called aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is advised. The project was informed beforehand and acted very professional: "We have added a URL protocol whitelist validation to the file download interface, allowing only http and https protocols."

Database specific
{
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/3xxx/CVE-2026-3189.json",
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/feiyuchuixue/sz-boot-parent

Affected ranges

Type
GIT
Repo
https://github.com/feiyuchuixue/sz-boot-parent
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "1.3.2-beta"
        },
        {
            "last_affected": "1.3.2-beta"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.3.2-beta
v1.*
v1.3.2-beta

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "323699978759532718635517452930014157374",
                "278512815284875105518285646130543054351",
                "36593422020877463883026974281695531237",
                "272061730393614553358149570337127224283",
                "53103655436858705070311452962028882628",
                "44075739219662578324712019844678751771",
                "327294547989315988770463799345714587219",
                "239202637047055361717084429664878585266",
                "286830467102291430063201447598526686506",
                "278046516090588714991238521370842759171",
                "458335260742716500581542517133734864",
                "216810359571802661167438494342302831140",
                "323131193342097975444505137381207414144",
                "94591104986195072435463028310334849886",
                "301282123361441700893620100181908019869"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-3189-03a875f0",
        "target": {
            "file": "sz-service/sz-service-admin/src/main/java/com/sz/admin/system/service/impl/CommonServiceImpl.java"
        }
    },
    {
        "source": "https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "91968328190997309201035462725446067993",
            "length": 1084.0
        },
        "deprecated": false,
        "id": "CVE-2026-3189-1a1f17cb",
        "target": {
            "function": "upload",
            "file": "sz-common/sz-common-oss/src/main/java/com/sz/oss/OssClient.java"
        }
    },
    {
        "source": "https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "148515232992734810439385593609049960115",
            "length": 1350.0
        },
        "deprecated": false,
        "id": "CVE-2026-3189-6dbb5e1a",
        "target": {
            "function": "tempDownload",
            "file": "sz-service/sz-service-admin/src/main/java/com/sz/admin/system/service/impl/CommonServiceImpl.java"
        }
    },
    {
        "source": "https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "308803253615992416229235436819114806219",
            "length": 468.0
        },
        "deprecated": false,
        "id": "CVE-2026-3189-7b4f6945",
        "target": {
            "function": "uploadFile",
            "file": "sz-service/sz-service-admin/src/main/java/com/sz/admin/system/service/impl/SysFileServiceImpl.java"
        }
    },
    {
        "source": "https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "277942120457754224802171963001660316056",
                "88837087369728294789047350726325442175",
                "235235260745382181237867899821030565974",
                "15742790080606154877780864469318451144",
                "231192593096753076971379037027650252815",
                "283608100241087537028963326420930173127",
                "305846107919889889682150550143677653953",
                "313352502671975385882582273382790166756"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-3189-863be5ed",
        "target": {
            "file": "sz-common/sz-common-core/src/main/java/com/sz/core/common/enums/CommonResponseEnum.java"
        }
    },
    {
        "source": "https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "225278081170458871218076099460204604216",
            "length": 611.0
        },
        "deprecated": false,
        "id": "CVE-2026-3189-99ab2139",
        "target": {
            "function": "urlDownload",
            "file": "sz-service/sz-service-admin/src/main/java/com/sz/admin/system/service/impl/CommonServiceImpl.java"
        }
    },
    {
        "source": "https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "103138851156029986833163544553542688400",
                "109618906410909670291605387106640317792",
                "60778242656958474165163829742022739704",
                "196975535504903561188456788947563278753",
                "240200906823074802306116717207224145263",
                "337650335776309080559168071809135516213",
                "140067407883095246107825187588006492025",
                "42294433730485082846360042258796992520",
                "239791871285488964924840426468120753147",
                "180561142787809721723887880360824244471",
                "291039854275591684202010979994120181055",
                "30839313325673629537549220149649326349",
                "77685321241126713991814648024566266221"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-3189-b0bec15b",
        "target": {
            "file": "sz-common/sz-common-oss/src/main/java/com/sz/oss/OssClient.java"
        }
    },
    {
        "source": "https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "219440635577386967702728018467494114535",
                "274713120834129023108041582438663570771",
                "332555259173332961810998646747950140923",
                "116274267578782298374217174753197197545",
                "83214300295503441277927501406928722994",
                "245551531657935898725553262143855049599",
                "303812482602061557159547400622892344696",
                "243015244187948900821873619343399406478",
                "36155483903363266227726369675222470404",
                "302677085514228203606156016271870625560",
                "79729122850387585055962612807087702634",
                "280436730576346234974564080073639337604",
                "296284648725456880477082201465509265358",
                "338572306453143723672042702560475775543",
                "15337108793607785757019877705392563981",
                "78418422176974080163608964182484926822",
                "290008086871022100423469916381280328026",
                "227412099732104436736556730522483151363",
                "32384376755146565297952128543851637210",
                "247367233454898545863512972355923508535",
                "288935083785579605236106196027180320286",
                "159159567493344269134286897692888767198"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-3189-d3a4ab97",
        "target": {
            "file": "sz-service/sz-service-admin/src/main/java/com/sz/admin/system/service/impl/SysFileServiceImpl.java"
        }
    },
    {
        "source": "https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "247997219865391784818402276383106638516",
                "82476260474160191190619696386489110591"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-3189-f2e197dc",
        "target": {
            "file": "sz-common/sz-common-core/src/main/java/com/sz/core/util/Utils.java"
        }
    },
    {
        "source": "https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "37567395144001211202463691524831225894",
                "165548830934288695250151783318675438571",
                "151277052329436100383129648884142921812",
                "258731638997879764379183999121629997132"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-3189-f8c5b70a",
        "target": {
            "file": "sz-common/sz-common-oss/src/main/java/com/sz/oss/OssProperties.java"
        }
    }
]
vanir_signatures_modified
"2026-07-15T20:06:14Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3189.json"