CVE-2026-3189

Source
https://cve.org/CVERecord?id=CVE-2026-3189
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3189.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-3189
Published
2026-02-25T17:25:42.470Z
Modified
2026-04-12T20:14:12.443291Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. It affects unknown code in the file /api/admin/common/files/download. Manipulating the argument url can lead to server-side request forgery. The attack can be executed remotely, but it is highly complex and exploitability is stated to be difficult. Upgrading to version 1.3.3-beta resolves this issue; the patch is aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is advised. The project was informed beforehand and acted very professionally: "We have added a URL protocol whitelist validation to the file download interface, allowing only http and https protocols."

References

Affected packages

Git / github.com/feiyuchuixue/sz-boot-parent

Affected ranges

Type
GIT
Repo
https://github.com/feiyuchuixue/sz-boot-parent
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.7.10
v0.7.11
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.9.0
v1.*
v1.0.0-beta
v1.0.1-beta
v1.1.0-beta
v1.2.0-beta
v1.2.1-beta
v1.2.2-beta
v1.2.3-beta
v1.2.4-beta
v1.2.5-beta
v1.2.6-beta
v1.3.0-beta
v1.3.1-beta
v1.3.2-beta

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3189.json"
vanir_signatures_modified
"2026-04-12T20:14:12Z"
vanir_signatures