CVE-2026-3189 | feiyuchuixue sz-boot-parent up to 1.3.2-beta download url server-side request forgery

A vulnerability classified as critical was found in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This vulnerability affects unknown code of the file /api/admin/common/files/download. Executing a manipulation of the argument url can lead to server-side request forgery.

This vulnerability is handled as CVE-2026-3189. The attack can be executed remotely. There is not any exploit available.

Upgrading the affected component is advised.

The project was informed beforehand and acted very professional: “We have added a URL protocol whitelist validation to the file download interface, allowing only http and https protocols.”

CVE-2026-3189 | feiyuchuixue sz-boot-parent up to 1.3.2-beta download url server-side request forgery

Post correlati

CVE-2024-22532 | Steinbeis Allegra serveMathJaxLibraries path traversal

CVE-2025-12930 | SourceCodester Food Ordering System 1.0 /view-ticket.php ID sql injection

CVE-2022-48899 | Linux Kernel up to 4.19.269/5.4.228/5.10.163/5.15.88/6.1.6 virtio use after free

CVE-2026-1963 | WeKan up to 8.20 Attachment Storage models/attachments.js MoveStorageBleed access control