CVE-2026-4200
Published: 16 March 2026
Summary
CVE-2026-4200 is a high-severity SSRF (CWE-918) vulnerability in Feishu (inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates SSRF by validating user-supplied inputs to the uploadTestcaseZipUrl function to prevent forging requests to arbitrary internal or external destinations.
Enforces boundary protection to monitor and control outbound communications, blocking unauthorized server-initiated requests resulting from SSRF exploitation.
Enforces information flow control policies that restrict server requests to approved destinations, limiting the scope of SSRF impacts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing web app (uploadTestcaseZipUrl) directly enables initial access via T1190 Exploit Public-Facing Application; arbitrary server requests to internal destinations facilitate network/service discovery via T1046 Network Service Discovery and T1018 Remote System Discovery.
NVD Description
A security flaw has been discovered in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This affects the function uploadTestcaseZipUrl of the file business/business-oj/src/main/java/com/glowxq/oj/problem/controller/ProblemCaseController.java. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been released…
more
to the public and may be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-4200 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the glowxq-oj component up to commit 6f7c723090472057252040fd2bbbdaa1b5ed2393. The flaw resides in the uploadTestcaseZipUrl function within the file business/business-oj/src/main/java/com/glowxq/oj/problem/controller/ProblemCaseController.java. This Java-based online judge (OJ) software uses continuous delivery with rolling releases, so no specific version numbers for affected or patched releases are available.
Remote attackers can exploit this vulnerability with no privileges required, low attack complexity, and no user interaction, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). By manipulating the affected function, attackers can forge requests from the server to arbitrary destinations, potentially leading to low-level impacts on confidentiality, integrity, and availability, such as unauthorized internal network access or resource exhaustion.
Advisories from VulDB note that an exploit has been publicly released and may be used in attacks, with the vendor contacted early but providing no response. References include detailed entries on VulDB (ctiid.351112, id.351112, submit.770476) and a Feishu document, but no patches or mitigations are specified due to the rolling release model.
The public availability of the exploit increases the risk of active exploitation against unpatched glowxq-oj deployments.
Details
- CWE(s)