CVE-2026-4623

High

Published: 24 March 2026

Published

24 March 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0006 19.5th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4623 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates SSRF by validating the manipulated 'url' argument in /api/System.php to ensure only safe inputs are processed.

SI-2 Flaw Remediation good match

prevent

Requires timely flaw remediation by applying the specified patch commits f76e7123fe093b8675f88ec8f71725b0dd186310 and 98bd4eb07fa19d4f2c5228de6395580013c97476.

SC-7 Boundary Protection partial match

preventdetect

Monitors and controls communications at boundaries to block or detect unauthorized outbound requests triggered by SSRF exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1046 Network Service Discovery Discovery

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

attack.mitre.org →

Why these techniques?

SSRF in public-facing web app (CRM API) directly enables remote exploitation of exposed applications (T1190); commonly abused to probe/scan internal hosts and services via crafted URLs (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A security vulnerability has been detected in DefaultFuction Jeson-Customer-Relationship-Management-System up to 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. This affects an unknown function of the file /api/System.php of the component API Module. The manipulation of the argument url leads to server-side request forgery. The attack can…

be initiated remotely. The exploit has been disclosed publicly and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The identifier of the patch is f76e7123fe093b8675f88ec8f71725b0dd186310/98bd4eb07fa19d4f2c5228de6395580013c97476. It is suggested to install a patch to address this issue.

Deeper analysisAI

CVE-2026-4623 is a server-side request forgery (SSRF) vulnerability in the DefaultFuction Jeson-Customer-Relationship-Management-System, affecting versions up to commit 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. The issue resides in an unknown function within the file /api/System.php of the API Module, where manipulation of the 'url' argument triggers the forgery. This open-source project uses continuous delivery with rolling releases, so no specific version numbers for affected or patched releases are available.

The vulnerability can be exploited remotely by unauthenticated attackers over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to make unauthorized requests from the server to internal or external resources.

Mitigation involves applying the patch identified by commits f76e7123fe093b8675f88ec8f71725b0dd186310 and 98bd4eb07fa19d4f2c5228de6395580013c97476, available in the project's GitHub repository. Related discussions and the disclosure are documented in GitHub issues #2 and associated comments.

The exploit has been publicly disclosed and may be in use, corresponding to CWE-918.

Details

CWE(s): CWE-918

CVEs Like This One

CVE-2026-0686Shared CWE-918

CVE-2025-1849Shared CWE-918

CVE-2025-1848Shared CWE-918

CVE-2026-4528Shared CWE-918

CVE-2025-27777Shared CWE-918

CVE-2026-40242Shared CWE-918

CVE-2026-43526Shared CWE-918

CVE-2026-5418Shared CWE-918

CVE-2023-53899Shared CWE-918

CVE-2025-71259Shared CWE-918

References

https://github.com/DefaultFuction/Jeson-Customer-Relationship-Management-System/
cna@vuldb.com
https://github.com/DefaultFuction/Jeson-Customer-Relationship-Management-System/commit/f76e7123fe093b8675f88ec8f71725b0dd186310
cna@vuldb.com
https://github.com/DefaultFuction/Jeson-Customer-Relationship-Management-System/issues/2
cna@vuldb.com
https://github.com/DefaultFuction/Jeson-Customer-Relationship-Management-System/issues/2#issue-4045330588
cna@vuldb.com
https://github.com/DefaultFuction/Jeson-Customer-Relationship-Management-System/issues/2#issuecomment-4023480586
cna@vuldb.com
https://vuldb.com/?ctiid.352482
cna@vuldb.com
https://vuldb.com/?id.352482
cna@vuldb.com
https://vuldb.com/?submit.775760
cna@vuldb.com