Cyber Resilience

CVE-2026-4623

Medium

Published: 24 March 2026

Published
24 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0007 20.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4623 is a medium-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4623 is a server-side request forgery (SSRF) vulnerability in the DefaultFuction Jeson-Customer-Relationship-Management-System, affecting versions up to commit 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. The issue resides in an unknown function within the file /api/System.php of the API Module, where manipulation of the 'url' argument triggers the forgery. This open-source project uses continuous delivery with rolling releases, so no specific version numbers for affected or patched releases are available.

The vulnerability can be exploited remotely by unauthenticated attackers over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to make unauthorized requests from the server to internal or external resources.

Mitigation involves applying the patch identified by commits f76e7123fe093b8675f88ec8f71725b0dd186310 and 98bd4eb07fa19d4f2c5228de6395580013c97476, available in the project's GitHub repository. Related discussions and the disclosure are documented in GitHub issues #2 and associated comments.

The exploit has been publicly disclosed and may be in use, corresponding to CWE-918.

EU & UK References

Vulnerability details

A security vulnerability has been detected in DefaultFuction Jeson-Customer-Relationship-Management-System up to 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. This affects an unknown function of the file /api/System.php of the component API Module. The manipulation of the argument url leads to server-side request forgery. The attack can…

more

be initiated remotely. The exploit has been disclosed publicly and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The identifier of the patch is f76e7123fe093b8675f88ec8f71725b0dd186310/98bd4eb07fa19d4f2c5228de6395580013c97476. It is suggested to install a patch to address this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in public-facing web app (CRM API) directly enables remote exploitation of exposed applications (T1190); commonly abused to probe/scan internal hosts and services via crafted URLs (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13924Shared CWE-918
CVE-2026-42860Shared CWE-918
CVE-2025-25785Shared CWE-918
CVE-2024-53705Shared CWE-918
CVE-2026-5418Shared CWE-918
CVE-2026-45082Shared CWE-918
CVE-2026-7065Shared CWE-918
CVE-2025-55150Shared CWE-918
CVE-2025-28091Shared CWE-918
CVE-2025-1849Shared CWE-918

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates SSRF by validating the manipulated 'url' argument in /api/System.php to ensure only safe inputs are processed.

prevent

Requires timely flaw remediation by applying the specified patch commits f76e7123fe093b8675f88ec8f71725b0dd186310 and 98bd4eb07fa19d4f2c5228de6395580013c97476.

preventdetect

Monitors and controls communications at boundaries to block or detect unauthorized outbound requests triggered by SSRF exploitation.

References