CVE-2026-4955
Published: 27 March 2026
Summary
CVE-2026-4955 is a medium-severity Injection (CWE-74) vulnerability in Feishu (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-4955 is a SQL injection vulnerability (CWE-74, CWE-89) in Shenzhen Ruiming Technology's Streamax Crocus version 1.3.44. The issue affects an unknown function within the /OperateStatistic.do file, where manipulation of the VehicleID argument triggers the injection.
The vulnerability enables remote exploitation with no privileges required, low attack complexity, and no user interaction needed, as reflected in its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Attackers can achieve limited impacts on confidentiality, integrity, and availability. An exploit has been made public and could be used.
Advisories from VulDB indicate the vendor was contacted early about the disclosure but provided no response, with no patches or mitigations detailed. Relevant references include https://vuldb.com/?ctiid.353143, https://vuldb.com/?id.353143, https://vuldb.com/?submit.776083, https://vuldb.com/?submit.778514, and https://my.feishu.cn/docx/C16HdO89zo9OCrxn5B2c8bTqnvb?from=from_copylink.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16654
Vulnerability details
A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. This impacts an unknown function of the file /OperateStatistic.do. The manipulation of the argument VehicleID results in sql injection. The attack can be launched remotely. The exploit has been…
more
made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote SQL injection in public-facing web app (/OperateStatistic.do) directly enables T1190 Exploit Public-Facing Application with no auth or interaction required.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection by validating the VehicleID parameter to ensure it contains only expected, safe input before processing in database queries.
Ensures timely identification, reporting, and correction of flaws like this SQL injection vulnerability through patching or code fixes.
Vulnerability scanning tools detect SQL injection flaws in endpoints like /OperateStatistic.do, enabling proactive remediation.