CVE-2026-4200
Awaiting Analysis Awaiting Analysis - Queue
Server-Side Request Forgery in glowxq-oj ProblemCaseController

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This affects the function uploadTestcaseZipUrl of the file business/business-oj/src/main/java/com/glowxq/oj/problem/controller/ProblemCaseController.java. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-04-29
Generated
2026-06-19
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-18
NVD
CVE-2026-4200
EUVD
EUVD-2026-12271
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
glowxq glowxq_oj to 6f7c723090472057252040fd2bbbdaa1b5ed2393 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4200 is a server-side request forgery (SSRF) vulnerability found in the glowxq glowxq-oj project. It specifically affects the function uploadTestcaseZipUrl in the ProblemCaseController.java file. The vulnerability occurs because the server accepts a user-controlled URL parameter and uses it directly to download content without proper validation. This allows an attacker to manipulate the URL parameter to make the server perform unauthorized requests to internal or external resources.

The vulnerability can be exploited remotely without any authentication, making it easy for attackers to initiate the attack. The exploit has been publicly released.

Impact Analysis

This vulnerability can impact you by allowing an unauthenticated remote attacker to make the server perform arbitrary requests to internal or external systems. This can lead to unauthorized access to sensitive information, compromise of system integrity, and potential disruption of availability.

Because the server can be tricked into sending requests to unintended locations, attackers might access internal network resources that are otherwise protected, potentially leading to further exploitation or data leakage.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is a server-side request forgery (SSRF) in the uploadTestcaseZipUrl function of glowxq glowxq-oj, which allows an attacker to manipulate a URL parameter to make the server perform unauthorized requests.'}, {'type': 'paragraph', 'content': 'Detection on your network or system would involve monitoring for unusual outbound HTTP requests initiated by the server, especially those triggered by the testcase upload functionality.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves a URL parameter being passed to HttpUtils.download(), you can look for suspicious or unexpected requests to internal or external resources originating from the server.'}, {'type': 'list_item', 'content': 'Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outbound HTTP requests from the server and analyze for unexpected destinations.'}, {'type': 'list_item', 'content': 'Check server logs for requests to the uploadTestcaseZipUrl endpoint with unusual or external URL parameters.'}, {'type': 'list_item', 'content': "Example command to monitor outbound HTTP requests on Linux: sudo tcpdump -i eth0 'tcp port 80 or tcp port 443'"}, {'type': 'list_item', 'content': "Example command to search server logs for suspicious URL parameters: grep -i 'uploadTestcaseZipUrl' /path/to/server/logs/* | grep 'http'"}] [1, 2]

Mitigation Strategies

There are no known patches or countermeasures available for this vulnerability as the vendor has not responded or provided updates.

Immediate mitigation steps include:

  • Disable or restrict access to the uploadTestcaseZipUrl endpoint to prevent exploitation.
  • Implement network-level controls such as firewall rules to restrict outbound HTTP requests from the server to only trusted destinations.
  • Monitor and log all requests to the vulnerable endpoint and outbound requests triggered by it.
  • Consider replacing the vulnerable product with an alternative that does not have this SSRF issue.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4200. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart