CVE-2026-8320
Server-Side Request Forgery in jshERP
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jishenghua | jsherp | to 3.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-8320 vulnerability allows an authenticated admin user to manipulate the WeChat integration URL, leading to server-side request forgery (SSRF). This can expose internal network resources, cloud metadata, and sensitive credentials such as WeChat API keys.
Such exposure of sensitive data and internal resources can lead to unauthorized access and data breaches, which may violate data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.
Specifically, the risk of credential exfiltration and internal network scanning increases the likelihood of compromising confidential data, potentially resulting in non-compliance with standards mandating strict access controls, data confidentiality, and breach notification.
Mitigation recommendations such as implementing whitelists, validating URLs, audit logging, re-authentication, network segmentation, and monitoring outbound requests are important to reduce compliance risks.
Can you explain this vulnerability to me?
CVE-2026-8320 is a Server-Side Request Forgery (SSRF) vulnerability in the jshERP application up to version 3.6. It affects the function getUserByWeixinCode via the updatePlatformConfigByKey endpoint, where an authenticated admin user can manipulate the weixinUrl parameter to an arbitrary URL.
This manipulation causes the application to make requests to attacker-controlled or internal URLs when WeChat login is triggered, potentially exposing internal network resources, cloud metadata, and WeChat API credentials.
The vulnerability arises because the application does not properly validate which configuration keys can be modified, trusts database-stored URLs without re-validation, and transmits sensitive credentials in URL query parameters.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with admin access to perform unauthorized internal network scanning and access sensitive internal services.
It can lead to exposure and theft of cloud metadata (such as AWS instance metadata), WeChat API credentials, and other internal service information.
Attackers can also exfiltrate sensitive data by redirecting requests to attacker-controlled domains, potentially compromising the security of the entire deployment.
This risk is especially significant in cloud environments (AWS, GCP, Azure) and setups where internal services are accessible from the application server.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or unauthorized modifications to the weixinUrl parameter via the /platformConfig/updatePlatformConfigByKey endpoint, especially by admin users. Detection can also involve auditing outbound HTTP requests from the application server to unexpected or internal IP addresses, such as cloud metadata endpoints (e.g., AWS 169.254.169.254) or attacker-controlled domains.
Suggested commands include inspecting web server or application logs for POST requests to /platformConfig/updatePlatformConfigByKey with changes to the weixinUrl parameter. For example, using grep on logs:
- grep "/platformConfig/updatePlatformConfigByKey" /var/log/app_access.log | grep "weixinUrl"
Additionally, monitoring outbound HTTP requests from the server can be done with tools like tcpdump or curl to detect suspicious connections:
- tcpdump -i eth0 host 169.254.169.254
- netstat -anp | grep ESTABLISHED
Reviewing application database entries for unexpected or unauthorized weixinUrl values can also help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing a whitelist for allowed configuration keys to prevent unauthorized modification of sensitive keys like weixinUrl.
Validate the weixinUrl parameter against a strict WeChat domain pattern to ensure only legitimate URLs are accepted.
Move sensitive URLs and credentials from the database to environment variables or secure configuration files to avoid trusting user-modifiable data.
Additional recommended measures include enabling audit logging for configuration changes, requiring re-authentication for sensitive modifications, implementing network segmentation to restrict access to internal services, and monitoring outbound HTTP requests for suspicious activity.