CVE-2026-16222
Received Received - Intake

Server-Side Request Forgery in 1Panel-dev CordysCRM

Vulnerability report for CVE-2026-16222, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-19

Last updated on: 2026-07-19

Assigner: VulDB

Description

A vulnerability was found in 1Panel-dev CordysCRM up to 1.4.1. This issue affects some unknown processing of the file backend/crm/src/main/java/cn/cordys/crm/integration/sso/service/TokenService.java of the component Third Party Endpoint. Performing a manipulation of the argument mkAddress results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The project closed the issue report, stating that this is not the official way to report a security vulnerability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-19
Last Modified
2026-07-19
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
1panel-dev cordyscrm to 1.4.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a Server-Side Request Forgery (SSRF) vulnerability in CordysCRM version 1.4.1. It occurs because the mkAddress parameter is not properly validated or sanitized when processing requests. Attackers can manipulate this parameter to force the server to make HTTP requests to arbitrary internal or external addresses without restrictions.

Detection Guidance

To detect this SSRF vulnerability, monitor network traffic for unusual outbound requests from the CordysCRM server, particularly to internal or unexpected external addresses. Check logs for requests containing the mkAddress parameter with suspicious values like internal IP ranges or unexpected domains. Use tools like tcpdump or Wireshark to capture traffic from the server hosting CordysCRM.

Impact Analysis

Exploitation allows attackers to probe internal network services, access restricted resources, or perform data leakage. They can also target other internal services with weaker authentication or use the server to make requests to external systems, potentially bypassing security controls.

Compliance Impact

SSRF vulnerabilities can lead to unauthorized data access or exfiltration, violating GDPR's data protection principles and HIPAA's security requirements for safeguarding sensitive health information. Non-compliance may result in legal penalties or reputational damage.

Mitigation Strategies

Immediately upgrade CordysCRM to a patched version if available. If not, implement network-level controls to block outbound requests to internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.x.x, 127.x.x.x). Restrict the mkAddress parameter to whitelisted domains and enforce HTTP/HTTPS protocols only. Disable or restrict access to the vulnerable endpoints until a fix is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16222. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart