
QingdaoU OnlineJudge up to 1.6.1 Allows Server-Side Request Forgery

CVE-2026-5538
Summary

If you're running QingdaoU OnlineJudge version 1.6.1 or earlier, a remote attacker could trick the server into making unauthorized requests to other servers (server-side request forgery) by manipulating the service_url handled by the judge_server_heartbeat endpoint. This could be a security risk if your users' sensitive data is accessed or manipulated. We recommend updating to a newer version of QingdaoU OnlineJudge to fix this issue.

Original title
A vulnerability was detected in QingdaoU OnlineJudge up to 1.6.1. Affected by this issue is the function service_url of the file JudgeServer.service_url of the component judge_server_heartbeat Endp...
Original description
A vulnerability was detected in QingdaoU OnlineJudge up to 1.6.1. Affected by this issue is the function service_url of the file JudgeServer.service_url of the component judge_server_heartbeat Endpoint. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
NVD CVSS 2.0: 6.5
NVD CVSS 3.1: 6.3
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-918 Server-Side Request Forgery (SSRF)
Published: 5 Apr 2026 · Updated: 5 Apr 2026 · First seen: 5 Apr 2026
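
Added example, not QingdaoU OnlineJudge code: one way a server could vet a heartbeat-supplied `service_url` before storing it or sending requests to it. It assumes the server later issues HTTP requests to that URL; `check_service_url`, `_is_internal` and the `resolve` parameter are hypothetical names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(ip):
    """True for addresses a judge-server callback should never point at."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_service_url(url, resolve=socket.getaddrinfo):
    """Return the sorted IPs the URL resolves to, or raise ValueError.

    `resolve` is injectable (hypothetical parameter) so the check can be
    exercised offline with a constructed DNS table.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolve(parts.hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise ValueError("host does not resolve") from exc
    # sockaddr[0] is the address; drop any IPv6 scope id ("fe80::1%eth0").
    addrs = {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}
    if not addrs:
        raise ValueError("host does not resolve")
    # Reject if ANY record is internal: a mixed answer would let the later
    # request land on the internal address.
    bad = sorted(str(a) for a in addrs if _is_internal(a))
    if bad:
        raise ValueError("resolves to internal address: " + ", ".join(bad))
    return sorted(str(a) for a in addrs)
```

The check only holds if the later request connects to one of the returned addresses and does not follow redirects, because a second DNS lookup can return a different answer.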