DefaultFuction CRM System Exposes Users to Remote Attack

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.9

DefaultFuction CRM System Exposes Users to Remote Attack

CVE-2026-4623

Summary

A security issue in the DefaultFuction Customer Relationship Management System could allow hackers to trick the system into making unauthorized requests on the server. This could be done remotely, without the need for direct access to the system. To protect your data, install any available patches as soon as possible.

Original title

Original description

A security vulnerability has been detected in DefaultFuction Jeson-Customer-Relationship-Management-System up to 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. This affects an unknown function of the file /api/System.php of the component API Module. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The identifier of the patch is f76e7123fe093b8675f88ec8f71725b0dd186310/98bd4eb07fa19d4f2c5228de6395580013c97476. It is suggested to install a patch to address this issue.

nvd CVSS2.0 7.5

nvd CVSS3.1 7.3

nvd CVSS4.0 6.9

Vulnerability type

CWE-918 Server-Side Request Forgery (SSRF)

Published: 24 Mar 2026 · Updated: 24 Mar 2026 · First seen: 24 Mar 2026