
Feiyuchuixue sz-boot-parent download feature can be tricked by attackers

CVE-2026-3189
Summary

A server-side request forgery (SSRF) weakness in the download feature of Feiyuchuixue sz-boot-parent lets an attacker manipulate the url argument so that the server makes requests it should not. Upgrading to version 1.3.3-beta or later fixes it. The developers fixed the issue by adding a check that allows downloads only over HTTP or HTTPS.
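
A scheme allowlist of the kind the fix describes, as an added example rather than the project's own patch code; it is written in Java on the assumption that the project is a Spring Boot (JVM) code base, and the class and method names are hypothetical. It goes beyond the described fix by also rejecting hosts that resolve to loopback, link-local or private addresses, a common companion check for CWE-918.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Locale;
import java.util.Set;
// Added illustration; class and method names are hypothetical, not the project's code.
public class DownloadUrlCheck {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    /** Returns null when the URL is acceptable, otherwise the reason it is rejected. */
    static String rejectReason(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return "malformed URL";
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return "scheme not allowed";
        }
        String host = uri.getHost();
        if (host == null) {
            return "missing host";
        }
        try {
            // Beyond the described fix: check every address the host resolves to.
            for (InetAddress a : InetAddress.getAllByName(host)) {
                if (a.isLoopbackAddress() || a.isAnyLocalAddress()
                        || a.isLinkLocalAddress() || a.isSiteLocalAddress()) {
                    return "internal address";
                }
            }
        } catch (UnknownHostException e) {
            return "unresolvable host";
        }
        return null;
    }
    public static void main(String[] args) {
        // Constructed sample inputs (IP literals, so no DNS lookup is needed).
        for (String u : List.of("https://203.0.113.10/report.pdf", "file:///etc/hosts",
                "HTTP://127.0.0.1:8080/health", "http://10.0.0.5/", "ftp://203.0.113.10/")) {
            String reason = rejectReason(u);
            System.out.println(u + " -> " + (reason == null ? "allowed" : "rejected: " + reason));
        }
    }
}
```

The check only holds if the HTTP client then connects to the address that was validated and applies the same check to every redirect target.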

Original title
A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This vulnerability affects unknown code of the file /api/admin/common/files/download. Executing a manipulation of the...
Original description
A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This vulnerability affects unknown code of the file /api/admin/common/files/download. Executing a manipulation of the argument url can lead to server-side request forgery. The attack can be executed remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. Upgrading to version 1.3.3-beta is able to resolve this issue. This patch is called aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is advised. The project was informed beforehand and acted very professionally: "We have added a URL protocol whitelist validation to the file download interface, allowing only http and https protocols."
nvd CVSS2.0 2.1
nvd CVSS3.1 3.1
nvd CVSS4.0 2.3
Vulnerability type
CWE-918 Server-Side Request Forgery (SSRF)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026