Crmeb


Products by Crmeb Sorted by Most Security Vulnerabilities since 2018

Crmeb: 31 vulnerabilities

Crmeb Java: 8 vulnerabilities

By the Year

In 2026 there have been 7 vulnerabilities in Crmeb, with an average score of 5.6 out of ten. Last year, in 2025, Crmeb had 6 security vulnerabilities published. That is, 1 more vulnerability has already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.20.




Year Vulnerabilities Average Score
2026 7 5.60
2025 6 5.80
2024 11 7.45
2023 10 8.25
2022 0 0.00
2021 3 7.63
2020 1 9.80

It may take a day or so for new Crmeb vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Crmeb Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-10771 Jun 03, 2026
CRMEb_Java 1.4 SSRF via RestTemplate.getForEntity in Base64 QR Endpoint
A vulnerability was found in crmeb crmeb_java 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation of the argument url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Crmeb Java
CVE-2026-1734 Feb 01, 2026
Zhong Bang CRMEB 5.6.0-5.6.3 Crontab Endpoint Auth Bypass
A security flaw has been discovered in Zhong Bang CRMEB up to 5.6.3. This vulnerability affects unknown code of the file crmeb/app/api/controller/v1/CrontabController.php of the component crontab Endpoint. The manipulation results in missing authorization. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Crmeb
CVE-2026-1733 Feb 01, 2026
Zhong Bang CRMEB 5.6.0-5.6.3 detail/tidyOrder auth Bypass
A vulnerability was identified in Zhong Bang CRMEB up to 5.6.3. This affects the function detail/tidyOrder of the file /api/store_integral/order/detail/:uni. The manipulation of the argument order_id leads to improper authorization. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Crmeb
CVE-2026-1203 Jan 20, 2026
CRMEB <=5.6.3: Remote Auth Bypass via JSON Token Handler
A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Crmeb
CVE-2026-1202 Jan 20, 2026
CRMEB <=5.6.3 AppleLogin OpenID Auth Bypass
A security flaw has been discovered in CRMEB up to 5.6.3. The affected element is the function appleLogin of the file crmeb/app/api/controller/v1/LoginController.php. Performing a manipulation of the argument openId results in improper authentication. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Crmeb
CVE-2025-15443 Jan 04, 2026
SQLi in CRMEB <=5.6.1 via /adminapi/product_export cate_id
A vulnerability was identified in CRMEB up to 5.6.1. This issue affects some unknown processing of the file /adminapi/product/product_export. Such manipulation of the argument cate_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Crmeb
CVE-2025-15442 Jan 04, 2026
PHP CRMEB <=5.6.1 SQLi via /adminapi/export/product_list cate_id
A vulnerability was determined in CRMEB up to 5.6.1. This vulnerability affects unknown code of the file /adminapi/export/product_list. This manipulation of the argument cate_id causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Crmeb
CVE-2025-11290 Oct 05, 2025
CVE-2025-11290: CRMEB <=5.6.1 JWT HMAC Secret Key Bypass
A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads to use of hard-coded cryptographic key. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Crmeb
CVE-2025-11288 Oct 05, 2025
CRMEB <=5.6 Remote SQLi via GET param cate_id in GET Parameter Handler
A security flaw has been discovered in CRMEB up to 5.6. This issue affects some unknown processing of the file /adminapi/product/product of the component GET Parameter Handler. Performing a manipulation of the argument cate_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Crmeb
CVE-2025-10391 Sep 14, 2025
SSRF via testOutUrl in CRMEB <=5.6.1 (push_token_url)
A security vulnerability has been detected in CRMEB up to 5.6.1. The impacted element is the function testOutUrl of the file app/services/out/OutAccountServices.php. The manipulation of the argument push_token_url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Crmeb
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).