Crmeb Java
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Crmeb Java.
By the Year
In 2026 there have been 1 vulnerability in Crmeb Java with an average score of 7.3 out of ten. Crmeb Java did not have any published security vulnerabilities last year. That is, 1 more vulnerability have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 7.30 |
| 2025 | 0 | 0.00 |
| 2024 | 4 | 0.00 |
| 2023 | 3 | 7.47 |
It may take a day or so for new Crmeb Java vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Crmeb Java Security Vulnerabilities
CRMEb_Java 1.4 SSRF via RestTemplate.getForEntity in Base64 QR Endpoint
CVE-2026-10771
7.3 - High
- June 03, 2026
A vulnerability was found in crmeb crmeb_java 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation of the argument url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
SSRF
crmeb_java v1.3.4 SSRF in ImageMergeController's mergeList
CVE-2024-33117
- May 06, 2024
crmeb_java v1.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the mergeList method in class com.zbkj.front.pub.ImageMergeController.
SQL Injection in CRMEB_Java 1.3.4 via groupid param
CVE-2024-28714
- March 28, 2024
SQL Injection vulnerability in CRMEB_Java e-commerce system v.1.3.4 allows an attacker to execute arbitrary code via the groupid parameter.
SQLi in crmeb_java <1.3.4 via /api/front/spread/people GET request
CVE-2024-24110
- March 21, 2024
SQL Injection vulnerability in crmeb_java before v1.3.4 allows attackers to run arbitrary SQL commands via crafted GET request to the component /api/front/spread/people.
SQLi in CRMEB crmeb_java <=1.3.4 API front/store/list
CVE-2024-25469
- February 23, 2024
SQL Injection vulnerability in CRMEB crmeb_java v.1.3.4 and before allows a remote attacker to obtain sensitive information via the latitude and longitude parameters in the api/front/store/list component.
Zhong Bang CRMEB Java <1.3.4: SQL Injection in getAdminList (cateId)
CVE-2023-1608
9.8 - Critical
- March 23, 2023
A vulnerability was found in Zhong Bang CRMEB Java up to 1.3.4. It has been declared as critical. This vulnerability affects the function getAdminList of the file /api/admin/store/product/list. The manipulation of the argument cateId leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-223738 is the identifier assigned to this vulnerability.
SQL Injection
Zhong Bang CRMEB Java <=1.3.4 XSS in /api/admin/store/product/save
CVE-2023-1609
5.4 - Medium
- March 23, 2023
A vulnerability was found in Zhong Bang CRMEB Java up to 1.3.4. It has been rated as problematic. This issue affects the function save of the file /api/admin/store/product/save. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223739.
XSS
CRMEB <=1.3.4 SQLI via /api/admin/user/list
CVE-2023-25223
7.2 - High
- March 07, 2023
CRMEB <=1.3.4 is vulnerable to SQL Injection via /api/admin/user/list.
SQL Injection
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Crmeb Java or by Crmeb? Click the Watch button to subscribe.
