{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4955", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-27T07:55:11.697Z", "datePublished": "2026-03-27T14:51:41.253Z", "dateUpdated": "2026-03-27T19:57:55.525Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-27T14:51:41.253Z"}, "title": "Shenzhen Ruiming Technology Streamax Crocus OperateStatistic.do sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Shenzhen Ruiming Technology", "product": "Streamax Crocus", "versions": [{"version": "1.3.44", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. This impacts an unknown function of the file /OperateStatistic.do. The manipulation of the argument VehicleID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-25T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-25T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-27T09:00:21.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "0menc (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.353143", "name": "VDB-353143 | Shenzhen Ruiming Technology Streamax Crocus OperateStatistic.do sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.353143", "name": "VDB-353143 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.776083", "name": "Submit #776083 | Shenzhen Ruiming Technology Co., Ltd. Crocus System 1.3.44 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/?submit.778514", "name": "Submit #778514 | Shenzhen Ruiming Technology Co., Ltd. Streamax Crocus O&M Platform 1.3.44 SQL Injection (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://my.feishu.cn/docx/C16HdO89zo9OCrxn5B2c8bTqnvb?from=from_copylink", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T18:51:35.635723Z", "id": "CVE-2026-4955", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:57:55.525Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4955", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T18:51:35.635723Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:51:38.831Z"}}], "cna": {"title": "Shenzhen Ruiming Technology Streamax Crocus OperateStatistic.do sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "0menc (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Shenzhen Ruiming Technology", "product": "Streamax Crocus", "versions": [{"status": "affected", "version": "1.3.44"}]}], "timeline": [{"lang": "en", "time": "2026-03-25T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-25T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-27T09:00:21.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.353143", "name": "VDB-353143 | Shenzhen Ruiming Technology Streamax Crocus OperateStatistic.do sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.353143", "name": "VDB-353143 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.776083", "name": "Submit #776083 | Shenzhen Ruiming Technology Co., Ltd. Crocus System 1.3.44 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/?submit.778514", "name": "Submit #778514 | Shenzhen Ruiming Technology Co., Ltd. Streamax Crocus O&M Platform 1.3.44 SQL Injection (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://my.feishu.cn/docx/C16HdO89zo9OCrxn5B2c8bTqnvb?from=from_copylink", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. This impacts an unknown function of the file /OperateStatistic.do. The manipulation of the argument VehicleID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-27T14:51:41.253Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4955", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:57:55.525Z", "dateReserved": "2026-03-27T07:55:11.697Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-27T14:51:41.253Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. This impacts an unknown function of the file /OperateStatistic.do. The manipulation of the argument VehicleID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-4955", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-27T15:17:03.110", "references": [{"source": "cna@vuldb.com", "url": "https://my.feishu.cn/docx/C16HdO89zo9OCrxn5B2c8bTqnvb?from=from_copylink"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.353143"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.353143"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.776083"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.778514"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.3.44"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Streamax Crocus", "source": "cna", "vendor": "Shenzhen Ruiming Technology"}, "product": "streamax_crocus", "vendor": "shenzhen_ruiming_technology"}], "analysis": {"en": {"generated_at": "2026-03-27T16:21:00.759485+00:00", "value": {"mitigation_remediation": ["Upgrade Streamax Crocus to the latest version which fixes the OperateStatistic.do SQL injection vulnerability.", "If a fix is not available, restrict access to OperateStatistic.do, allowing only trusted IP addresses, or block the endpoint entirely.", "Implement a web application firewall that filters the VehicleID parameter for SQL injection patterns.", "Reduce database privileges for the application to the least privilege needed, preventing potential data exfiltration or command execution.", "Enable comprehensive logging of queries to detect injection attempts and investigate anomalies."], "summary": {"action": "Immediate Patch", "impact": "Remote SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is Shenzhen Ruiming Technology Streamax Crocus version 1.3.44. No other versions or products are listed as vulnerable in the available data.", "description_and_impact": "Shenzhen Ruiming Technology Streamax Crocus 1.3.44 contains a flaw in the OperateStatistic.do servlet where the VehicleID parameter is concatenated directly into SQL statements. An attacker who can reach the web interface can supply a crafted VehicleID value to inject arbitrary SQL. This flaw is a textbook example of CWE-89 (SQL Injection) combined with improper encoding (CWE-74) and can lead to unauthorized data disclosure, modification, or even remote code execution if the database connection is granted excessive privileges. The vulnerability is exploitable over the network without authentication.", "risk_and_exploitability": "The CVSS score for this vulnerability is 6.9, which places it in the medium severity range. The EPSS score is not available, but the vulnerability is publicly disclosed and an exploit has been made available. The attack can be launched remotely by sending a specially crafted HTTP request to OperateStatistic.do. Because the flaw allows SQL injection, attackers could exfiltrate sensitive data or elevate privileges, potentially compromising the entire system. Although the vulnerability is not yet listed in the CISA KEV catalog, the presence of a public exploit and the remote nature of the attack vector mean that systems running this product should be treated as high risk until a patch is applied."}}}}, "created": "2026-03-27T20:28:22.550999+00:00", "updated": "2026-03-30T07:01:38.909357+00:00", "vendors": ["shenzhen_ruiming_technology", "shenzhen_ruiming_technology$PRODUCT$streamax_crocus"]}