MEDIUM 4.7

CVE-2026-11469: jshERP Server-Side Request Forgery via Platform Configuration

A vulnerability exists in jishenghua jshERP versions up to 3.6 that allows an authenticated administrator to perform server-side request forgery (SSRF) attacks by manipulating configuration parameters. An attacker with high-level privileges can craft malicious input to the platformConfig add endpoint, causing the server to make unintended requests to internal or external systems. This vulnerability requires authentication and administrative access to exploit, limiting immediate risk but potentially enabling lateral movement or data exfiltration once an admin account is compromised.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.7 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-918
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A flaw has been found in jishenghua jshERP up to 3.6. Impacted is the function insertPlatformConfig of the file jshERP-boot/src/main/java/com/jsh/erp/service/PlatformConfigService.java of the component platformConfig Add Endpoint. Executing a manipulation of the argument platformValue can lead to server-side request forgery. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the insertPlatformConfig function within the PlatformConfigService.java component of jshERP-boot. The platformValue argument is not properly validated or sanitized before being used in server-side requests. This classic SSRF flaw (CWE-918) allows manipulation of the parameter to redirect HTTP requests initiated by the application server to attacker-controlled destinations. The attack surface is the platformConfig Add Endpoint, accessible only to authenticated users with administrative privileges. Exploitation does not require user interaction.

Business impact

Organizations deploying jshERP face potential data breach and lateral network movement if administrative credentials are compromised. An attacker gaining admin access could leverage this SSRF to scan internal network infrastructure, access internal services (databases, caches, APIs), or trigger actions on behalf of the server. This could lead to unauthorized access to sensitive business data, disruption of internal systems, or use of the server as a proxy for further attacks. The vulnerability is particularly concerning in supply chain scenarios where jshERP is integrated with multiple backend systems.

Affected systems

jishenghua jshERP versions up to and including 3.6 are affected. The vulnerability impacts the platformConfig management functionality in the jshERP-boot application. No patched version has been officially released by the vendor as of the modification date. Organizations should verify their jshERP deployment version against upstream advisories.

Exploitability

The vulnerability is exploitable remotely but requires high-privilege (administrator) authentication to the jshERP application. The attack has low complexity once a valid admin session exists. A published exploit is available, reducing the technical barrier for attackers with valid credentials. The requirement for administrative access significantly limits the exploitability window compared to pre-authentication flaws, but the availability of public exploit code means defenders should assume rapid weaponization if admin accounts are breached.

Remediation

Upgrade jshERP to a patched version when released by the vendor. Monitor vendor advisories and security communications closely, as the project has been notified but has not yet published a fix. Until a patch is available, implement strict access controls limiting administrative access to trusted personnel only, enforce multi-factor authentication for admin accounts, and segment jshERP from critical internal systems using network policies. Consider disabling the platformConfig Add Endpoint if not required for operations.

Patch guidance

Verify the latest available version of jshERP against the vendor's official release notes and security advisories at the jishenghua project repository. As no patched version number is currently documented in vulnerability databases, contact the vendor directly or monitor their GitHub releases for a fix addressing CWE-918 in the PlatformConfigService component. Apply patches to non-production environments first and validate that platformConfig functionality operates as expected before production deployment.

Detection guidance

Monitor HTTP logs and application request logs for suspicious POST requests to the platformConfig Add Endpoint originating from unusual internal or external IP addresses. Watch for platformValue parameters containing URLs, IP addresses, or hostnames pointing to internal services (127.0.0.1, private ranges, or internal domain names). Implement WAF rules to block platformValue payloads containing scheme indicators (http://, https://, ftp://, etc.). Enable and audit access logs for the PlatformConfigService component to identify unauthorized or anomalous admin activity. Consider network-level SSRF detection by monitoring outbound connections initiated by the jshERP process to unexpected destinations.

Why prioritize this

Despite a CVSS 4.7 MEDIUM score, this vulnerability warrants immediate attention due to SSRF capability, published exploit availability, and vendor non-response. While authentication is required, a compromised admin account immediately exposes internal infrastructure. Organizations should deprioritize only if jshERP is air-gapped, has zero external admin access, or is not integrated with sensitive backend systems. Patch when available and strengthen access controls immediately.

Risk score, explained

The CVSS 3.1 score of 4.7 reflects the authentication requirement (PR:H) which substantially lowers severity despite remote network accessibility (AV:N). The impact is partial—confidentiality, integrity, and availability are each limited to low impact (C:L/I:L/A:L). The vector indicates no user interaction required and no scope escalation. However, the real-world risk is elevated by the existence of a public exploit and the vendor's lack of response, making this a higher operational priority than the base score alone suggests.

Frequently asked questions

Do we need to patch immediately if we don't expose jshERP to untrusted users?

Not immediately, but urgently. The constraint is administrative access, not public access. If your jshERP instance is only accessible to internal trusted admins over a private network and those credentials have not been compromised, risk is lower. However, you should still patch when available and implement multi-factor authentication on all admin accounts as a precaution. Assume credentials may be harvested through phishing or lateral compromise.

What is server-side request forgery and why is it dangerous in jshERP?

SSRF allows the server itself to make HTTP requests to destinations controlled by an attacker. In jshERP, an admin attacker can force the server to scan your internal network, access internal databases, read internal APIs, or interact with cloud metadata services. This is especially dangerous if jshERP has backend integrations or sits in a DMZ with access to internal systems that external users cannot reach directly.

Is there a workaround if we cannot patch immediately?

Yes. Disable or restrict access to the platformConfig Add Endpoint if not required for operations. Use network policies to prevent the jshERP server from initiating outbound connections to internal services (e.g., database servers, caches). Enforce strong multi-factor authentication on all admin accounts. Audit admin activity logs closely. Monitor for SSRF signatures in outbound traffic. These controls reduce exploitability but do not eliminate the vulnerability—patching is the definitive solution.

Why hasn't the vendor released a patch yet?

The vendor was notified early via issue report but has not acknowledged or responded as of the modification date. This could indicate delayed response times, prioritization of other work, or development challenges. Contact the vendor directly for an estimated patch timeline and consider using alternative products or vendors if response times are consistently slow for critical security issues.

This analysis is provided for informational purposes and reflects publicly available information as of the modification date (2026-06-17). CVSS scores and vulnerability classifications are based on vendor-supplied data and may be updated as new information emerges. No exploit code, weaponized proof-of-concept, or detailed attack steps are provided herein. Organizations should verify patch availability and version numbers against official vendor advisories before implementing any remediation. SEC.co does not warrant the accuracy, completeness, or timeliness of vulnerability data and recommends consulting vendor security bulletins and security.jshERP.com for authoritative guidance. All remediation guidance should be validated in a controlled test environment prior to production deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).