CVE-2026-5538 MEDIUM

CVE-2026-5538: QingdaoU OnlineJudge judge_server_heartbeat Endpoint JudgeServer.service_url server-side request forgery

Vendor Qingdaou
Product OnlineJudge
Weakness CWE-918 · SSRF
Published April 5, 2026
Last update April 6, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

What the vulnerability does

01Description

A vulnerability was detected in QingdaoU OnlineJudge up to 1.6.1. Affected by this issue is the function service_url of the file JudgeServer.service_url of the component judge_server_heartbeat Endpoint. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

April 5, 2026 CVE published
April 6, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-33399 Wallos: SSRF Bypass - Incomplete Fix for CVE-2026-30839/30840 CVE-2026-2455 SSRF bypass via IPv4-mapped IPv6 literals CVE-2024-27949 WordPress Sirv plugin <= 7.2.0 - Server Side Request Forgery (SSRF) vulnerability CVE-2025-28963 WordPress URL Shortener plugin <= 3.0.7 - Server Side Request Forgery (SSRF) Vulnerability CVE-2026-43879 WWBN AVideo: Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass