CVE-2026-3189 identifies a server-side request forgery (SSRF) vulnerability in the feiyuchuixue sz-boot-parent software, specifically affecting versions up to 1.3.2-beta. The vulnerability exists in the /api/admin/common/files/download endpoint, where the 'url' parameter is insufficiently validated, allowing an attacker to craft requests that cause the server to make unintended HTTP or HTTPS requests to arbitrary locations. SSRF vulnerabilities can be leveraged to access internal systems, bypass firewalls, or perform reconnaissance on internal networks. However, in this case, the exploitability is rated as difficult due to the complexity of crafting a successful attack and the requirement for low-level privileges (PR:L). The vendor responded professionally by releasing version 1.3.3-beta, which introduces a URL protocol whitelist that restricts allowed protocols to http and https, effectively mitigating the vulnerability. The CVSS 4.0 vector indicates network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:N, VA:N). No known exploits have been reported in the wild, and the vulnerability was responsibly disclosed and patched promptly.

The primary impact of this SSRF vulnerability is the potential for attackers to make unauthorized requests from the vulnerable server to internal or external systems. This can lead to information disclosure about internal network infrastructure or access to otherwise inaccessible resources. However, the impact is limited by the high complexity of exploitation and the vendor's mitigation measures. Since the vulnerability requires low privileges and no user interaction, it could be leveraged by authenticated users with limited access, potentially elevating their ability to perform reconnaissance or pivot attacks. The low CVSS score reflects the limited confidentiality, integrity, and availability impacts. Organizations running affected versions may face risks of internal network exposure or indirect attacks on internal services if the vulnerability is exploited. However, no direct code execution or data modification is indicated, limiting the severity of the threat.

Organizations should upgrade feiyuchuixue sz-boot-parent to version 1.3.3-beta or later, which includes a patch enforcing a strict URL protocol whitelist allowing only http and https protocols. Until the upgrade can be applied, administrators should implement network-level controls to restrict outbound HTTP/HTTPS requests from the application server to only trusted destinations. Additionally, review and restrict access to the /api/admin/common/files/download endpoint to trusted and authenticated users only. Employ application-layer firewalls or web application firewalls (WAFs) to detect and block suspicious SSRF patterns targeting the vulnerable parameter. Conduct thorough logging and monitoring of outbound requests from the server to detect anomalous behavior indicative of SSRF exploitation attempts. Finally, perform regular security assessments and code reviews to identify and remediate similar input validation weaknesses.