CVE-2026-4200 is a server-side request forgery vulnerability found in the glowxq-oj software, an online judge system developed by glowxq. The vulnerability exists in the uploadTestcaseZipUrl function within the ProblemCaseController.java source file. This function improperly handles user-supplied URLs when uploading test case ZIP files, allowing an attacker to craft malicious requests that cause the server to initiate HTTP requests to arbitrary destinations. SSRF vulnerabilities can be exploited to access internal services, bypass firewalls, or exfiltrate sensitive data. The flaw is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction needed, and limited impact on confidentiality, integrity, and availability. The vendor employs continuous delivery with rolling releases, complicating version tracking and patch management. Despite early notification, the vendor has not issued a response or patch, and public exploit code is available, which may facilitate attacks. No confirmed active exploitation has been reported yet, but the presence of public exploits elevates the threat level.

The SSRF vulnerability in glowxq-oj can have significant impacts on organizations using this software. Attackers can leverage the flaw to make the server send crafted requests to internal or external systems, potentially accessing sensitive internal resources that are not directly exposed to the internet. This can lead to unauthorized information disclosure, such as internal metadata services or private APIs. Additionally, SSRF can be used as a pivot point to conduct further attacks within the internal network, including scanning, lateral movement, or exploitation of other vulnerabilities. The lack of authentication and user interaction requirements means attackers can exploit the vulnerability remotely and anonymously. Although the CVSS score is medium, the real-world impact depends on the internal network architecture and the sensitivity of accessible resources. Organizations relying on glowxq-oj for critical online judge or educational services may face service disruption, data leakage, or reputational damage if exploited.

To mitigate CVE-2026-4200, organizations should implement strict input validation and sanitization on the uploadTestcaseZipUrl function to ensure that only trusted URLs or local resources are accepted. Employ allowlisting of domains or IP addresses to restrict outbound requests initiated by the server. Network-level controls such as egress filtering and firewall rules should be enforced to prevent the server from making unauthorized requests to internal or sensitive endpoints. Deploy web application firewalls (WAFs) with rules to detect and block SSRF attack patterns targeting this endpoint. Monitor logs for unusual outbound requests originating from the glowxq-oj server. Since the vendor has not provided patches, organizations should consider isolating the glowxq-oj service in a segmented network zone with minimal privileges and no access to sensitive internal systems. Regularly review and update dependencies and monitor for vendor updates or community patches. If possible, disable or restrict the uploadTestcaseZipUrl functionality until a secure fix is available.