CVE-2026-4910: SQL Injection in Shenzhen Ruiming Technology Streamax Crocus
CVE-2026-4910 is a medium severity SQL injection vulnerability in Shenzhen Ruiming Technology Streamax Crocus versions up to 1. 3. 44. The vulnerability exists in an unknown function within the /RemoteFormat. do file of the Endpoint component, where manipulation of the 'State' argument allows remote attackers to perform SQL injection. The vulnerability has been publicly disclosed, but the vendor has not responded or provided a patch. No known exploits are reported in the wild at this time.
AI Analysis
Technical Summary
This vulnerability involves SQL injection in the Streamax Crocus product by Shenzhen Ruiming Technology, affecting all versions up to 1.3.44. The injection point is in the /RemoteFormat.do file's Endpoint component, specifically via the 'State' parameter. The flaw allows remote unauthenticated attackers to manipulate SQL queries, potentially leading to unauthorized data access or modification. The CVSS 4.0 base score is 6.9, indicating medium severity. The vendor has not issued any patch or advisory, and no official remediation is currently available.
Potential Impact
Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data disclosure, alteration, or deletion. However, the CVSS vector indicates low to limited impact on confidentiality, integrity, and availability, and no known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vendor has not responded or provided a fix, organizations should consider implementing compensating controls such as input validation, web application firewalls (WAFs) to detect and block SQL injection attempts, and restricting access to the vulnerable endpoint where possible until an official patch is released.
CVE-2026-4910: SQL Injection in Shenzhen Ruiming Technology Streamax Crocus
Description
CVE-2026-4910 is a medium severity SQL injection vulnerability in Shenzhen Ruiming Technology Streamax Crocus versions up to 1. 3. 44. The vulnerability exists in an unknown function within the /RemoteFormat. do file of the Endpoint component, where manipulation of the 'State' argument allows remote attackers to perform SQL injection. The vulnerability has been publicly disclosed, but the vendor has not responded or provided a patch. No known exploits are reported in the wild at this time.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves SQL injection in the Streamax Crocus product by Shenzhen Ruiming Technology, affecting all versions up to 1.3.44. The injection point is in the /RemoteFormat.do file's Endpoint component, specifically via the 'State' parameter. The flaw allows remote unauthenticated attackers to manipulate SQL queries, potentially leading to unauthorized data access or modification. The CVSS 4.0 base score is 6.9, indicating medium severity. The vendor has not issued any patch or advisory, and no official remediation is currently available.
Potential Impact
Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data disclosure, alteration, or deletion. However, the CVSS vector indicates low to limited impact on confidentiality, integrity, and availability, and no known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vendor has not responded or provided a fix, organizations should consider implementing compensating controls such as input validation, web application firewalls (WAFs) to detect and block SQL injection attempts, and restricting access to the vulnerable endpoint where possible until an official patch is released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-03-26T16:10:45.133Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69c66dbb3c064ed76fa122ef
Added to database: 3/27/2026, 11:44:59 AM
Last enriched: 4/3/2026, 1:28:23 PM
Last updated: 5/8/2026, 9:34:13 AM
Views: 90
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.