CVE-2026-1062

6.3 MEDIUM

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in xiweicheng TMS up to and including version 2.28.0. An attacker can manipulate a URL parameter so that the server issues requests to internal systems on the attacker's behalf. Organizations running affected versions of this TMS software are exposed to exploitation.

💻 Affected Systems

Products:
  • xiweicheng TMS
Versions: Up to and including 2.28.0
Operating Systems: Any OS running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Summary function of the HtmlUtil.java component. Any deployment running a vulnerable version is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, exfiltrate sensitive data, or pivot to other internal systems through the vulnerable server.

🟠 Likely Case

Information disclosure from internal services, potential credential theft from metadata services, or scanning of internal networks.

🟢 If Mitigated

Limited impact with proper network segmentation and egress filtering, though some information disclosure may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in GitHub repositories. Remote exploitation is possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check for vendor updates or patches for xiweicheng TMS.
2. Upgrade to a version above 2.28.0 if available.
3. Restart the application after patching.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platform: all

Implement strict validation of URL parameters in the HtmlUtil.java Summary function.

Modify src/main/java/com/lhjz/portal/util/HtmlUtil.java to validate URL parameters.
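The workaround above does not say what the validation should check. As an added example (not code from the TMS project and not a patch to HtmlUtil.java), the following guard, with an assumed class name, method name and constructed sample URLs, shows the checks a Summary-style fetcher would run before making any outbound request: allowed scheme only, no embedded credentials, and a resolved destination that is not a loopback, link-local (including the cloud metadata address), private or reserved address.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;
// Hypothetical guard, not the TMS project's code: validate first, then connect to the returned address.
public final class SsrfUrlGuard {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    /** Returns the address to connect to, or throws IllegalArgumentException if the URL is unsafe. */
    public static InetAddress validate(String rawUrl) {
        URI uri;
        try {
            uri = new URI(rawUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }
        if (uri.getHost() == null || uri.getUserInfo() != null) {
            throw new IllegalArgumentException("host missing or credentials embedded in URL");
        }
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(uri.getHost());
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("host does not resolve", e);
        }
        // Rejects 127/8, ::1, 169.254/16 (cloud metadata), 10/8, 172.16/12, 192.168/16,
        // fec0::/10, 0.0.0.0 and multicast. Java's predicates miss some ranges (e.g.
        // 100.64.0.0/10, IPv6 ULA fc00::/7), so prefer a destination allowlist in production.
        for (InetAddress a : addrs) {
            if (a.isLoopbackAddress() || a.isLinkLocalAddress() || a.isSiteLocalAddress()
                    || a.isAnyLocalAddress() || a.isMulticastAddress()) {
                throw new IllegalArgumentException("private or reserved destination: " + a.getHostAddress());
            }
        }
        // Connect to this resolved address (not the hostname again) so a DNS rebind cannot
        // swap in an internal IP after the check; re-validate every HTTP redirect hop too.
        return addrs[0];
    }
    public static void main(String[] args) { // constructed sample URLs; literal IPs need no DNS
        for (String u : new String[] {"http://203.0.113.10/report",
                "http://169.254.169.254/latest/meta-data/", "http://127.0.0.1:8080/admin", "file:///etc/passwd"}) {
            try { System.out.println("ALLOW " + u + " -> " + validate(u).getHostAddress()); }
            catch (IllegalArgumentException e) { System.out.println("BLOCK " + u + " (" + e.getMessage() + ")"); }
        }
    }
}
```

Running main prints ALLOW for the first URL and BLOCK for the other three; the HTTP client that consumes the returned address must also have automatic redirect following disabled, or each redirect target must go through validate() again.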

Network Egress Filtering

Platform: linux

Restrict outbound connections from the TMS server to only necessary destinations:

# Append ACCEPTs for required destinations first (<ALLOWED_DEST> is a placeholder); -A keeps rule order
iptables -A OUTPUT -p tcp -d <ALLOWED_DEST> --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block SSRF patterns
  • Isolate the TMS server in a restricted network segment with limited egress

🔍 How to Verify

Check if Vulnerable:

Check the version of xiweicheng TMS deployed. If version is 2.28.0 or lower, the system is vulnerable.

Check Version:

Check application configuration files or deployment manifests for version information

Verify Fix Applied:

Test the Summary function with SSRF payloads to confirm they are blocked or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from the TMS server
  • Requests to internal IP addresses or metadata services

Network Indicators:

  • HTTP requests from TMS server to unexpected internal destinations
  • Patterns of requests to cloud metadata endpoints

SIEM Query:

source_ip=TMS_SERVER AND (dest_ip=169.254.169.254 OR dest_ip=metadata.google.internal OR dest_ip IN [INTERNAL_RANGES])
