Platform: other
Component: qingdaou-onlinejudge
Fixed in: 1.6.1, 1.6.2
A server-side request forgery (SSRF) vulnerability has been identified in QingdaoU OnlineJudge versions 1.6.0 through 1.6.1. This flaw resides within the JudgeServer.service_url endpoint, allowing attackers to potentially manipulate server-side requests. Successful exploitation could lead to unauthorized access or data exposure. The vulnerability was publicly disclosed on 2026-04-05, and a fix is currently unavailable.
The SSRF vulnerability in QingdaoU OnlineJudge allows an attacker to craft malicious requests that appear to originate from the server itself. This can be leveraged to access internal resources that are not directly accessible from the outside world. For example, an attacker could potentially scan internal networks, access sensitive configuration files, or even interact with other internal services. The blast radius extends to any internal resources accessible via HTTP/HTTPS from the vulnerable server. While no immediate exploitation patterns are evident, SSRF vulnerabilities often serve as a stepping stone for further attacks, such as internal reconnaissance and privilege escalation.
This vulnerability was publicly disclosed on 2026-04-05. The vendor, QingdaoU, was contacted but did not respond. There are currently no publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog as of this writing. The probability of exploitation is currently assessed as low, but this could change if a public exploit is released.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
Due to the lack of a vendor-supplied patch, immediate mitigation strategies are crucial. Implement strict network segmentation to limit the server's access to internal resources. Configure a Web Application Firewall (WAF) to filter outbound requests and block suspicious patterns associated with SSRF attacks. Specifically, WAF rules should be configured to validate and sanitize the service_url parameter. Regularly monitor server logs for unusual outbound connections or requests. Consider temporarily disabling the JudgeServer.service_url endpoint if it is not essential for core functionality.
It is recommended to update to a patched version of QingdaoU OnlineJudge that addresses the server-side request forgery (SSRF) vulnerability in the judge_server_heartbeat endpoint. Contact the vendor for information on patched versions and upgrade steps. As the vendor has not responded, it is recommended to investigate the source code to mitigate the vulnerability.
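The mitigation above calls for validating the service_url value before the server ever makes a request to it. The following is an added example of such a check, written here for this page and not taken from the OnlineJudge code base. It assumes that operators know the network ranges and port their judge servers live on (the constructed values ALLOWED_JUDGE_NETWORKS and ALLOWED_PORTS below) and refuses any URL whose host, after resolving every DNS answer, falls outside those ranges; loopback, link-local (including the cloud metadata range) and public addresses are therefore rejected. The validate_service_url and is_safe_service_url names are this example's own.

```python
"""Allowlist-based validation for a judge-server callback URL.

Added example, not OnlineJudge project code. The networks and port are
constructed placeholders that an operator would replace with real values.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: judge servers are deployed only in these networks and listen on
# this port. Anything else (loopback, link-local such as 169.254.169.254,
# public hosts, other internal subnets) is refused.
ALLOWED_JUDGE_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
ALLOWED_PORTS = {8080}
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeServiceUrl(ValueError):
    """Raised when a service_url value fails validation."""


def _resolve(host):
    """Return every IPv4 address a hostname resolves to (all must be checked)."""
    _, _, addrs = socket.gethostbyname_ex(host)
    return addrs


def validate_service_url(url, resolve=_resolve):
    """Return the URL unchanged if it is safe to contact, else raise."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeServiceUrl(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise UnsafeServiceUrl("credentials in URL not allowed")
    if parts.query or parts.fragment:
        raise UnsafeServiceUrl("query or fragment not allowed in a base URL")
    host = parts.hostname
    if not host:
        raise UnsafeServiceUrl("missing host")
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        raise UnsafeServiceUrl("malformed port")
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise UnsafeServiceUrl(f"port {port} not allowed")

    # A literal IP is checked directly; a hostname is resolved and every
    # answer is checked, so a name mixing allowed and disallowed addresses
    # (a common SSRF trick) is rejected rather than partially trusted.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    for addr in addrs:
        if not any(addr in net for net in ALLOWED_JUDGE_NETWORKS):
            raise UnsafeServiceUrl(
                f"{host} resolves to {addr}, outside the judge networks")
    return parts.geturl()


def is_safe_service_url(url, resolve=_resolve):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_service_url(url, resolve=resolve)
        return True
    except UnsafeServiceUrl:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable base URL, three that are not.
    for candidate in ["http://10.20.0.5:8080/",
                      "http://127.0.0.1:8080/",
                      "http://169.254.169.254:8080/latest/",
                      "http://user:pw@10.20.0.5:8080/"]:
        print(candidate, "->", is_safe_service_url(candidate))
```

The resolver is injectable so the check can be unit-tested offline. Note that validating at registration time does not by itself stop DNS rebinding: the address a hostname resolves to when the check runs can differ from the one used when the heartbeat request is later sent, so the request code should connect to the validated address (or re-run this check immediately before each outbound call) rather than re-resolving the name blindly.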
CVE-2026-5538 is a server-side request forgery vulnerability affecting QingdaoU OnlineJudge versions 1.6.0–1.6.1. It allows attackers to forge requests from the server, potentially accessing internal resources.
If you are running QingdaoU OnlineJudge version 1.6.0 or 1.6.1, you are potentially affected by this SSRF vulnerability. Immediate mitigation steps are recommended.
Unfortunately, a vendor patch is not currently available. Mitigation focuses on WAF rules, network segmentation, and disabling the vulnerable endpoint until a fix is released.
As of now, there are no confirmed reports of active exploitation. However, the vulnerability is publicly known, and exploitation is possible.
The vendor, QingdaoU, has not released an official advisory for this vulnerability. Monitor their website and security mailing lists for updates.