SSRF in Qingdaou Onlinejudge
CVE-2026-5538
A vulnerability was detected in QingdaoU OnlineJudge up to 1.6.1. Affected by this issue is the function service_url of the file JudgeServer.service_url of the component judge_server_heartbeat Endpoint. The manipulation results in server-s…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.000 (13.7th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 6.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R.
Affected products
- Qingdaou Onlinejudge — versions 1.6.0, 1.6.1
Weakness classification (CWE)
References
- VDB-355291 | QingdaoU OnlineJudge judge_server_heartbeat Endpoint JudgeServer.service_url server-side request forgery (vdb-entry, technical-description)
- VDB-355291 | CTI Indicators (IOB, IOC, IOA) (signature, permissions-required)
- Submit #782203 | QingdaoU OnlineJudge <=v1.6.1 Stored SSRF (third-party-advisory)
- github.com/AnalogyC0de/public_exp/issues/27 (issue-tracking)
Frequently asked questions
- What is CVE-2026-5538?
- CVE-2026-5538 is a medium-severity vulnerability in Qingdaou Onlinejudge, classified under Server-Side Request Forgery (SSRF). CVSS score: 6.3/10. Published 2026-04-05.
- How severe is CVE-2026-5538?
- Medium severity. CVSS v3 base score is 6.3 out of 10.