CVE-2026-16222 | 1Panel-dev CordysCRM up to 1.4.1 Third Party Endpoint TokenService.java mkAddress server-side request forgery (2685/2686)
A vulnerability classified as critical has been found in 1Panel-dev CordysCRM up to 1.4.1. This issue affects some unknown processing of the file backend/crm/src/main/java/cn/cordys/crm/integration/sso/service/TokenService.java of the component Third Party Endpoint. Performing a manipulation of the argument mkAddress results in server-side request forgery.
This vulnerability was named CVE-2026-16222. The attack may be initiated remotely. In addition, an exploit is available.
The project closed the issue report, stating that this is not the official way to report a security vulnerability.VulDB Recent EntriesRead More