Submit #785855: HummerRisk 1.5.0 Injectioninfo

TitleHummerRisk 1.5.0 Injection
DescriptionThe application allows administrators to configure media servers through a REST API endpoint. The streamIp parameter, which specifies the IP address of the media server for streaming purposes, is accepted without validation and stored directly in the database. Later, when users download cloud recordings, the application retrieves the stored MediaServer configuration and uses the streamIp value to construct an HTTP URL for downloading video files. This URL is then passed to the OkHttp client which makes the actual HTTP request without any validation, enabling SSRF attacks.
Source⚠️ https://github.com/ccccccctiiiiiiii-lab/public_exp/issues/1
User
 cccccccti (UID 96695)
Submission03/23/2026 03:09 (4 months ago)
Moderation04/13/2026 15:39 (21 days later)
StatusAccepted
VulDB entry357141 [HummerRisk up to 1.5.0 Video File Download URL ServerService.java ServerService.addServer streamIp server-side request forgery]
Points20

Interested in the pricing of exploits?

See the underground prices here!