CVE-2026-4955
Shenzhen Ruiming Technology Streamax Crocus OperateStatistic.do SQL injection
Vexday Risk Score
33 · Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 6.9 · EPSS 0.3% · KEV no · PoC public · Nuclei — · Metasploit — · Patch —
Lifecycle
27 Mar 2026: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. This impacts an unknown function of the file /OperateStatistic.do. The manipulation of the argument VehicleID results in SQL injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Affected products
Shenzhen Ruiming Technology · Streamax Crocus
Public PoCs found: 1
cve_reference: my.feishu.cn/docx/C16HdO89zo9OCrxn5B2c8bTqnvb?from=from_copylink (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.