PatchSiren cyber security CVE debrief
CVE-2026-16222 1Panel-dev CVE debrief
A server-side request forgery vulnerability was found in 1Panel-dev CordysCRM up to 1.4.1. The issue affects the processing of the file backend/crm/src/main/java/cn/cordys/crm/integration/sso/service/TokenService.java. Performing a manipulation of the argument mkAddress results in server-side request forgery. The attack may be initiated remotely. This vulnerability has a CVSS score of 2.1 and is considered Low severity.
- Vendor
- 1Panel-dev
- Product
- CordysCRM
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-19
- Original CVE updated
- 2026-07-19
- Advisory published
- 2026-07-19
- Advisory updated
- 2026-07-19
Who should care
Security teams and administrators responsible for 1Panel-dev CordysCRM installations should be aware of this vulnerability and take necessary actions to mitigate the risk. This includes verifying the version of 1Panel-dev CordysCRM and applying patches or updates if necessary, restricting access to the affected file and argument, and monitoring for suspicious activity and implementing compensating controls.
Technical summary
The vulnerability is caused by a manipulation of the argument mkAddress in the TokenService.java file, leading to server-side request forgery. The attack may be initiated remotely. The vulnerability has a CVSS score of 2.1 and is considered Low severity. Security teams and administrators responsible for 1Panel-dev CordysCRM installations should be aware of this vulnerability and take necessary actions to mitigate the risk.
Defensive priority
Low priority due to CVSS score of 2.1.
Recommended defensive actions
- Verify the version of 1Panel-dev CordysCRM and apply patches or updates if necessary.
- Restrict access to the affected file and argument.
- Monitor for suspicious activity and implement compensating controls.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-19T08:16:42.620Z and has not been modified since then. The NVD entry is currently Received. The vulnerability affects 1Panel-dev CordysCRM up to 1.4.1, and the issue is related to server-side request forgery. The attack may be initiated remotely. Evidence is limited to CVE and NVD details.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-19T08:16:42.620Z and has not been modified since then. The NVD entry is currently Received.