Search criteria
8 vulnerabilities found for JEEWMS by erzhongxmu
CVE-2026-3028 (GCVE-0-2026-3028)
Vulnerability from nvd – Published: 2026-02-23 21:32 – Updated: 2026-02-23 21:32
VLAI?
Title
erzhongxmu JEEWMS JeecgListDemoController.java doAdd cross site scripting
Summary
A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| erzhongxmu | JEEWMS |
Affected:
3.0
Affected: 3.1 Affected: 3.2 Affected: 3.3 Affected: 3.4 Affected: 3.5 Affected: 3.6 Affected: 3.7 cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
din4 (VulDB User)
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"product": "JEEWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"status": "affected",
"version": "3.1"
},
{
"status": "affected",
"version": "3.2"
},
{
"status": "affected",
"version": "3.3"
},
{
"status": "affected",
"version": "3.4"
},
{
"status": "affected",
"version": "3.5"
},
{
"status": "affected",
"version": "3.6"
},
{
"status": "affected",
"version": "3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "din4 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T21:32:08.463Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347384 | erzhongxmu JEEWMS JeecgListDemoController.java doAdd cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.347384"
},
{
"name": "VDB-347384 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347384"
},
{
"name": "Submit #756527 | erzhongxmu JEEWMS \u22643.7 Reflected XSS",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.756527"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/JEEWMS-Stored-Cross-Site-Scripting-XSS-in-SysModule-304ea92a3c418099bed7f1e0bca12d83"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-23T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-23T15:10:32.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JEEWMS JeecgListDemoController.java doAdd cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3028",
"datePublished": "2026-02-23T21:32:08.463Z",
"dateReserved": "2026-02-23T14:05:23.655Z",
"dateUpdated": "2026-02-23T21:32:08.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3027 (GCVE-0-2026-3027)
Vulnerability from nvd – Published: 2026-02-23 21:02 – Updated: 2026-02-23 21:02
VLAI?
Title
erzhongxmu JEEWMS UEditor getContent.jsp cross site scripting
Summary
A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| erzhongxmu | JEEWMS |
Affected:
3.0
Affected: 3.1 Affected: 3.2 Affected: 3.3 Affected: 3.4 Affected: 3.5 Affected: 3.6 Affected: 3.7 cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
din4 (VulDB User)
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"modules": [
"UEditor"
],
"product": "JEEWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"status": "affected",
"version": "3.1"
},
{
"status": "affected",
"version": "3.2"
},
{
"status": "affected",
"version": "3.3"
},
{
"status": "affected",
"version": "3.4"
},
{
"status": "affected",
"version": "3.5"
},
{
"status": "affected",
"version": "3.6"
},
{
"status": "affected",
"version": "3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "din4 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T21:02:08.183Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347383 | erzhongxmu JEEWMS UEditor getContent.jsp cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.347383"
},
{
"name": "VDB-347383 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347383"
},
{
"name": "Submit #756523 | erzhongxmu JEEWMS \u003c= 3.7 Reflected XSS",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.756523"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/JEEWMS-Reflected-XSS-Vulnerability-in-UEditor-Module-304ea92a3c41806a97ffc9b707f2fbf0"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-23T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-23T15:10:30.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JEEWMS UEditor getContent.jsp cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3027",
"datePublished": "2026-02-23T21:02:08.183Z",
"dateReserved": "2026-02-23T14:05:20.948Z",
"dateUpdated": "2026-02-23T21:02:08.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3026 (GCVE-0-2026-3026)
Vulnerability from nvd – Published: 2026-02-23 20:02 – Updated: 2026-02-23 20:02
VLAI?
Title
erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery
Summary
A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| erzhongxmu | JEEWMS |
Affected:
3.7
cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
din4 (VulDB User)
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"modules": [
"UEditor"
],
"product": "JEEWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "din4 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T20:02:09.909Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347382 | erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.347382"
},
{
"name": "VDB-347382 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347382"
},
{
"name": "Submit #756522 | erzhongxmu JEEWMS \u22643.7 Server-Side Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.756522"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/JEEWMS-SSRF-Vulnerability-in-UEditor-Module-304ea92a3c41806782b1f7285ab0d580"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-23T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-23T15:11:02.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3026",
"datePublished": "2026-02-23T20:02:09.909Z",
"dateReserved": "2026-02-23T14:05:13.898Z",
"dateUpdated": "2026-02-23T20:02:09.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11251 (GCVE-0-2024-11251)
Vulnerability from nvd – Published: 2024-11-15 18:00 – Updated: 2024-11-19 16:11
VLAI?
Title
erzhongxmu Jeewms AuthInterceptor cgReportController.do sql injection
Summary
A vulnerability was found in erzhongxmu Jeewms up to 20241108. It has been rated as critical. This issue affects some unknown processing of the file cgReportController.do of the component AuthInterceptor. The manipulation of the argument begin_date leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. Other parameters might be affected as well.
Severity ?
6.3 (Medium)
6.3 (Medium)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| erzhongxmu | Jeewms |
Affected:
20241108
|
Credits
VulDB Gitee Analyzer
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:erzhongxmu:jeewms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jeewms",
"vendor": "erzhongxmu",
"versions": [
{
"lessThanOrEqual": "20241108",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11251",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T16:10:24.708428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T16:11:57.733Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"AuthInterceptor"
],
"product": "Jeewms",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "20241108"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "VulDB Gitee Analyzer"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in erzhongxmu Jeewms up to 20241108. It has been rated as critical. This issue affects some unknown processing of the file cgReportController.do of the component AuthInterceptor. The manipulation of the argument begin_date leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. Other parameters might be affected as well."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in erzhongxmu Jeewms bis 20241108 ausgemacht. Sie wurde als kritisch eingestuft. Dies betrifft einen unbekannten Teil der Datei cgReportController.do der Komponente AuthInterceptor. Durch das Manipulieren des Arguments begin_date mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Dieses Produkt setzt Rolling Releases ein. Aus diesem Grund sind Details zu betroffenen oder zu aktualisierende Versionen nicht verf\u00fcgbar."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T18:00:12.868Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-284687 | erzhongxmu Jeewms AuthInterceptor cgReportController.do sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.284687"
},
{
"name": "VDB-284687 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.284687"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://gitee.com/erzhongxmu/JEEWMS/issues/IB2XZG"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-15T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-11-15T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-11-15T10:04:05.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu Jeewms AuthInterceptor cgReportController.do sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-11251",
"datePublished": "2024-11-15T18:00:12.868Z",
"dateReserved": "2024-11-15T08:57:19.277Z",
"dateUpdated": "2024-11-19T16:11:57.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-3028 (GCVE-0-2026-3028)
Vulnerability from cvelistv5 – Published: 2026-02-23 21:32 – Updated: 2026-02-23 21:32
VLAI?
Title
erzhongxmu JEEWMS JeecgListDemoController.java doAdd cross site scripting
Summary
A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| erzhongxmu | JEEWMS |
Affected:
3.0
Affected: 3.1 Affected: 3.2 Affected: 3.3 Affected: 3.4 Affected: 3.5 Affected: 3.6 Affected: 3.7 cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
din4 (VulDB User)
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"product": "JEEWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"status": "affected",
"version": "3.1"
},
{
"status": "affected",
"version": "3.2"
},
{
"status": "affected",
"version": "3.3"
},
{
"status": "affected",
"version": "3.4"
},
{
"status": "affected",
"version": "3.5"
},
{
"status": "affected",
"version": "3.6"
},
{
"status": "affected",
"version": "3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "din4 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T21:32:08.463Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347384 | erzhongxmu JEEWMS JeecgListDemoController.java doAdd cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.347384"
},
{
"name": "VDB-347384 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347384"
},
{
"name": "Submit #756527 | erzhongxmu JEEWMS \u22643.7 Reflected XSS",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.756527"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/JEEWMS-Stored-Cross-Site-Scripting-XSS-in-SysModule-304ea92a3c418099bed7f1e0bca12d83"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-23T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-23T15:10:32.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JEEWMS JeecgListDemoController.java doAdd cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3028",
"datePublished": "2026-02-23T21:32:08.463Z",
"dateReserved": "2026-02-23T14:05:23.655Z",
"dateUpdated": "2026-02-23T21:32:08.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3027 (GCVE-0-2026-3027)
Vulnerability from cvelistv5 – Published: 2026-02-23 21:02 – Updated: 2026-02-23 21:02
VLAI?
Title
erzhongxmu JEEWMS UEditor getContent.jsp cross site scripting
Summary
A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| erzhongxmu | JEEWMS |
Affected:
3.0
Affected: 3.1 Affected: 3.2 Affected: 3.3 Affected: 3.4 Affected: 3.5 Affected: 3.6 Affected: 3.7 cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
din4 (VulDB User)
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"modules": [
"UEditor"
],
"product": "JEEWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"status": "affected",
"version": "3.1"
},
{
"status": "affected",
"version": "3.2"
},
{
"status": "affected",
"version": "3.3"
},
{
"status": "affected",
"version": "3.4"
},
{
"status": "affected",
"version": "3.5"
},
{
"status": "affected",
"version": "3.6"
},
{
"status": "affected",
"version": "3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "din4 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T21:02:08.183Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347383 | erzhongxmu JEEWMS UEditor getContent.jsp cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.347383"
},
{
"name": "VDB-347383 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347383"
},
{
"name": "Submit #756523 | erzhongxmu JEEWMS \u003c= 3.7 Reflected XSS",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.756523"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/JEEWMS-Reflected-XSS-Vulnerability-in-UEditor-Module-304ea92a3c41806a97ffc9b707f2fbf0"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-23T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-23T15:10:30.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JEEWMS UEditor getContent.jsp cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3027",
"datePublished": "2026-02-23T21:02:08.183Z",
"dateReserved": "2026-02-23T14:05:20.948Z",
"dateUpdated": "2026-02-23T21:02:08.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3026 (GCVE-0-2026-3026)
Vulnerability from cvelistv5 – Published: 2026-02-23 20:02 – Updated: 2026-02-23 20:02
VLAI?
Title
erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery
Summary
A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| erzhongxmu | JEEWMS |
Affected:
3.7
cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
din4 (VulDB User)
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"modules": [
"UEditor"
],
"product": "JEEWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "din4 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T20:02:09.909Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347382 | erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.347382"
},
{
"name": "VDB-347382 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347382"
},
{
"name": "Submit #756522 | erzhongxmu JEEWMS \u22643.7 Server-Side Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.756522"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/JEEWMS-SSRF-Vulnerability-in-UEditor-Module-304ea92a3c41806782b1f7285ab0d580"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-23T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-23T15:11:02.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3026",
"datePublished": "2026-02-23T20:02:09.909Z",
"dateReserved": "2026-02-23T14:05:13.898Z",
"dateUpdated": "2026-02-23T20:02:09.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11251 (GCVE-0-2024-11251)
Vulnerability from cvelistv5 – Published: 2024-11-15 18:00 – Updated: 2024-11-19 16:11
VLAI?
Title
erzhongxmu Jeewms AuthInterceptor cgReportController.do sql injection
Summary
A vulnerability was found in erzhongxmu Jeewms up to 20241108. It has been rated as critical. This issue affects some unknown processing of the file cgReportController.do of the component AuthInterceptor. The manipulation of the argument begin_date leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. Other parameters might be affected as well.
Severity ?
6.3 (Medium)
6.3 (Medium)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| erzhongxmu | Jeewms |
Affected:
20241108
|
Credits
VulDB Gitee Analyzer
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:erzhongxmu:jeewms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jeewms",
"vendor": "erzhongxmu",
"versions": [
{
"lessThanOrEqual": "20241108",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11251",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T16:10:24.708428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T16:11:57.733Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"AuthInterceptor"
],
"product": "Jeewms",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "20241108"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "VulDB Gitee Analyzer"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in erzhongxmu Jeewms up to 20241108. It has been rated as critical. This issue affects some unknown processing of the file cgReportController.do of the component AuthInterceptor. The manipulation of the argument begin_date leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. Other parameters might be affected as well."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in erzhongxmu Jeewms bis 20241108 ausgemacht. Sie wurde als kritisch eingestuft. Dies betrifft einen unbekannten Teil der Datei cgReportController.do der Komponente AuthInterceptor. Durch das Manipulieren des Arguments begin_date mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Dieses Produkt setzt Rolling Releases ein. Aus diesem Grund sind Details zu betroffenen oder zu aktualisierende Versionen nicht verf\u00fcgbar."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T18:00:12.868Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-284687 | erzhongxmu Jeewms AuthInterceptor cgReportController.do sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.284687"
},
{
"name": "VDB-284687 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.284687"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://gitee.com/erzhongxmu/JEEWMS/issues/IB2XZG"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-15T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-11-15T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-11-15T10:04:05.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu Jeewms AuthInterceptor cgReportController.do sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-11251",
"datePublished": "2024-11-15T18:00:12.868Z",
"dateReserved": "2024-11-15T08:57:19.277Z",
"dateUpdated": "2024-11-19T16:11:57.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}