Search
Find a vulnerability
Search criteria
12 vulnerabilities by erzhongxmu
CVE-2026-11458 (GCVE-0-2026-11458)
Vulnerability from nvd – Published: 2026-06-07 08:00 – Updated: 2026-06-08 16:33
VLAI
Title
erzhongxmu JeeWMS Boot Actuator Endpoint actuator information disclosure
Summary
A weakness has been identified in erzhongxmu JeeWMS up to 141740afb2ba14d441c82a833d0a418d07ca2d69. This issue affects some unknown processing of the file /base-boot/actuator of the component Boot Actuator Endpoint. Executing a manipulation can lead to information disclosure. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369077 | vdb-entry |
| https://vuldb.com/vuln/369077/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11458 | third-party-advisory |
| https://vuldb.com/submit/828538 | third-party-advisory |
| https://github.com/0d000721999/evc1/issues/2 | exploitissue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| erzhongxmu | JeeWMS |
Affected:
141740afb2ba14d441c82a833d0a418d07ca2d69
cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11458",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T14:15:31.630834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:33:24.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"modules": [
"Boot Actuator Endpoint"
],
"product": "JeeWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "141740afb2ba14d441c82a833d0a418d07ca2d69"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0d00 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in erzhongxmu JeeWMS up to 141740afb2ba14d441c82a833d0a418d07ca2d69. This issue affects some unknown processing of the file /base-boot/actuator of the component Boot Actuator Endpoint. Executing a manipulation can lead to information disclosure. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-07T08:00:10.756Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369077 | erzhongxmu JeeWMS Boot Actuator Endpoint actuator information disclosure",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/369077"
},
{
"name": "VDB-369077 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369077/cti"
},
{
"name": "CVE-2026-11458 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11458"
},
{
"name": "Submit #828538 | \u5e7f\u5dde\u534e\u58f9\u667a\u80fd\u79d1\u6280\u6709\u9650\u516c\u53f8 JEEWMS latest Unauthorized Sensitive Information Disclosure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/828538"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/0d000721999/evc1/issues/2"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T18:07:17.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JeeWMS Boot Actuator Endpoint actuator information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11458",
"datePublished": "2026-06-07T08:00:10.756Z",
"dateReserved": "2026-06-06T16:02:06.216Z",
"dateUpdated": "2026-06-08T16:33:24.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11457 (GCVE-0-2026-11457)
Vulnerability from nvd – Published: 2026-06-07 07:45 – Updated: 2026-06-09 14:37
VLAI
Title
erzhongxmu JeeWMS JimuReport test-connection Endpoint testConnection injection
Summary
A security flaw has been discovered in erzhongxmu JeeWMS up to 141740afb2ba14d441c82a833d0a418d07ca2d69. This vulnerability affects unknown code of the file /base-boot/jmreport/testConnection of the component JimuReport test-connection Endpoint. Performing a manipulation of the argument dbType/dbDriver/dbUrl/dbUsername/dbPassword results in injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369076 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369076/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11457 | third-party-advisory |
| https://vuldb.com/submit/828509 | third-party-advisory |
| https://github.com/0d000721999/evc1/issues/1 | exploitissue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| erzhongxmu | JeeWMS |
Affected:
141740afb2ba14d441c82a833d0a418d07ca2d69
cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11457",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:36:45.875634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:37:29.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"modules": [
"JimuReport test-connection Endpoint"
],
"product": "JeeWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "141740afb2ba14d441c82a833d0a418d07ca2d69"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0d00 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in erzhongxmu JeeWMS up to 141740afb2ba14d441c82a833d0a418d07ca2d69. This vulnerability affects unknown code of the file /base-boot/jmreport/testConnection of the component JimuReport test-connection Endpoint. Performing a manipulation of the argument dbType/dbDriver/dbUrl/dbUsername/dbPassword results in injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-707",
"description": "Improper Neutralization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-07T07:45:07.255Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369076 | erzhongxmu JeeWMS JimuReport test-connection Endpoint testConnection injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369076"
},
{
"name": "VDB-369076 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369076/cti"
},
{
"name": "CVE-2026-11457 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11457"
},
{
"name": "Submit #828509 | \u5e7f\u5dde\u534e\u58f9\u667a\u80fd\u79d1\u6280\u6709\u9650\u516c\u53f8 JeeWMS latest RCE",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/828509"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/0d000721999/evc1/issues/1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T18:07:14.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JeeWMS JimuReport test-connection Endpoint testConnection injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11457",
"datePublished": "2026-06-07T07:45:07.255Z",
"dateReserved": "2026-06-06T16:02:03.321Z",
"dateUpdated": "2026-06-09T14:37:29.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3028 (GCVE-0-2026-3028)
Vulnerability from nvd – Published: 2026-02-23 21:32 – Updated: 2026-02-25 15:28
VLAI
Title
erzhongxmu JEEWMS JeecgListDemoController.java doAdd cross site scripting
Summary
A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.347384 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.347384 | signaturepermissions-required |
| https://vuldb.com/?submit.756527 | third-party-advisory |
| https://www.notion.so/JEEWMS-Stored-Cross-Site-Sc… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| erzhongxmu | JEEWMS |
Affected:
3.0
Affected: 3.1 Affected: 3.2 Affected: 3.3 Affected: 3.4 Affected: 3.5 Affected: 3.6 Affected: 3.7 cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3028",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T15:27:33.709385Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T15:28:13.880Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"product": "JEEWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"status": "affected",
"version": "3.1"
},
{
"status": "affected",
"version": "3.2"
},
{
"status": "affected",
"version": "3.3"
},
{
"status": "affected",
"version": "3.4"
},
{
"status": "affected",
"version": "3.5"
},
{
"status": "affected",
"version": "3.6"
},
{
"status": "affected",
"version": "3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "din4 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T21:32:08.463Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347384 | erzhongxmu JEEWMS JeecgListDemoController.java doAdd cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.347384"
},
{
"name": "VDB-347384 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347384"
},
{
"name": "Submit #756527 | erzhongxmu JEEWMS \u22643.7 Reflected XSS",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.756527"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/JEEWMS-Stored-Cross-Site-Scripting-XSS-in-SysModule-304ea92a3c418099bed7f1e0bca12d83"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-23T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-23T15:10:32.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JEEWMS JeecgListDemoController.java doAdd cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3028",
"datePublished": "2026-02-23T21:32:08.463Z",
"dateReserved": "2026-02-23T14:05:23.655Z",
"dateUpdated": "2026-02-25T15:28:13.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3027 (GCVE-0-2026-3027)
Vulnerability from nvd – Published: 2026-02-23 21:02 – Updated: 2026-02-25 15:19
VLAI
Title
erzhongxmu JEEWMS UEditor getContent.jsp cross site scripting
Summary
A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.347383 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.347383 | signaturepermissions-required |
| https://vuldb.com/?submit.756523 | third-party-advisory |
| https://www.notion.so/JEEWMS-Reflected-XSS-Vulner… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| erzhongxmu | JEEWMS |
Affected:
3.0
Affected: 3.1 Affected: 3.2 Affected: 3.3 Affected: 3.4 Affected: 3.5 Affected: 3.6 Affected: 3.7 cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3027",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T15:18:36.654456Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T15:19:05.163Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"modules": [
"UEditor"
],
"product": "JEEWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"status": "affected",
"version": "3.1"
},
{
"status": "affected",
"version": "3.2"
},
{
"status": "affected",
"version": "3.3"
},
{
"status": "affected",
"version": "3.4"
},
{
"status": "affected",
"version": "3.5"
},
{
"status": "affected",
"version": "3.6"
},
{
"status": "affected",
"version": "3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "din4 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T21:02:08.183Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347383 | erzhongxmu JEEWMS UEditor getContent.jsp cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.347383"
},
{
"name": "VDB-347383 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347383"
},
{
"name": "Submit #756523 | erzhongxmu JEEWMS \u003c= 3.7 Reflected XSS",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.756523"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/JEEWMS-Reflected-XSS-Vulnerability-in-UEditor-Module-304ea92a3c41806a97ffc9b707f2fbf0"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-23T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-23T15:10:30.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JEEWMS UEditor getContent.jsp cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3027",
"datePublished": "2026-02-23T21:02:08.183Z",
"dateReserved": "2026-02-23T14:05:20.948Z",
"dateUpdated": "2026-02-25T15:19:05.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3026 (GCVE-0-2026-3026)
Vulnerability from nvd – Published: 2026-02-23 20:02 – Updated: 2026-02-25 15:04
VLAI
Title
erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery
Summary
A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.347382 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.347382 | signaturepermissions-required |
| https://vuldb.com/?submit.756522 | third-party-advisory |
| https://www.notion.so/JEEWMS-SSRF-Vulnerability-i… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| erzhongxmu | JEEWMS |
Affected:
3.7
cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3026",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T15:04:36.615175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T15:04:59.828Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"modules": [
"UEditor"
],
"product": "JEEWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "din4 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T20:02:09.909Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347382 | erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.347382"
},
{
"name": "VDB-347382 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347382"
},
{
"name": "Submit #756522 | erzhongxmu JEEWMS \u22643.7 Server-Side Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.756522"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/JEEWMS-SSRF-Vulnerability-in-UEditor-Module-304ea92a3c41806782b1f7285ab0d580"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-23T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-23T15:11:02.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3026",
"datePublished": "2026-02-23T20:02:09.909Z",
"dateReserved": "2026-02-23T14:05:13.898Z",
"dateUpdated": "2026-02-25T15:04:59.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11251 (GCVE-0-2024-11251)
Vulnerability from nvd – Published: 2024-11-15 18:00 – Updated: 2024-11-19 16:11
VLAI
Title
erzhongxmu Jeewms AuthInterceptor cgReportController.do sql injection
Summary
A vulnerability was found in erzhongxmu Jeewms up to 20241108. It has been rated as critical. This issue affects some unknown processing of the file cgReportController.do of the component AuthInterceptor. The manipulation of the argument begin_date leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. Other parameters might be affected as well.
Severity
6.3 (Medium)
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.284687 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.284687 | signaturepermissions-required |
| https://gitee.com/erzhongxmu/JEEWMS/issues/IB2XZG | exploitissue-tracking |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| erzhongxmu | Jeewms |
Affected:
20241108
|
|
| erzhongxmu | jeewms |
Affected:
0 , ≤ 20241108
(custom)
cpe:2.3:a:erzhongxmu:jeewms:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:erzhongxmu:jeewms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jeewms",
"vendor": "erzhongxmu",
"versions": [
{
"lessThanOrEqual": "20241108",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11251",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T16:10:24.708428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T16:11:57.733Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"AuthInterceptor"
],
"product": "Jeewms",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "20241108"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "VulDB Gitee Analyzer"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in erzhongxmu Jeewms up to 20241108. It has been rated as critical. This issue affects some unknown processing of the file cgReportController.do of the component AuthInterceptor. The manipulation of the argument begin_date leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. Other parameters might be affected as well."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in erzhongxmu Jeewms bis 20241108 ausgemacht. Sie wurde als kritisch eingestuft. Dies betrifft einen unbekannten Teil der Datei cgReportController.do der Komponente AuthInterceptor. Durch das Manipulieren des Arguments begin_date mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Dieses Produkt setzt Rolling Releases ein. Aus diesem Grund sind Details zu betroffenen oder zu aktualisierende Versionen nicht verf\u00fcgbar."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T18:00:12.868Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-284687 | erzhongxmu Jeewms AuthInterceptor cgReportController.do sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.284687"
},
{
"name": "VDB-284687 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.284687"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://gitee.com/erzhongxmu/JEEWMS/issues/IB2XZG"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-15T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-11-15T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-11-15T10:04:05.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu Jeewms AuthInterceptor cgReportController.do sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-11251",
"datePublished": "2024-11-15T18:00:12.868Z",
"dateReserved": "2024-11-15T08:57:19.277Z",
"dateUpdated": "2024-11-19T16:11:57.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-11458 (GCVE-0-2026-11458)
Vulnerability from cvelistv5 – Published: 2026-06-07 08:00 – Updated: 2026-06-08 16:33
VLAI
Title
erzhongxmu JeeWMS Boot Actuator Endpoint actuator information disclosure
Summary
A weakness has been identified in erzhongxmu JeeWMS up to 141740afb2ba14d441c82a833d0a418d07ca2d69. This issue affects some unknown processing of the file /base-boot/actuator of the component Boot Actuator Endpoint. Executing a manipulation can lead to information disclosure. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369077 | vdb-entry |
| https://vuldb.com/vuln/369077/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11458 | third-party-advisory |
| https://vuldb.com/submit/828538 | third-party-advisory |
| https://github.com/0d000721999/evc1/issues/2 | exploitissue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| erzhongxmu | JeeWMS |
Affected:
141740afb2ba14d441c82a833d0a418d07ca2d69
cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11458",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T14:15:31.630834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:33:24.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"modules": [
"Boot Actuator Endpoint"
],
"product": "JeeWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "141740afb2ba14d441c82a833d0a418d07ca2d69"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0d00 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in erzhongxmu JeeWMS up to 141740afb2ba14d441c82a833d0a418d07ca2d69. This issue affects some unknown processing of the file /base-boot/actuator of the component Boot Actuator Endpoint. Executing a manipulation can lead to information disclosure. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-07T08:00:10.756Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369077 | erzhongxmu JeeWMS Boot Actuator Endpoint actuator information disclosure",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/369077"
},
{
"name": "VDB-369077 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369077/cti"
},
{
"name": "CVE-2026-11458 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11458"
},
{
"name": "Submit #828538 | \u5e7f\u5dde\u534e\u58f9\u667a\u80fd\u79d1\u6280\u6709\u9650\u516c\u53f8 JEEWMS latest Unauthorized Sensitive Information Disclosure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/828538"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/0d000721999/evc1/issues/2"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T18:07:17.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JeeWMS Boot Actuator Endpoint actuator information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11458",
"datePublished": "2026-06-07T08:00:10.756Z",
"dateReserved": "2026-06-06T16:02:06.216Z",
"dateUpdated": "2026-06-08T16:33:24.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11457 (GCVE-0-2026-11457)
Vulnerability from cvelistv5 – Published: 2026-06-07 07:45 – Updated: 2026-06-09 14:37
VLAI
Title
erzhongxmu JeeWMS JimuReport test-connection Endpoint testConnection injection
Summary
A security flaw has been discovered in erzhongxmu JeeWMS up to 141740afb2ba14d441c82a833d0a418d07ca2d69. This vulnerability affects unknown code of the file /base-boot/jmreport/testConnection of the component JimuReport test-connection Endpoint. Performing a manipulation of the argument dbType/dbDriver/dbUrl/dbUsername/dbPassword results in injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369076 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369076/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11457 | third-party-advisory |
| https://vuldb.com/submit/828509 | third-party-advisory |
| https://github.com/0d000721999/evc1/issues/1 | exploitissue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| erzhongxmu | JeeWMS |
Affected:
141740afb2ba14d441c82a833d0a418d07ca2d69
cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11457",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:36:45.875634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:37:29.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"modules": [
"JimuReport test-connection Endpoint"
],
"product": "JeeWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "141740afb2ba14d441c82a833d0a418d07ca2d69"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0d00 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in erzhongxmu JeeWMS up to 141740afb2ba14d441c82a833d0a418d07ca2d69. This vulnerability affects unknown code of the file /base-boot/jmreport/testConnection of the component JimuReport test-connection Endpoint. Performing a manipulation of the argument dbType/dbDriver/dbUrl/dbUsername/dbPassword results in injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-707",
"description": "Improper Neutralization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-07T07:45:07.255Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369076 | erzhongxmu JeeWMS JimuReport test-connection Endpoint testConnection injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369076"
},
{
"name": "VDB-369076 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369076/cti"
},
{
"name": "CVE-2026-11457 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11457"
},
{
"name": "Submit #828509 | \u5e7f\u5dde\u534e\u58f9\u667a\u80fd\u79d1\u6280\u6709\u9650\u516c\u53f8 JeeWMS latest RCE",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/828509"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/0d000721999/evc1/issues/1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T18:07:14.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JeeWMS JimuReport test-connection Endpoint testConnection injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11457",
"datePublished": "2026-06-07T07:45:07.255Z",
"dateReserved": "2026-06-06T16:02:03.321Z",
"dateUpdated": "2026-06-09T14:37:29.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3028 (GCVE-0-2026-3028)
Vulnerability from cvelistv5 – Published: 2026-02-23 21:32 – Updated: 2026-02-25 15:28
VLAI
Title
erzhongxmu JEEWMS JeecgListDemoController.java doAdd cross site scripting
Summary
A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.347384 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.347384 | signaturepermissions-required |
| https://vuldb.com/?submit.756527 | third-party-advisory |
| https://www.notion.so/JEEWMS-Stored-Cross-Site-Sc… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| erzhongxmu | JEEWMS |
Affected:
3.0
Affected: 3.1 Affected: 3.2 Affected: 3.3 Affected: 3.4 Affected: 3.5 Affected: 3.6 Affected: 3.7 cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3028",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T15:27:33.709385Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T15:28:13.880Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"product": "JEEWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"status": "affected",
"version": "3.1"
},
{
"status": "affected",
"version": "3.2"
},
{
"status": "affected",
"version": "3.3"
},
{
"status": "affected",
"version": "3.4"
},
{
"status": "affected",
"version": "3.5"
},
{
"status": "affected",
"version": "3.6"
},
{
"status": "affected",
"version": "3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "din4 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T21:32:08.463Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347384 | erzhongxmu JEEWMS JeecgListDemoController.java doAdd cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.347384"
},
{
"name": "VDB-347384 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347384"
},
{
"name": "Submit #756527 | erzhongxmu JEEWMS \u22643.7 Reflected XSS",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.756527"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/JEEWMS-Stored-Cross-Site-Scripting-XSS-in-SysModule-304ea92a3c418099bed7f1e0bca12d83"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-23T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-23T15:10:32.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JEEWMS JeecgListDemoController.java doAdd cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3028",
"datePublished": "2026-02-23T21:32:08.463Z",
"dateReserved": "2026-02-23T14:05:23.655Z",
"dateUpdated": "2026-02-25T15:28:13.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3027 (GCVE-0-2026-3027)
Vulnerability from cvelistv5 – Published: 2026-02-23 21:02 – Updated: 2026-02-25 15:19
VLAI
Title
erzhongxmu JEEWMS UEditor getContent.jsp cross site scripting
Summary
A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.347383 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.347383 | signaturepermissions-required |
| https://vuldb.com/?submit.756523 | third-party-advisory |
| https://www.notion.so/JEEWMS-Reflected-XSS-Vulner… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| erzhongxmu | JEEWMS |
Affected:
3.0
Affected: 3.1 Affected: 3.2 Affected: 3.3 Affected: 3.4 Affected: 3.5 Affected: 3.6 Affected: 3.7 cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3027",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T15:18:36.654456Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T15:19:05.163Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"modules": [
"UEditor"
],
"product": "JEEWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"status": "affected",
"version": "3.1"
},
{
"status": "affected",
"version": "3.2"
},
{
"status": "affected",
"version": "3.3"
},
{
"status": "affected",
"version": "3.4"
},
{
"status": "affected",
"version": "3.5"
},
{
"status": "affected",
"version": "3.6"
},
{
"status": "affected",
"version": "3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "din4 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T21:02:08.183Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347383 | erzhongxmu JEEWMS UEditor getContent.jsp cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.347383"
},
{
"name": "VDB-347383 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347383"
},
{
"name": "Submit #756523 | erzhongxmu JEEWMS \u003c= 3.7 Reflected XSS",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.756523"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/JEEWMS-Reflected-XSS-Vulnerability-in-UEditor-Module-304ea92a3c41806a97ffc9b707f2fbf0"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-23T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-23T15:10:30.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JEEWMS UEditor getContent.jsp cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3027",
"datePublished": "2026-02-23T21:02:08.183Z",
"dateReserved": "2026-02-23T14:05:20.948Z",
"dateUpdated": "2026-02-25T15:19:05.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3026 (GCVE-0-2026-3026)
Vulnerability from cvelistv5 – Published: 2026-02-23 20:02 – Updated: 2026-02-25 15:04
VLAI
Title
erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery
Summary
A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.347382 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.347382 | signaturepermissions-required |
| https://vuldb.com/?submit.756522 | third-party-advisory |
| https://www.notion.so/JEEWMS-SSRF-Vulnerability-i… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| erzhongxmu | JEEWMS |
Affected:
3.7
cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3026",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T15:04:36.615175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T15:04:59.828Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*"
],
"modules": [
"UEditor"
],
"product": "JEEWMS",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "din4 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T20:02:09.909Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347382 | erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.347382"
},
{
"name": "VDB-347382 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347382"
},
{
"name": "Submit #756522 | erzhongxmu JEEWMS \u22643.7 Server-Side Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.756522"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/JEEWMS-SSRF-Vulnerability-in-UEditor-Module-304ea92a3c41806782b1f7285ab0d580"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-23T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-23T15:11:02.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3026",
"datePublished": "2026-02-23T20:02:09.909Z",
"dateReserved": "2026-02-23T14:05:13.898Z",
"dateUpdated": "2026-02-25T15:04:59.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11251 (GCVE-0-2024-11251)
Vulnerability from cvelistv5 – Published: 2024-11-15 18:00 – Updated: 2024-11-19 16:11
VLAI
Title
erzhongxmu Jeewms AuthInterceptor cgReportController.do sql injection
Summary
A vulnerability was found in erzhongxmu Jeewms up to 20241108. It has been rated as critical. This issue affects some unknown processing of the file cgReportController.do of the component AuthInterceptor. The manipulation of the argument begin_date leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. Other parameters might be affected as well.
Severity
6.3 (Medium)
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.284687 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.284687 | signaturepermissions-required |
| https://gitee.com/erzhongxmu/JEEWMS/issues/IB2XZG | exploitissue-tracking |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| erzhongxmu | Jeewms |
Affected:
20241108
|
|
| erzhongxmu | jeewms |
Affected:
0 , ≤ 20241108
(custom)
cpe:2.3:a:erzhongxmu:jeewms:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:erzhongxmu:jeewms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jeewms",
"vendor": "erzhongxmu",
"versions": [
{
"lessThanOrEqual": "20241108",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11251",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T16:10:24.708428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T16:11:57.733Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"AuthInterceptor"
],
"product": "Jeewms",
"vendor": "erzhongxmu",
"versions": [
{
"status": "affected",
"version": "20241108"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "VulDB Gitee Analyzer"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in erzhongxmu Jeewms up to 20241108. It has been rated as critical. This issue affects some unknown processing of the file cgReportController.do of the component AuthInterceptor. The manipulation of the argument begin_date leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. Other parameters might be affected as well."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in erzhongxmu Jeewms bis 20241108 ausgemacht. Sie wurde als kritisch eingestuft. Dies betrifft einen unbekannten Teil der Datei cgReportController.do der Komponente AuthInterceptor. Durch das Manipulieren des Arguments begin_date mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Dieses Produkt setzt Rolling Releases ein. Aus diesem Grund sind Details zu betroffenen oder zu aktualisierende Versionen nicht verf\u00fcgbar."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T18:00:12.868Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-284687 | erzhongxmu Jeewms AuthInterceptor cgReportController.do sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.284687"
},
{
"name": "VDB-284687 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.284687"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://gitee.com/erzhongxmu/JEEWMS/issues/IB2XZG"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-15T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-11-15T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-11-15T10:04:05.000Z",
"value": "VulDB entry last update"
}
],
"title": "erzhongxmu Jeewms AuthInterceptor cgReportController.do sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-11251",
"datePublished": "2024-11-15T18:00:12.868Z",
"dateReserved": "2024-11-15T08:57:19.277Z",
"dateUpdated": "2024-11-19T16:11:57.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}