PatchSiren cyber security CVE debrief
CVE-2026-11467 jishenghua CVE debrief
A path traversal vulnerability has been detected in jishenghua jshERP up to 3.6. The vulnerability affects the function addAccountHeadAndDetail of the file jshERP-boot/src/main/java/com/jsh/erp/service/AccountHeadService.java of the component addAccountHeadAndDetail Endpoint. This vulnerability allows remote attackers to manipulate the argument fileName, leading to path traversal. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
- Vendor: jishenghua
- Product: jshERP
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-08
Who should care
Users of jishenghua jshERP up to version 3.6 should be aware of this vulnerability and take necessary actions to mitigate it.
Technical summary
The vulnerability has a CVSS score of 2.1 and is classified as LOW severity. It can be exploited remotely, and its CVSS vector string is AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
LOW
Recommended defensive actions
- Update jishenghua jshERP to a version that fixes this vulnerability.
- Restrict access to the addAccountHeadAndDetail endpoint.
- Monitor the system for suspicious activity.
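To support the monitoring action above, this added example (not code from jshERP or from the advisory) flags fileName values sent to addAccountHeadAndDetail that contain traversal markers, including percent-encoded and double-encoded forms. The JSON-lines record layout, its field names (user, endpoint, fileName) and the sample records are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import unquote

ENDPOINT = "addAccountHeadAndDetail"  # endpoint name taken from the advisory

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded separators are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_reasons(file_name):
    """Return the reasons a fileName value looks like path traversal."""
    name = decode_fully(file_name).replace("\\", "/")
    reasons = []
    if "\x00" in name:
        reasons.append("null byte")
    if name.startswith("/") or re.match(r"[A-Za-z]:", name):
        reasons.append("absolute path")
    if ".." in name.split("/"):  # ".." as a whole segment, not inside a name
        reasons.append("parent-directory segment")
    return reasons

def flag_records(lines):
    """Return (user, fileName, reasons) for suspicious calls to the endpoint."""
    flagged = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("endpoint") != ENDPOINT:
            continue
        name = str(rec.get("fileName") or "")
        reasons = traversal_reasons(name)
        if reasons:
            flagged.append((rec.get("user"), name, reasons))
    return flagged

# Constructed sample records; the JSON-lines layout is an assumption.
SAMPLE = [
    '{"user": "u1", "endpoint": "addAccountHeadAndDetail", "fileName": "receipt_2026.pdf"}',
    '{"user": "u2", "endpoint": "addAccountHeadAndDetail", "fileName": "../../conf/app.yml"}',
    '{"user": "u3", "endpoint": "addAccountHeadAndDetail", "fileName": "..%252f..%252fconf%252fapp.yml"}',
    '{"user": "u4", "endpoint": "addAccountHeadAndDetail", "fileName": "notes..v2.txt"}',
    '{"user": "u5", "endpoint": "otherEndpoint", "fileName": "../x"}',
]
```

Feed it whatever request or audit records your deployment actually captures for this endpoint, mapped into the assumed fields.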
Evidence notes
The vulnerability was reported through an issue report, but the project has not responded yet. The exploit has been disclosed publicly.
Official resources
CVE-2026-11467 was published on 2026-06-08T00:16:42.230Z and modified on 2026-06-08T14:57:14.757Z.