CVE-2026-9376 JPress Projects CVE debrief

Who should care

Organizations running JPress 1.0.3 or earlier with UCenter functionality enabled; security teams monitoring for authorization bypass vulnerabilities in Java-based content management systems; developers maintaining JPress deployments

Technical summary

The vulnerability resides in an unknown function within `/ucenter/article/doWriteSave` of JPress's UCenter Article Submission Endpoint. By manipulating the `id` or `userId` arguments, an authenticated attacker with low privileges can bypass intended authorization controls. The attack vector is network-based with low complexity. The vulnerability status is currently Deferred in NVD, indicating pending analysis or vendor coordination. No patch is available as of the modified date.

Defensive priority

low

Recommended defensive actions

• Review and restrict access to the `/ucenter/article/doWriteSave` endpoint in JPress deployments
• Validate and enforce authorization checks on `id` and `userId` parameters at the application layer
• Monitor for unauthorized article submission attempts in application logs
• Consider implementing additional access controls or Web Application Firewall rules for the affected endpoint
• Track the referenced GitHub issue for vendor patch availability before upgrading

Evidence notes

Vulnerability identified through Vuldb submission and publicly disclosed via GitHub issue. CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization) assigned. CVSS 4.0 score of 2.1 reflects limited impact scope. Exploit existence confirmed in public disclosure. Vendor notification status: unresponsive as of CVE publication.

Official resources