PatchSiren

JeecgBoot CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW JeecgBoot CVE published 2026-06-08

CVE-2026-11502

A weakness has been identified in JeecgBoot up to 3.9.2. The impacted function is HttpServletResponse.sendRedirect in the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java of the component Third-Party Login. Manipulation of the argument state causes an open redirect. The attack can be initiated remotely, but a high degree of complexi [truncated]

LOW JeecgBoot CVE published 2026-06-07

CVE-2026-11464

A vulnerability was identified in JeecgBoot up to 3.9.2. The function queryPageList in SysUserController.java is affected, allowing for information disclosure via manipulation of the 'salt' argument. The attack may be initiated remotely and has high complexity. A fix is planned for an upcoming release.

LOW JeecgBoot CVE published 2026-06-01

CVE-2026-10241

A server-side request forgery (SSRF) vulnerability affects JeecgBoot versions up to 3.9.1. The flaw exists in the `FileDownloadUtils.download2DiskFromNet` function via the `/airag/app/debug` endpoint, where improper handling of URLs allows remote attackers to manipulate requests to cloud instance metadata endpoints. The vulnerability was publicly disclosed on 2026-06-01 with a CVSS 4.0 score of 2.1 [truncated]

LOW JeecgBoot CVE published 2026-05-26

CVE-2026-9604

A low-severity improper access control vulnerability affects JeecgBoot versions up to 3.9.1. The vulnerability resides in the AiragModelController component, where manipulation of the list/queryById argument can lead to unauthorized access. The issue is remotely exploitable and public exploit availability has been confirmed. The vendor has released version 3.9.2 to address this vulnerability.

LOW JeecgBoot CVE published 2026-05-26

CVE-2026-9581

A low-severity improper access control vulnerability in JeecgBoot versions up to 3.9.1 allows authenticated remote attackers to manipulate the /sys/comment/add endpoint. The vulnerability was disclosed on 2026-05-26 with a CVSS 4.0 score of 2.1 (LOW severity). An upgrade to version 3.9.2 resolves the issue. The vulnerability is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Imprope [truncated]

LOW JeecgBoot CVE published 2026-05-26

CVE-2026-9579

A low-severity improper access control vulnerability in JeecgBoot versions up to 3.9.1 allows authenticated remote attackers to manipulate the userIdentity parameter in the /sys/user/login/setting/userEdit endpoint's user.getUsername function. The vulnerability, published 2026-05-26, has a CVSS 4.0 score of 2.1 (LOW severity) and has been publicly disclosed with available exploit details. The vendor has r [truncated]

MEDIUM JeecgBoot CVE published 2026-05-24

CVE-2026-9373

A vulnerability in JeecgBoot 3.9.1 affects the OpenAPI Endpoint at /openapi/call/, where improper authentication controls allow remote attackers to bypass authentication. The attack requires high complexity and is assessed as difficult to exploit. The vendor was contacted prior to disclosure but did not respond. The vulnerability was published on 2026-05-24 and last modified on 2026-05-26.

LOW JeecgBoot CVE published 2026-05-09

CVE-2026-8195

CVE-2026-8195 is a cross-site scripting issue reported in JeecgBoot up to 3.9.1, centered on SVG file handling in CommonController.java. The CVE description says the attack can be executed remotely, that exploit material is public, and that the vendor was contacted early but did not respond. While the CVSS score is low, publicly available exploitation details increase the need to verify exposure and harde [truncated]