These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
An open redirect has been identified in JeecgBoot up to 3.9.2. The affected code is the call to HttpServletResponse.sendRedirect in the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java of the Third-Party Login component, where manipulation of the 'state' argument controls the redirect target. The attack can be initiated remotely, but a high degree of complexi [truncated]
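The defensive counterpart to the redirect described above is to validate the target before it ever reaches a sendRedirect-style call. The following is an added example written for this page, not JeecgBoot code; it is in Python for illustration, and the application origin and the host allowlist are assumptions. It accepts only a same-origin path or an absolute http(s) URL on an explicit allowlist, and falls back to "/" for everything else, including the scheme-relative, userinfo and backslash forms that browsers interpret as a different host.

```python
"""Redirect-target validation for a third-party login callback.

Added example, not JeecgBoot code. APP_ORIGIN and ALLOWED_REDIRECT_HOSTS are
assumed values chosen for illustration.
"""
from __future__ import annotations

from urllib.parse import urljoin, urlsplit

APP_ORIGIN = "https://app.example.com"                           # assumed
ALLOWED_REDIRECT_HOSTS = {"app.example.com", "sso.example.com"}  # assumed


def safe_redirect_target(raw: str | None, fallback: str = "/") -> str:
    """Return a URL that is safe to hand to a sendRedirect-style call.

    Accepts only (a) a same-origin path beginning with a single '/', resolved
    against APP_ORIGIN, or (b) an absolute http(s) URL whose host is on the
    allowlist and that carries no userinfo or port. Anything else yields
    `fallback` rather than an error, so the login flow still completes.
    """
    if not raw:
        return fallback
    # Browsers treat "//host" as scheme-relative and "/\host" as host-bearing,
    # so refuse those shapes before parsing.
    if raw.startswith("//") or "\\" in raw:
        return fallback
    try:
        parts = urlsplit(raw)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return fallback
    if parts.scheme:
        # Absolute URL: scheme must be http(s) and a host must be present
        # ("http:evil.example" parses with an empty netloc and is rejected).
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return fallback
        # "https://app.example.com@evil.example/" puts our host in userinfo.
        if parts.username is not None or parts.password is not None or port is not None:
            return fallback
        if (parts.hostname or "").lower() not in ALLOWED_REDIRECT_HOSTS:
            return fallback
        return raw
    if parts.netloc:
        # Scheme-less but host-bearing, e.g. after urlsplit strips leading
        # whitespace or embedded tabs from " //evil.example".
        return fallback
    if not parts.path.startswith("/"):
        return fallback
    # Relative path: pin it to our own origin explicitly.
    return urljoin(APP_ORIGIN, raw)


if __name__ == "__main__":
    for candidate in ("/dashboard?tab=1", "//evil.example/", "https://evil.example/",
                      "https://app.example.com@evil.example/", "javascript:alert(1)",
                      "https://sso.example.com/callback"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

The function deliberately compares the parsed hostname against an exact set rather than using a prefix or "contains" test; "app.example.com.evil.example" and "evil.example/app.example.com" both fail the exact match. A signed, server-generated state value that maps to a stored return URL avoids the parsing problem entirely, but where the parameter must carry a URL, this is the minimum check.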
An information disclosure vulnerability was identified in JeecgBoot up to 3.9.2. The queryPageList function in SysUserController.java is affected: manipulation of the 'salt' argument discloses information. The attack can be initiated remotely but has high complexity. A fix is planned for an upcoming release.
A server-side request forgery (SSRF) vulnerability affects JeecgBoot versions up to 3.9.1. The flaw is in `FileDownloadUtils.download2DiskFromNet`, reachable via the `/airag/app/debug` endpoint, where improper URL handling lets a remote attacker direct the server-side request at cloud instance metadata endpoints. The vulnerability was publicly disclosed on 2026-06-01 with a CVSS 4.0 score of 2.1 [truncated]
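A download-from-URL helper needs a destination check that looks at where the name actually resolves, not just at the hostname string, because the metadata service can be reached through a DNS name, an IPv4-mapped IPv6 literal, or an unusual address encoding. The block below is an added example written for this page, not JeecgBoot code; it is Python rather than the project's Java for illustration. The hostname denylist and the DNS table are assumptions, and the table is constructed so the example runs offline.

```python
"""Destination check for a "download this URL to disk" helper.

Added example, not JeecgBoot code. DENIED_HOSTNAMES and STATIC_DNS are
assumptions for illustration; STATIC_DNS contains constructed answers only.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, List, Tuple

ALLOWED_SCHEMES = {"http", "https"}
# Names some cloud providers resolve to their metadata service (assumed list).
DENIED_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}

# Constructed DNS answers so the example runs offline; not real records.
STATIC_DNS = {
    "files.example.org": ["93.184.216.34"],
    "md.evil.example": ["169.254.169.254"],           # rebinds to the metadata address
    "v6md.evil.example": ["::ffff:169.254.169.254"],  # same address, IPv4-mapped IPv6
    "localhost": ["127.0.0.1", "::1"],
}


def static_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS, backed by the constructed table above."""
    try:
        return STATIC_DNS[host.lower().rstrip(".")]
    except KeyError:
        raise OSError(f"no such host: {host}")


def system_resolver(host: str) -> List[str]:
    """Real resolver: return every A/AAAA answer, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    # 169.254.169.254 is link-local; fd00:ec2::254 and 10/8 etc. are private.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_fetch_target(url: str,
                       resolver: Callable[[str], List[str]] = system_resolver
                       ) -> Tuple[bool, str, List[str]]:
    """Return (allowed, reason, resolved_addresses) for a candidate URL.

    The caller must connect to one of the returned addresses rather than
    re-resolving the name, otherwise a DNS rebinding answer defeats the check.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL", []
    if host.lower().rstrip(".") in DENIED_HOSTNAMES:
        return False, f"denied hostname {host}", []
    try:
        ipaddress.ip_address(host)   # literal address: no lookup needed
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:       # socket.gaierror is a subclass of OSError
            return False, f"resolution failed: {exc}", []
    if not addrs:
        return False, "no addresses", []
    for addr in addrs:
        try:
            if _is_internal(addr):
                return False, f"{host} resolves to internal address {addr}", addrs
        except ValueError:
            return False, f"unparseable address {addr}", addrs
    return True, "ok", addrs


from urllib.parse import urlsplit  # noqa: E402 (kept near its only caller above)

if __name__ == "__main__":
    for candidate in ("https://files.example.org/a.zip", "http://169.254.169.254/latest/meta-data/",
                      "http://md.evil.example/", "http://v6md.evil.example/", "file:///etc/passwd"):
        print(f"{candidate!r:45} -> {check_fetch_target(candidate, static_resolver)[:2]}")
```

Two things the check cannot do on its own: it must be repeated on every redirect hop (disable automatic redirects in the HTTP client and re-run it on each Location), and the connection must go to the returned address with the hostname carried in the Host/SNI fields, or a short-TTL DNS answer can pass the check and then point the real connection at 169.254.169.254.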
A low-severity improper access control vulnerability affects JeecgBoot versions up to 3.9.1. It lies in the AiragModelController component, where manipulation of the list/queryById argument can lead to unauthorized access. The issue is remotely exploitable and a public exploit is available. Version 3.9.2 addresses it.
A low-severity improper access control vulnerability in JeecgBoot versions up to 3.9.1 allows authenticated remote attackers to manipulate the /sys/comment/add endpoint. The vulnerability was disclosed on 2026-05-26 with a CVSS 4.0 score of 2.1 (LOW severity). An upgrade to version 3.9.2 resolves the issue. The vulnerability is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Imprope [truncated]
A low-severity improper access control vulnerability in JeecgBoot versions up to 3.9.1 allows authenticated remote attackers to manipulate the userIdentity parameter handled by user.getUsername in the /sys/user/login/setting/userEdit endpoint. The vulnerability, published 2026-05-26, has a CVSS 4.0 score of 2.1 (LOW severity) and exploit details are public. The vendor has r [truncated]
A vulnerability in JeecgBoot 3.9.1 affects the OpenAPI endpoint at /openapi/call/, where improper authentication controls allow remote attackers to bypass authentication. The attack has high complexity and is assessed as difficult to exploit. The vendor was contacted before disclosure but did not respond. The vulnerability was published on 2026-05-24 and last modified on 2026-05-26.
CVE-2026-8195 is a cross-site scripting issue reported in JeecgBoot up to 3.9.1, centered on SVG file handling in CommonController.java. Per the CVE description, the attack can be executed remotely, exploit material is public, and the vendor was contacted early but did not respond. While the CVSS score is low, publicly available exploitation details increase the need to verify exposure and harde [truncated]
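SVG is XML that browsers will execute script from, so an upload path that stores and serves SVG needs either to never render it inline (Content-Disposition: attachment plus a restrictive Content-Security-Policy on the download host) or to strip the active parts before storage. The sanitizer below is an added example written for this page, not JeecgBoot code, in Python for illustration; the tag and attribute policy is an assumption chosen to be conservative, and SAMPLE_SVG is constructed input. It rejects DTD and entity declarations outright, removes script-bearing and foreign-content elements, drops every on* handler, and keeps href attributes only when they are fragment references or plain http(s) links.

```python
"""Conservative sanitizer for uploaded SVG files.

Added example, not JeecgBoot code. DANGEROUS_TAGS and SAFE_HREF are an assumed
policy for illustration; SAMPLE_SVG is constructed test input.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep <svg> unprefixed on output
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script or embed foreign content; animate/set are dropped
# because they can rewrite attributes such as href at runtime.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "animate", "set"}
# Only fragment references and plain http(s) links survive in href attributes.
SAFE_HREF = re.compile(r"^(#|https?://)", re.IGNORECASE)

SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></body></foreignObject>
  <a xlink:href="javascript:alert(3)"><circle r="10"/></a>
  <use href="#shape"/>
  <rect width="10" height="10" onclick="alert(4)"/>
</svg>"""


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def _strip_elements(el: ET.Element) -> int:
    """Remove dangerous children recursively; returns the number removed.
    A removed subtree is not descended into, so its attributes are not counted."""
    removed = 0
    for child in list(el):
        if _local(child.tag) in DANGEROUS_TAGS:
            el.remove(child)
            removed += 1
        else:
            removed += _strip_elements(child)
    return removed


def _strip_attributes(root: ET.Element) -> int:
    """Drop on* handlers and unsafe href values on every remaining element."""
    removed = 0
    for el in root.iter():
        for name, value in list(el.attrib.items()):
            local = _local(name).lower()
            if local.startswith("on") or (local == "href" and not SAFE_HREF.match(value.strip())):
                del el.attrib[name]
                removed += 1
    return removed


def sanitize_svg(data: bytes) -> Tuple[bytes, Dict[str, int]]:
    """Parse, strip, and re-serialize an SVG document.

    Raises ValueError for input that is rejected outright (DTD or entity
    declarations, a root element other than <svg>); malformed XML raises
    ET.ParseError, which the upload handler should treat as a rejection too.
    """
    lowered = data.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise ValueError("DTD and entity declarations are not accepted")
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    stats = {"elements": _strip_elements(root), "attributes": _strip_attributes(root)}
    return ET.tostring(root, encoding="unicode").encode("utf-8"), stats


if __name__ == "__main__":
    cleaned, removed = sanitize_svg(SAMPLE_SVG)
    print(removed)
    print(cleaned.decode())
```

Re-serializing from the parsed tree, rather than patching the original bytes, is the point of the design: comments, processing instructions and anything the parser did not understand are gone, so the output contains only what the policy allowed. Even with sanitization, serving user-uploaded SVG from the application's own origin is the risky configuration; a separate download origin with a CSP that blocks script is the stronger control.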