Vypr Intelligence · AI-generated · Jun 1, 2026 · 3 CVEs

Jeecgboot: Three SSRF Vulnerabilities Disclosed Together

Three medium-severity Server-Side Request Forgery (SSRF) vulnerabilities were disclosed in Jeecgboot, affecting versions up to 3.9.2.

Key findings

  • Three medium-severity SSRF vulnerabilities disclosed in Jeecgboot.
  • The vulnerabilities affect Jeecgboot versions up to 3.9.1 (CVE-2026-10241) and up to 3.9.2 (CVE-2026-10240 and CVE-2026-10239).
  • CVE-2026-10240 and CVE-2026-10239 have publicly available exploits.
  • The flaws are related to file handling and argument manipulation.
  • Users are urged to update to patched versions promptly.

Jeecgboot, a popular Java rapid development platform, is facing scrutiny following the synchronized disclosure of three medium-severity vulnerabilities on June 1, 2026. All three issues, identified as Server-Side Request Forgery (SSRF) flaws, were reported together, highlighting a specific attack vector within the platform.

The vulnerabilities, collectively assigned CVE-2026-10241, CVE-2026-10240, and CVE-2026-10239, share the same CVSSv3 score of 6.3, categorizing them as medium severity. This commonality suggests a shared underlying weakness or a related set of exploitable functions within the Jeecgboot codebase.

CVE-2026-10241 specifically impacts the FileDownloadUtils.download2DiskFromNet function of the Cloud Instance Metadata Endpoint component, reached through the file /airag/app/debug. In versions up to 3.9.1, passing certain URLs through this function allows SSRF.

Similarly, CVE-2026-10240 also involves SSRF, stemming from the manipulation of the baseUrl argument in an unknown function within the file /airag/airagModel/test. This vulnerability affects Jeecgboot versions up to 3.9.2 and is noted as being remotely exploitable with a publicly available exploit.

The third vulnerability, CVE-2026-10239, is found in the WordUtil.addImage function within the file /airag/word/edit. This SSRF vulnerability, also affecting versions up to 3.9.2, can be executed remotely, and its exploit has also been publicly disclosed.

While the disclosures do not explicitly mention active exploitation in the wild or attribute the vulnerabilities to specific threat actors, the public availability of exploits for CVE-2026-10240 and CVE-2026-10239 raises immediate concerns for users. The nature of SSRF vulnerabilities means they can be leveraged to probe internal networks, access sensitive metadata, or interact with internal services that are not meant to be exposed externally.
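As an added illustration (not Jeecgboot code), the following hypothetical guard shows the kind of check a download-from-URL helper can apply before fetching, rejecting the loopback, private, link-local (including the 169.254.169.254 instance-metadata range) and unique-local destinations that SSRF flaws of this class are used to reach. The class and method names are assumptions.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;

/** Hypothetical SSRF guard for a download-from-URL helper (added example, not project code). */
public final class SafeUrlGuard {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /**
     * Validates a user-supplied URL and returns the resolved address the caller must connect to.
     * Throws IllegalArgumentException if the scheme, host or resolved address is unacceptable.
     */
    public static InetAddress resolveOrReject(String rawUrl)
            throws URISyntaxException, UnknownHostException {
        URI uri = new URI(rawUrl);
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }
        if (uri.getHost() == null || uri.getUserInfo() != null) {
            throw new IllegalArgumentException("missing host or embedded credentials");
        }
        // Resolve once and check every returned address. The caller should open the connection
        // to the returned address (with redirects disabled), not re-resolve the hostname, so a
        // DNS answer that changes between check and use cannot swap in an internal target.
        InetAddress[] addrs = InetAddress.getAllByName(uri.getHost());
        for (InetAddress a : addrs) {
            if (isInternal(a)) {
                throw new IllegalArgumentException("resolves to internal address: " + a.getHostAddress());
            }
        }
        return addrs[0];
    }

    /** True for addresses an outbound fetch on behalf of a user must never reach. */
    static boolean isInternal(InetAddress a) {
        // Loopback, 0.0.0.0, 169.254/16 (cloud metadata endpoint), RFC 1918, multicast.
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        byte[] b = a.getAddress();
        if (b.length == 4) {
            int first = b[0] & 0xff, second = b[1] & 0xff;
            // 100.64.0.0/10 (shared address space) and 0.0.0.0/8 are not flagged by the JDK helpers.
            return first == 0 || (first == 100 && (second & 0xc0) == 64);
        }
        // IPv6 unique local fc00::/7; isSiteLocalAddress only covers the deprecated fec0::/10.
        return (b[0] & 0xfe) == 0xfc;
    }
}
```

A deny list of this kind is a backstop; where the set of legitimate remote sources is known, an explicit host allowlist checked before resolution is the stronger control.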

Patches for these vulnerabilities are planned; the records indicate fixes for the affected versions (up to 3.9.2). Users of Jeecgboot are strongly advised to update to the latest available version as soon as possible to mitigate the risks associated with these SSRF flaws. The synchronized disclosure of these related vulnerabilities underscores the importance of prompt patching and security review for the Jeecgboot platform.

AI-written article. Grounded in 3 CVE records listed below.