CVE-2026-10239
Description
Stored SSRF in JeecgBoot's Word template processing allows attackers to scan internal networks or access cloud metadata via malicious image URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored Server-Side Request Forgery (SSRF) vulnerability exists in JeecgBoot versions up to 3.9.2 (explicitly confirmed up to 3.9.1 [2]). The flaw resides in the Word template processing feature, specifically in the WordUtil.addImage method invoked when generating a document from a Word template. An attacker can inject a malicious HTTP URL into the database via the PUT/POST /airag/word/edit endpoint by crafting a JSON payload containing an image cell with a value pointing to an internal resource (e.g., http://169.254.169.254/latest/meta-data/). When the template is subsequently downloaded via GET /airag/word/download?id=, the server fetches the image URL without proper host validation, resulting in an SSRF [2].
Exploitation
The attacker must have access to the PUT/POST /airag/word/edit endpoint (likely requiring authentication) and the ability to download templates. The exploitation steps are: (1) submit a JSON payload to /airag/word/edit with a document structure containing an image cell whose value is set to an internal URL; (2) note the id of the modified template; (3) request the template download via /airag/word/download?id=. The server then attempts to fetch the image from the attacker-controlled URL during document generation, triggering an outbound HTTP request from the server to the internal target [2].
Impact
Successful exploitation allows an attacker to perform Server-Side Request Forgery, enabling internal network scanning or access to sensitive cloud metadata (e.g., AWS metadata endpoint at 169.254.169.254). This could lead to disclosure of internal service information, cloud instance credentials, or other sensitive data accessible from the application server. The attacker does not gain direct code execution but can probe internal resources that are otherwise protected.
Mitigation
As of the publication date, no official patch has been released. The vendor plans to include a fix in the upcoming release [1]. In the interim, organizations can mitigate the risk by restricting outbound network access from the application server (e.g., via firewall or egress rules) or by implementing strict URL validation (e.g., allowlisting only known image hosts) in the WordUtil.addImage function. Regularly monitor for updates to the JeecgBoot project [1].
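One way to implement the strict URL validation suggested above, written here in Java as an added illustration and not JeecgBoot's own code; the class name ImageUrlPolicy and the allowlist entries are assumptions, and the method is meant to run before the image fetch in the template path:

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

/** Added example, not JeecgBoot code: policy check to run before fetching a template image URL. */
public final class ImageUrlPolicy {
    // Assumed allowlist of image hosts; a real deployment would load this from configuration.
    private static final Set<String> ALLOWED_HOSTS = Set.of("images.example.com", "cdn.example.com");

    private ImageUrlPolicy() {}

    /** Returns the pinned address to connect to, or throws if the URL must not be fetched. */
    public static InetAddress validate(String rawUrl) throws UnknownHostException {
        URI uri;
        try {
            uri = new URI(rawUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed image URL", e);
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("only http/https image URLs are accepted");
        }
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) {
            throw new IllegalArgumentException("image URL has no host or carries userinfo");
        }
        // Exact-match allowlist: 169.254.169.254, 127.0.0.1 and arbitrary internal names fail here.
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not in image allowlist: " + host);
        }
        // Resolve once and pin the result, so a DNS rebind cannot swap in an internal address
        // between the check and the connect. Rejects loopback, link-local (incl. 169.254.0.0/16),
        // RFC 1918 / fec0::/10, wildcard and multicast addresses. Note: Java's isSiteLocalAddress
        // does not cover IPv6 ULA (fc00::/7); add an explicit check if IPv6 egress is enabled.
        InetAddress[] resolved = InetAddress.getAllByName(host);
        for (InetAddress addr : resolved) {
            if (addr.isLoopbackAddress() || addr.isLinkLocalAddress() || addr.isSiteLocalAddress()
                    || addr.isAnyLocalAddress() || addr.isMulticastAddress()) {
                throw new IllegalArgumentException("host resolves to a non-public address: " + addr);
            }
        }
        return resolved[0];
    }
}
```

The caller should open the connection to the returned pinned address with the original host name in the Host header and must not follow redirects, otherwise an allowlisted host could redirect the fetch to an internal address.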
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 5
News mentions: 0
No linked articles in our index yet.