CVE-2026-11464
Description
A vulnerability was identified in JeecgBoot up to 3.9.2. Affected by this vulnerability is the function queryPageList of the file src\main\java\org\jeecg\modules\system\controller\SysUserController.java of the component User List Endpoint. The manipulation of the argument salt leads to information disclosure. The attack may be initiated remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit is publicly available and might be used. A fix is planned for the upcoming release.
Affected products
Patches
214c7cf9c5f58v3.9.2 open up the online chart feature
2 files changed · +3 −3
jeecg-boot/jeecg-module-system/jeecg-system-biz/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ </dependency> <dependency> <groupId>org.jeecgframework.boot3</groupId> - <artifactId>hibernate-re</artifactId> + <artifactId>jeecg-online</artifactId> </dependency> <!-- AI大模型管理-->
jeecg-boot/pom.xml+2 −2 modified@@ -273,8 +273,8 @@ </dependency> <dependency> <groupId>org.jeecgframework.boot3</groupId> - <artifactId>hibernate-re</artifactId> - <version>3.9.1-beta</version> + <artifactId>jeecg-online</artifactId> + <version>3.9.2-beta</version> </dependency> <!--mongon db-->
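Review bot: neither hunk touches SysUserController.queryPageList; both only swap the `hibernate-re` artifact for `jeecg-online` (the module pom leaves the version to the parent, where the second hunk bumps it to `3.9.2-beta`), so the change shown here does not by itself null out the password/salt search fields described under "What the fix does". If this commit is recorded as the fix, the controller change should be linked alongside it, or this entry should be marked as a dependency/version bump only.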
7df07a823fd5 Fix: flyway fails to execute SQL script #9622
1 file changed · +96 −24
jeecg-boot/db/jeecgboot-mysql-5.7.sql+96 −24 modified
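Review bot: the only file in this commit is the database script jeecg-boot/db/jeecgboot-mysql-5.7.sql and its diff body is not reproduced here; a schema/seed script cannot change how queryPageList builds its query conditions, so this entry should not be cited as the code fix for the salt/password disclosure.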
Vulnerability mechanics
Root cause
"The application fails to exclude sensitive fields like password and salt from being used in SQL LIKE queries."
Attack vector
An authenticated attacker can send crafted GET requests to the `/sys/user/list` endpoint. By manipulating the `password` or `salt` parameters with wildcard characters (e.g., `password=d*`), the attacker can perform fuzzy matching against these fields in the database. This allows for the gradual discovery of password hashes and salt values for users, enabling offline cracking of plaintext passwords [ref_id=1]. The attack has high complexity and is difficult to exploit [ref_id=1].
Affected code
The vulnerability resides in the `queryPageList` function within the `SysUserController.java` file. Specifically, the `QueryGenerator.initQueryWrapper()` method automatically generates SQL query conditions by iterating over all fields of the `SysUser` entity, including sensitive fields like `password` and `salt` which are not excluded [ref_id=1].
What the fix does
The patch addresses the vulnerability by ensuring that the `password` and `salt` fields are nullified before being used to construct query conditions. This prevents the `QueryGenerator.initQueryWrapper()` method from automatically including these sensitive fields in SQL LIKE queries, thereby mitigating the information disclosure risk [ref_id=1]. The commit message indicates a version update to 3.9.2, which includes this fix [patch_id=5163057].
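To make the mechanism described under "Affected code" and "What the fix does" concrete, here is an added Python model (not JeecgBoot's own code) of an entity-driven query generator: every non-null field of the bound search object becomes a WHERE condition, a `*` in the value becomes a LIKE pattern, and the hardened variant nulls and excludes `password` and `salt` before generation, as the described fix does. The field names and the `*` wildcard convention follow the page; the `SysUser` stand-in and the parameter binding are assumptions.

```python
from dataclasses import dataclass, fields
from typing import Optional

# Constructed stand-in for the SysUser entity (not the JeecgBoot class):
# every bindable search field, including the two sensitive ones the page names.
@dataclass
class SysUser:
    username: Optional[str] = None
    realname: Optional[str] = None
    password: Optional[str] = None
    salt: Optional[str] = None

SENSITIVE_FIELDS = frozenset({"password", "salt"})

def to_sql_condition(column: str, value: str) -> tuple[str, str]:
    """A '*' in the bound value turns equality into a LIKE pattern (the fuzzy match the attack relies on)."""
    if "*" in value:
        return f"{column} LIKE ?", value.replace("*", "%")
    return f"{column} = ?", value

def build_conditions(entity: SysUser, excluded=frozenset()) -> list[tuple[str, str]]:
    """Model of an entity-driven query generator: each non-null field of the
    bound search object becomes a WHERE condition unless its name is excluded."""
    conds = []
    for f in fields(entity):
        value = getattr(entity, f.name)
        if value is None or f.name in excluded:
            continue
        conds.append(to_sql_condition(f.name, value))
    return conds

def bind(params: dict) -> SysUser:
    """Bind request parameters onto the search object (unknown keys are ignored)."""
    known = {f.name for f in fields(SysUser)}
    return SysUser(**{k: v for k, v in params.items() if k in known})

def vulnerable_query(params: dict) -> list[tuple[str, str]]:
    # Nothing is excluded, so 'salt=ab*' becomes "salt LIKE 'ab%'" and the size of
    # the paged result tells the caller whether any stored salt starts with 'ab'.
    return build_conditions(bind(params))

def hardened_query(params: dict) -> list[tuple[str, str]]:
    # Mirrors the described fix: null the sensitive fields before generation,
    # and additionally exclude them by name as defence in depth.
    entity = bind(params)
    entity.password = None
    entity.salt = None
    return build_conditions(entity, excluded=SENSITIVE_FIELDS)
```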
Preconditions
- auth: The attacker must be an authenticated user.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References