VYPR
Medium severity (score 5.4) · NVD Advisory · Published Jun 8, 2026

CVE-2026-11467

Description

Path traversal vulnerability in jshERP up to 3.6 allows remote attackers to manipulate files via the addAccountHeadAndDetail endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored path traversal vulnerability exists in jishenghua jshERP versions up to 3.6. The vulnerability is located in the addAccountHeadAndDetail function within the AccountHeadService.java file. Specifically, the fileName argument in the POST /addAccountHeadAndDetail endpoint is not properly sanitized, allowing for path traversal attacks.

Exploitation

An attacker can exploit this vulnerability remotely by sending a POST request to the /addAccountHeadAndDetail endpoint with a crafted JSON payload. The payload should include a fileName field set to a path traversal sequence, such as ../../../../etc/passwd. This malicious entry is saved to the database. Subsequently, triggering the deletion of this record via the batchDeleteAccountHeadByIds functionality causes the application to pass the unsanitized path to its file operations, including deletion.

Impact

Successful exploitation allows an attacker to perform arbitrary file operations, including deletion, on the server. By manipulating the fileName argument and triggering the deletion process, an attacker can traverse the file system using sequences like ../ and interact with sensitive files, potentially leading to data corruption or unauthorized modification.

Mitigation

The vulnerability affects jshERP versions up to 3.6. The project was informed of the issue early via an issue report [2], but as of the available references, no patch or fixed version has been released, and no workarounds are disclosed. The project has not yet responded to the vulnerability report [2].

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Jishenghua/Jsherp: 2 versions (no CPE), range: <=3.6

Patches

0 patches. No patches discovered yet.

Vulnerability mechanics

Root cause

"The application fails to sanitize the fileName argument in the addAccountHeadAndDetail endpoint, allowing path traversal."

Attack vector

An attacker can remotely send a POST request to the /addAccountHeadAndDetail endpoint with a JSON payload containing a manipulated fileName field, such as '../../../../etc/passwd'. This payload is then persisted in the database. Subsequently, when the account head record is deleted via batchDeleteAccountHeadByIds, the application uses the unsanitized path to perform file operations, enabling arbitrary file manipulation [ref_id=1].

Affected code

The vulnerability resides in the addAccountHeadAndDetail function within AccountHeadService.java, which accepts the unsanitized fileName. The deletion logic is handled by batchDeleteAccountHeadByIds in the same service, which retrieves the fileName and passes it to deleteFileByPathList in SystemConfigService.java. The deleteFileByPathList method then uses this path in file operations via Paths.get(), Files.copy(), and Files.delete() [ref_id=1].

What the fix does

The patch is not available in the provided bundle. The advisory indicates that the vulnerability exists because the POST /addAccountHeadAndDetail endpoint accepts a fileName field without sanitization, which is then used in file operations like Files.copy() and Files.delete() [ref_id=1]. Remediation would involve sanitizing the fileName input before it is stored and used in file system operations.
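The containment check that the remediation paragraph above calls for, written out as an added example in Java (the language of jshERP). This is not jshERP's own code and no patch exists on the page; the upload root `/var/jshERP/upload`, the class and method names, and the sample file names are all assumptions made for illustration. It shows the unchecked shape the advisory describes (a stored name passed straight to `Paths.get()` and `Files.delete()`) next to a hardened shape that resolves the name against a fixed root and refuses anything that normalizes to a location outside it.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public class SafeFileDelete {

    // Hypothetical upload root; jshERP's real upload directory is not given on the page.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/jshERP/upload").toAbsolutePath().normalize();

    /**
     * Resolves a stored fileName against the upload root and returns the result only if,
     * after normalization, it is still strictly inside that root. Returns null for blank
     * names, absolute paths, and ".." sequences that climb out of the root, so the caller
     * refuses the operation instead of touching an attacker-chosen location.
     */
    static Path resolveInsideRoot(String fileName) {
        if (fileName == null || fileName.isBlank()) {
            return null;
        }
        // resolve() with an absolute argument returns that argument unchanged, so an
        // absolute fileName fails the startsWith() check below rather than slipping through.
        Path candidate = UPLOAD_ROOT.resolve(fileName).normalize();
        if (!candidate.startsWith(UPLOAD_ROOT) || candidate.equals(UPLOAD_ROOT)) {
            return null;
        }
        return candidate;
    }

    // Unchecked shape described by the advisory: the stored name goes straight to the
    // file system API, so "../../../../etc/passwd" is deleted as written.
    static void deleteUnchecked(String fileName) throws IOException {
        Files.deleteIfExists(Paths.get(fileName));
    }

    // Hardened shape: validate first, and apply the same check wherever the stored name is
    // used (copy and delete alike), not only when it is first stored.
    static boolean deleteChecked(String fileName) throws IOException {
        Path p = resolveInsideRoot(fileName);
        if (p == null) {
            return false;  // rejected: log and report, do not touch the file system
        }
        return Files.deleteIfExists(p);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the traversal string quoted in the advisory.
        List<String> samples = List.of(
                "invoice-2026.pdf",
                "sub/dir/scan.png",
                "../../../../etc/passwd",
                "/etc/passwd",
                "");
        for (String s : samples) {
            Path p = resolveInsideRoot(s);
            System.out.println((p == null ? "REJECT " : "ACCEPT ") + "\"" + s + "\""
                    + (p == null ? "" : " -> " + p));
        }
    }
}
```

Two points for anyone applying this pattern to the code the advisory names: the check belongs both where the name is accepted (addAccountHeadAndDetail) and where it is consumed (deleteFileByPathList), because the advisory's trigger is the later deletion of a record stored earlier; and `normalize()` does not follow symbolic links, so if the upload directory can contain attacker-created links, resolve the candidate with `toRealPath()` and repeat the `startsWith` comparison on the real path before copying or deleting.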

Preconditions

  • auth: The attacker needs to have privileges to call the addAccountHeadAndDetail endpoint.
  • network: The vulnerability is remotely exploitable.

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)
