VYPR
Low severity 3.7 · NVD Advisory · Published Apr 28, 2026 · Updated Apr 29, 2026

CVE-2026-7303

Description

A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. It affects the function logDetailCat in the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. Manipulating the argument logId results in improper control of resource identifiers. The attack can be launched remotely, but its complexity is high and exploitation is considered difficult. The exploit has been released to the public and may be used for attacks. Upgrading the affected component to version 3.4.0 is recommended to address this issue. The patch is identified as d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.xuxueli:xxl-job-admin (Maven)
Affected versions: < 3.4.0
Patched versions: 3.4.0

Patches

d24e4ccd6073

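[Optimization] Scheduling log optimization: support viewing scheduling logs by executor; add a scheduling-log index to improve query efficiency;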

https://github.com/xuxueli/xxl-job · xuxueli · Mar 29, 2026 · via ghsa
4 files changed · +21 -32
  • doc/XXL-JOB官方文档.md  +3 -1 modified
    @@ -2794,7 +2794,9 @@ public void execute() {
     - 3、【调整】Docker基础镜像调整为eclipse-temurin;
     - 4、【优化】父POM依赖配置优化,移除容易配置;合并PR-3926;
     - 5、【升级】升级多项maven依赖至较新版本;
    -- 6、【TODO】调度中心OpenAPI完善,提供任务管理能力;封装Agent Skill并推送ClawHub;
    +- 6、【优化】调度日志优化:支持执行器维度查看调度日志;新增调度日志索引,提升查询效率;
    +(数据库新增索引脚本:``` create index I_jobgroup on xxl_job_log (job_group); ``` )
    +- 7、【TODO】调度中心OpenAPI完善,提供任务管理能力;封装Agent Skill并推送ClawHub;
     
     
     ### TODO LIST
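    Review bot: the new index exists only as an inline snippet in this changelog entry (`create index I_jobgroup on xxl_job_log (job_group);`), and none of the four files in this commit is a SQL schema or upgrade script. Existing deployments will not get the index unless an operator notices this line, so the `job_group` filter that the mapper now applies whenever `jobGroup` is positive can run unindexed after an upgrade. Ship the DDL in the schema/upgrade script as well, and move the snippet out of the list item so the numbered entries stay contiguous.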
    
  • xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java  +15 -27 modified
    @@ -62,6 +62,7 @@ public String index(HttpServletRequest request,
     						@RequestParam(value = "jobGroup", required = false, defaultValue = "0") Integer jobGroup,
     						@RequestParam(value = "jobId", required = false, defaultValue = "0") Integer jobId) {
     
    +		// 1、init JobGroupList
     		// find all jobGroup
     		List<XxlJobGroup> jobGroupListTotal =  xxlJobGroupMapper.findAll();
     
    @@ -70,44 +71,31 @@ public String index(HttpServletRequest request,
     		if (CollectionTool.isEmpty(jobGroupList)) {
     			throw new XxlJobException(I18nUtil.getString("jobgroup_empty"));
     		}
    +		List<Integer> jobGroupIds = jobGroupList.stream().map(XxlJobGroup::getId).toList();
     
    -		// parse jobGroup
    +		// 2、check jobId
     		if (jobId > 0) {
    -			// assign jobId (+ jobGroup)
    +			// valid jobId
     			XxlJobInfo jobInfo = xxlJobInfoMapper.loadById(jobId);
     			if (jobInfo == null) {
    -				// jobId not exist, inteceptor
     				throw new RuntimeException(I18nUtil.getString("jobinfo_field_id") + I18nUtil.getString("system_unvalid"));
     			}
    +			// valid jobGroup
     			jobGroup = jobInfo.getJobGroup();
    -		} else if (jobGroup > 0) {
    -			// assign jobGroup
    -			Integer finalJobGroup = jobGroup;
    -			if (CollectionTool.isEmpty(jobGroupListTotal.stream().filter(item -> item.getId() == finalJobGroup).toList())) {
    -				// jobGroup not exist, use first
    -				jobGroup = jobGroupList.get(0).getId();
    -			}
    -			jobId = 0;
    -		} else {
    -			// default first valid jobGroup
    -			jobGroup = jobGroupList.get(0).getId();
    -			jobId = 0;
     		}
     
    -		/*// valid permission
    -		JobGroupPermissionUtil.validJobGroupPermission(request, jobGroup);*/
    +		// 3、init jobGroup, default first 1
    +		if (!jobGroupIds.contains(jobGroup)) {
    +			jobGroup = jobGroupList.get(0).getId();
    +		}
     
    -		// find jobList
    +		// 4、init jobInfoList
     		List<XxlJobInfo> jobInfoList = xxlJobInfoMapper.getJobsByGroup(jobGroup);
    +		List<Integer> jobIds = jobInfoList.stream().map(XxlJobInfo::getId).toList();
     
    -		// parse jobId
    -		if (CollectionTool.isEmpty(jobInfoList)) {
    +		// 5、init JobId, default 0
    +		if (!jobIds.contains(jobId)) {
     			jobId = 0;
    -		} else {
    -			if (!jobInfoList.stream().map(XxlJobInfo::getId).toList().contains(jobId)) {
    -				// jobId not exist, use first
    -				jobId = jobInfoList.get(0).getId();
    -			}
     		}
     
     		// write
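    Review bot: in step 3, a `jobId` whose job belongs to a group outside `jobGroupList` is not rejected: `jobGroup` silently falls back to `jobGroupList.get(0).getId()` and step 5 then resets `jobId` to 0. With the commented-out `validJobGroupPermission` call removed, the `jobGroupIds.contains(jobGroup)` test is the only scoping check left in this method, and an out-of-scope id produces no error. Consider failing the request, as the `jobInfo == null` branch does, when `jobInfo.getJobGroup()` is not in `jobGroupIds`, and add a comment stating how `jobGroupList` is derived, since `jobGroupListTotal` is still in scope next to it.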
    @@ -133,9 +121,9 @@ public Response<PageModel<XxlJobLog>> pageList(HttpServletRequest request,
     		JobGroupPermissionUtil.validJobGroupPermission(request, jobGroup);
     
     		// valid jobId
    -		if (jobId < 1) {
    +		/*if (jobId < 1) {
     			return Response.ofFail(I18nUtil.getString("system_please_choose") + I18nUtil.getString("jobinfo_job"));
    -		}
    +		}*/
     
     		// parse param
     		Date triggerTimeStart = null;
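    Review bot: disabling the `jobId < 1` guard lets `jobId == 0` reach the query, so `validJobGroupPermission(request, jobGroup)` above is now the only scoping check for this endpoint. With the mapper conditions `<if test="jobGroup gt 0">` and `<if test="jobId gt 0">`, a request where both values are non-positive adds neither the group nor the job predicate; confirm that `validJobGroupPermission` rejects a non-positive `jobGroup`, or add an explicit check here. Delete the old guard rather than leaving it commented out.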
    
  • xxl-job-admin/src/main/resources/mapper/XxlJobLogMapper.xml  +2 -2 modified
    @@ -48,7 +48,7 @@
     		SELECT <include refid="Base_Column_List" />
     		FROM xxl_job_log AS t
     		<trim prefix="WHERE" prefixOverrides="AND | OR" >
    -			<if test="jobId==0 and jobGroup gt 0">
    +			<if test="jobGroup gt 0">
     				AND t.job_group = #{jobGroup}
     			</if>
     			<if test="jobId gt 0">
    @@ -82,7 +82,7 @@
     		SELECT count(1)
     		FROM xxl_job_log AS t
     		<trim prefix="WHERE" prefixOverrides="AND | OR" >
    -			<if test="jobId==0 and jobGroup gt 0">
    +			<if test="jobGroup gt 0">
     				AND t.job_group = #{jobGroup}
     			</if>
     			<if test="jobId gt 0">
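    Review bot: this `<if test="jobGroup gt 0">` change is a line-for-line copy of the one in the list query above, and the two WHERE blocks have to stay identical for the page count to match the rows returned. Extract the shared conditions into one `<sql>` fragment and `<include>` it from both statements, as is already done with `Base_Column_List`, so a later filter change cannot be applied to one query and missed in the other.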
    
  • xxl-job-admin/src/main/resources/templates/biz/log.list.ftl  +1 -2 modified
    @@ -37,12 +37,11 @@
     						<div class="input-group">
     							<span class="input-group-addon">${I18n.jobinfo_job}</span>
     							<select class="form-control" id="jobId" >
    +								<option value="0" >${I18n.system_all}</option>
     								<#if jobInfoList?size gt 0>
     									<#list jobInfoList as jobItem>
     										<option value="${jobItem.id}" >${jobItem.jobDesc}</option>
     									</#list>
    -								<#else>
    -									<option value="0" >${I18n.system_selected_nothing}</option>
     								</#if>
     							</select>
     						</div>
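    Review bot: the `<#if jobInfoList?size gt 0>` wrapper is redundant now that the `<#else>` branch is gone, because `<#list>` over an empty sequence emits nothing. Drop the `<#if>`/`</#if>` pair and keep only the `<#list>`. The fixed `value="0"` option also relies on the server treating 0 as "all jobs in the group", so keep it in step with the `jobId` default of 0 set in `JobLogController.index`.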
    
