Springblade
by Chillzhuang
CVEs (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-36765 | | High | 0.57 | 8.8 | 0.00 | | Apr 30, 2026 | An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code via injecting a crafted payload. |
| CVE-2026-36764 | | Med | 0.33 | 5.0 | 0.00 | | Apr 30, 2026 | A Server-Side Request Forgery (SSRF) in the /ureport/datasource/testConnection endpoint of SpringBlade v4.8.0 allows authenticated attackers to scan internal resources via a crafted GET request. |
| CVE-2025-70982 | | | 0.00 | — | 0.00 | | Jan 26, 2026 | Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data. |
| CVE-2025-70983 | | | 0.00 | — | 0.00 | | Jan 23, 2026 | Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges. |
| CVE-2024-8023 | | | 0.00 | — | 0.01 | | Aug 20, 2024 | A vulnerability classified as critical has been found in chillzhuang SpringBlade 4.1.0. Affected is an unknown function of the file /api/blade-system/menu/list?updatexml. The manipulation leads to SQL injection. It is possible to launch the attack remotely. The exploit has been… |
| CVE-2024-33332 | | | 0.00 | — | 0.01 | | Apr 30, 2024 | An issue discovered in SpringBlade 3.7.1 allows attackers to obtain sensitive information via a crafted GET request to api/blade-system/tenant. |
| CVE-2023-47458 | | | 0.00 | — | 0.01 | | Jan 2, 2024 | An issue in SpringBlade v3.7.0 and before allows a remote attacker to escalate privileges via the lack of a permissions control framework. |
| CVE-2023-40788 | | | 0.00 | — | 0.01 | | Sep 18, 2023 | SpringBlade <=V3.6.0 is vulnerable to Incorrect Access Control due to incorrect configuration in the default gateway, resulting in unauthorized access to error logs. |
| CVE-2022-27360 | | | 0.00 | — | 0.02 | | May 5, 2022 | SpringBlade v3.2.0 and below was discovered to contain a SQL injection vulnerability via the component customSqlSegment. |
| CVE-2020-16165 | | | 0.00 | — | 0.01 | | Jul 30, 2020 | The DAO/DTO implementation in SpringBlade through 2.7.1 allows SQL Injection in an ORDER BY clause. This is related to the /api/blade-log/api/list ascs and desc parameters. |