VYPR

jshERP

by jshERP

CVEs (31)

  • CVE-2024-24003 | Critical | Feb 8, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutMaterialCount() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload…

  • CVE-2024-24004 | Critical | Feb 7, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutDetail() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload to…

  • CVE-2024-24002 | Critical | Feb 7, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.MaterialController: com.jsh.erp.utils.BaseResponseInfo getListWithStock() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload to…

  • CVE-2024-24001 | Critical | Feb 7, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    jshERP v3.3 is vulnerable to SQL Injection via the com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findallocationDetail() function of jshERP, which allows an attacker to construct a malicious payload to bypass jshERP's protection mechanism.

  • CVE-2024-24000 | Critical | Feb 6, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type, and the biz parameter can be spliced into the upload path, resulting in arbitrary file uploads with controllable paths.

  • CVE-2023-48894 | Medium | Nov 30, 2023
    risk 0.42 | cvss 6.5 | epss 0.01

    Incorrect Access Control vulnerability in jshERP V3.3 allows attackers to obtain sensitive information via the doFilter function.

  • CVE-2026-1546 | Medium | Jan 28, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    A security vulnerability has been detected in jishenghua jshERP up to 3.6. The impacted element is the function getBillItemByParam of the file /jshERP-boot/depotItem/importItemExcel of the component com.jsh.erp.datasource.mappers.DepotItemMapperEx. The manipulation of the…

  • CVE-2025-8839 | Medium | Aug 11, 2025
    risk 0.41 | cvss 6.3 | epss 0.00

    A vulnerability was found in jshERP up to 3.5. This issue affects some unknown processing of the file /jshERP-boot/user/addUser of the component Endpoint. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to…

  • CVE-2026-11467 | Medium | Jun 8, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    A security vulnerability has been detected in jishenghua jshERP up to 3.6. This vulnerability affects the function addAccountHeadAndDetail of the file jshERP-boot/src/main/java/com/jsh/erp/service/AccountHeadService.java of the component addAccountHeadAndDetail Endpoint. Such…

  • CVE-2025-8840 | Medium | Aug 11, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    A vulnerability was determined in jshERP up to 3.5. Affected is an unknown function of the file /jshERP-boot/user/deleteBatch of the component Endpoint. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The…

  • CVE-2025-7947 | Medium | Jul 22, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    A vulnerability classified as critical has been found in jshERP up to 3.5. Affected is an unknown function of the file /user/delete of the component Account Handler. The manipulation of the argument ID leads to improper authorization. It is possible to launch the attack…

  • CVE-2026-8320 | Medium | May 11, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    A security vulnerability has been detected in jishenghua jshERP up to 3.6. This affects the function getUserByWeixinCode of the file jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java of the component updatePlatformConfigByKey Endpoint. Such manipulation of the…

  • CVE-2025-7566 | Medium | Jul 14, 2025
    risk 0.31 | cvss 4.7 | epss 0.01

    A vulnerability has been found in jshERP up to 3.5 and classified as critical. This vulnerability affects the function exportExcelByParam of the file /src/main/java/com/jsh/erp/controller/SystemConfigController.java. The manipulation of the argument Title leads to path…

  • CVE-2026-1549 | Medium | Jan 28, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability was identified in jishenghua jshERP up to 3.6. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/plugin/uploadPluginConfigFile of the component PluginController. Such manipulation of the argument configFile leads to path…

  • CVE-2025-7948 | Medium | Jul 22, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability classified as problematic was found in jshERP up to 3.5. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/user/updatePwd. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has…

  • CVE-2026-11469 | Medium | Jun 8, 2026
    risk 0.24 | cvss 4.7 | epss 0.00

    A flaw has been found in jishenghua jshERP up to 3.6. Impacted is the function insertPlatformConfig of the file jshERP-boot/src/main/java/com/jsh/erp/service/PlatformConfigService.java of the component platformConfig Add Endpoint. Executing a manipulation of the argument…

  • CVE-2026-1588 | Low | Jan 29, 2026
    risk 0.18 | cvss 2.7 | epss 0.01

    A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.operator.DefaultPluginOperator. The manipulation of the argument path results in…

  • CVE-2025-67341 | Dec 12, 2025
    risk 0.00 | cvss n/a | epss 0.00

    jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users.

  • CVE-2025-67344 | Dec 12, 2025
    risk 0.00 | cvss n/a | epss 0.00

    jshERP v3.5 and earlier is affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint.

  • CVE-2025-51743 | Nov 25, 2025
    risk 0.00 | cvss n/a | epss 0.00

    An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks.

Page 1 of 2