Jeecg

All CVEs

73 total · sorted by risk
  • CVE-2024-48307 · Oct 31, 2024
    risk 0.07 · cvss · epss 0.44

    JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData.

  • CVE-2023-4450 · Aug 21, 2023
    risk 0.07 · cvss · epss 0.11

    A vulnerability was found in jeecgboot JimuReport up to 1.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Template Handler. The manipulation leads to injection. The attack can be launched remotely. The exploit…

  • CVE-2023-49442 · Jan 3, 2024
    risk 0.04 · cvss · epss 0.39

    Deserialization of Untrusted Data in jeecgFormDemoController in JEECG 4.0 and earlier allows attackers to run arbitrary code via a crafted POST request.

  • CVE-2020-23083 · May 3, 2021
    risk 0.01 · cvss · epss 0.04

    Unrestricted File Upload in JEECG v4.0 and earlier allows remote attackers to execute arbitrary code or gain privileges by uploading a crafted file to the component "jeecgFormDemoController.do?commonUpload".

  • CVE-2026-36418 · Jun 17, 2026
    risk 0.00 · cvss · epss 0.00

    JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing…

  • CVE-2026-2555 · Feb 16, 2026
    risk 0.00 · cvss · epss 0.00

    A weakness has been identified in JeecgBoot 3.9.1. This vulnerability affects the function importDocumentFromZip of the file org/jeecg/modules/airag/llm/controller/AiragKnowledgeController.java of the component Retrieval-Augmented Generation. Executing a manipulation can lead to…

  • CVE-2025-66913 · Jan 8, 2026
    risk 0.00 · cvss · epss 0.01

    JimuReport thru version 2.1.3 is vulnerable to remote code execution when processing user-controlled H2 JDBC URLs. The application passes the attacker-supplied JDBC URL directly to the H2 driver, allowing the use of certain directives to execute arbitrary Java code. A different…

  • CVE-2025-15121 · Dec 28, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability has been found in JeecgBoot up to 3.9.0. The affected element is the function getDeptRoleByUserId of the file /sys/sysDepartRole/getDeptRoleByUserId. Such manipulation of the argument departId leads to information disclosure. The vendor was contacted early about…

  • CVE-2025-61188 · Oct 1, 2025
    risk 0.00 · cvss · epss 0.00

    Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory specified by the web server.

  • CVE-2025-61189 · Oct 1, 2025
    risk 0.00 · cvss · epss 0.00

    Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. The endpoint is /sys/comment/addFile. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory…

  • CVE-2025-51825 · Aug 22, 2025
    risk 0.00 · cvss · epss 0.00

    JeecgBoot versions from 3.4.3 up to 3.8.0 were found to contain a SQL injection vulnerability in the /jeecg-boot/online/cgreport/head/parseSql endpoint, which allows bypassing SQL blacklist restrictions.

  • CVE-2025-8963 · Aug 14, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability was determined in jeecgboot JimuReport up to 2.1.1. Affected by this issue is some unknown functionality of the file /drag/onlDragDataSource/testConnection of the component Data Large Screen Template. The manipulation leads to deserialization. The attack may be…

  • CVE-2025-4533 · May 11, 2025
    risk 0.00 · cvss · epss 0.01

    A vulnerability classified as problematic was found in JeecgBoot up to 3.8.0. This vulnerability affects the function unzipFile of the file /jeecg-boot/airag/knowledge/doc/import/zip of the component Document Library Upload. The manipulation of the argument File leads to…

  • CVE-2024-44893 · Sep 10, 2024
    risk 0.00 · cvss · epss 0.01

    An issue in the component /jeecg-boot/jmreport/dict/list of JimuReport v1.7.8 allows an attacker to escalate privileges via a crafted GET request.

  • CVE-2023-6307 · Nov 27, 2023
    risk 0.00 · cvss · epss 0.01

    A vulnerability classified as critical was found in jeecgboot JimuReport up to 1.6.1. Affected by this vulnerability is an unknown functionality of the file /download/image. The manipulation of the argument imageUrl leads to relative path traversal. The attack can be launched…

  • CVE-2023-40989 · Sep 22, 2023
    risk 0.00 · cvss · epss 0.02

    SQL injection vulnerability in jeecgboot jeecg-boot v 3.0, 3.5.3 allows a remote attacker to execute arbitrary code via a crafted request to the report/jeecgboot/jmreport/queryFieldBySql component.

  • CVE-2023-34603 · Jun 19, 2023
    risk 0.00 · cvss · epss 0.01

    JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryFilterTableDictInfo at org.jeecg.modules.api.controller.SystemApiController.

  • CVE-2022-45205 · Nov 25, 2022
    risk 0.00 · cvss · epss 0.01

    Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/dict/queryTableData.

  • CVE-2022-2647 · Aug 4, 2022
    risk 0.00 · cvss · epss 0.01

    A vulnerability was found in jeecg-boot. It has been declared as critical. This vulnerability affects unknown code of the file /api/. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the…

  • CVE-2022-22881 · Feb 16, 2022
    risk 0.00 · cvss · epss 0.01

    Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /sys/user/queryUserComponentData.

  • CVE-2021-46089 · Jan 25, 2022
    risk 0.00 · cvss · epss 0.02

    In JeecgBoot 3.0, there is a SQL injection vulnerability that can operate the database with root privileges.

  • CVE-2020-20948 · Dec 27, 2021
    risk 0.00 · cvss · epss 0.01

    An arbitrary file download vulnerability in jeecg v3.8 allows attackers to access sensitive files via modification of the "localPath" variable.

  • CVE-2020-28087 · Aug 6, 2021
    risk 0.00 · cvss · epss 0.02

    A SQL injection vulnerability in /jeecg boot/sys/dict/loadtreedata of jeecg-boot CMS 2.3 allows attackers to access sensitive database information.

Page 2 of 2