Jeecg
All CVEs
73 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2024-48307 | 0.07 | — | 0.44 | Oct 31, 2024 | JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData. |
| CVE-2023-4450 | 0.07 | — | 0.11 | Aug 21, 2023 | A vulnerability was found in jeecgboot JimuReport up to 1.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Template Handler. The manipulation leads to injection. The attack can be launched remotely. The exploit… |
| CVE-2023-49442 | 0.04 | — | 0.39 | Jan 3, 2024 | Deserialization of Untrusted Data in jeecgFormDemoController in JEECG 4.0 and earlier allows attackers to run arbitrary code via a crafted POST request. |
| CVE-2020-23083 | 0.01 | — | 0.04 | May 3, 2021 | Unrestricted File Upload in JEECG v4.0 and earlier allows remote attackers to execute arbitrary code or gain privileges by uploading a crafted file to the component "jeecgFormDemoController.do?commonUpload". |
| CVE-2026-36418 | 0.00 | — | 0.00 | Jun 17, 2026 | JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing… |
| CVE-2026-2555 | 0.00 | — | 0.00 | Feb 16, 2026 | A weakness has been identified in JeecgBoot 3.9.1. This vulnerability affects the function importDocumentFromZip of the file org/jeecg/modules/airag/llm/controller/AiragKnowledgeController.java of the component Retrieval-Augmented Generation. Executing a manipulation can lead to… |
| CVE-2025-66913 | 0.00 | — | 0.01 | Jan 8, 2026 | JimuReport through version 2.1.3 is vulnerable to remote code execution when processing user-controlled H2 JDBC URLs. The application passes the attacker-supplied JDBC URL directly to the H2 driver, allowing the use of certain directives to execute arbitrary Java code. A different… |
| CVE-2025-15121 | 0.00 | — | 0.00 | Dec 28, 2025 | A vulnerability has been found in JeecgBoot up to 3.9.0. The affected element is the function getDeptRoleByUserId of the file /sys/sysDepartRole/getDeptRoleByUserId. Such manipulation of the argument departId leads to information disclosure. The vendor was contacted early about… |
| CVE-2025-61188 | 0.00 | — | 0.00 | Oct 1, 2025 | Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory specified by the web server. |
| CVE-2025-61189 | 0.00 | — | 0.00 | Oct 1, 2025 | Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. The endpoint is /sys/comment/addFile. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory… |
| CVE-2025-51825 | 0.00 | — | 0.00 | Aug 22, 2025 | JeecgBoot versions from 3.4.3 up to 3.8.0 were found to contain a SQL injection vulnerability in the /jeecg-boot/online/cgreport/head/parseSql endpoint, which allows bypassing SQL blacklist restrictions. |
| CVE-2025-8963 | 0.00 | — | 0.00 | Aug 14, 2025 | A vulnerability was determined in jeecgboot JimuReport up to 2.1.1. Affected by this issue is some unknown functionality of the file /drag/onlDragDataSource/testConnection of the component Data Large Screen Template. The manipulation leads to deserialization. The attack may be… |
| CVE-2025-4533 | 0.00 | — | 0.01 | May 11, 2025 | A vulnerability classified as problematic was found in JeecgBoot up to 3.8.0. This vulnerability affects the function unzipFile of the file /jeecg-boot/airag/knowledge/doc/import/zip of the component Document Library Upload. The manipulation of the argument File leads to… |
| CVE-2024-44893 | 0.00 | — | 0.01 | Sep 10, 2024 | An issue in the component /jeecg-boot/jmreport/dict/list of JimuReport v1.7.8 allows an attacker to escalate privileges via a crafted GET request. |
| CVE-2023-6307 | 0.00 | — | 0.01 | Nov 27, 2023 | A vulnerability classified as critical was found in jeecgboot JimuReport up to 1.6.1. Affected by this vulnerability is an unknown functionality of the file /download/image. The manipulation of the argument imageUrl leads to relative path traversal. The attack can be launched… |
| CVE-2023-40989 | 0.00 | — | 0.02 | Sep 22, 2023 | SQL injection vulnerability in jeecgboot jeecg-boot v3.0, 3.5.3 that allows a remote attacker to execute arbitrary code via a crafted request to the report/jeecgboot/jmreport/queryFieldBySql component. |
| CVE-2023-34603 | 0.00 | — | 0.01 | Jun 19, 2023 | JeecgBoot up to v3.5.1 was discovered to contain a SQL injection vulnerability via the component queryFilterTableDictInfo at org.jeecg.modules.api.controller.SystemApiController. |
| CVE-2022-45205 | 0.00 | — | 0.01 | Nov 25, 2022 | Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/dict/queryTableData. |
| CVE-2022-2647 | 0.00 | — | 0.01 | Aug 4, 2022 | A vulnerability was found in jeecg-boot. It has been declared as critical. This vulnerability affects unknown code of the file /api/. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the… |
| CVE-2022-22881 | 0.00 | — | 0.01 | Feb 16, 2022 | Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /sys/user/queryUserComponentData. |
| CVE-2021-46089 | 0.00 | — | 0.02 | Jan 25, 2022 | In JeecgBoot 3.0, there is a SQL injection vulnerability that can operate the database with root privileges. |
| CVE-2020-20948 | 0.00 | — | 0.01 | Dec 27, 2021 | An arbitrary file download vulnerability in jeecg v3.8 allows attackers to access sensitive files via modification of the "localPath" variable. |
| CVE-2020-28087 | 0.00 | — | 0.02 | Aug 6, 2021 | A SQL injection vulnerability in /jeecg-boot/sys/dict/loadtreedata of jeecg-boot CMS 2.3 allows attackers to access sensitive database information. |
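A reader of this listing usually wants two things from it: which entries apply to a given deployed version, and whether the named endpoints have been reached in web server access logs. The Python below is an added example that answers both from the table on this page; it is not code from Jeecg, JimuReport or the CVE publishers. The CVE IDs, endpoint paths and version bounds are transcribed from the descriptions above. The product labels, the access-log format, the constructed sample log lines and the rule that a description naming a single version ("v3.7.1 was discovered to contain") means that version and earlier are assumptions made for illustration.

```python
"""Triage helpers derived from the Jeecg / JimuReport CVE table above.

Added example; not code from Jeecg, JimuReport or the CVE publishers. CVE IDs,
endpoint paths and version bounds are transcribed from the table. Product
labels, log format, sample lines and the "single named version means that
version and earlier" rule are assumptions.
"""
import re

# (CVE, product, first affected, last affected, request-path fragment)
# None means the description does not state it. Where a description names a
# single version we ASSUME that version and earlier are affected; confirm
# against the vendor advisory before acting on it.
CVES = [
    ("CVE-2026-2555",  "jeecgboot",  None,    "3.9.1", None),  # importDocumentFromZip; path not given
    ("CVE-2025-15121", "jeecgboot",  None,    "3.9.0", "/sys/sysDepartRole/getDeptRoleByUserId"),
    ("CVE-2025-61188", "jeecgboot",  None,    "3.8.2", None),  # endpoint not given
    ("CVE-2025-61189", "jeecgboot",  None,    "3.8.2", "/sys/comment/addFile"),
    ("CVE-2025-51825", "jeecgboot",  "3.4.3", "3.8.0", "/online/cgreport/head/parseSql"),
    ("CVE-2025-4533",  "jeecgboot",  None,    "3.8.0", "/airag/knowledge/doc/import/zip"),
    ("CVE-2024-48307", "jeecgboot",  None,    "3.7.1", "/onlDragDatasetHead/getTotalData"),
    ("CVE-2023-40989", "jeecgboot",  None,    "3.5.3", "/jmreport/queryFieldBySql"),  # 3.0 and 3.5.3 named
    ("CVE-2023-34603", "jeecgboot",  None,    "3.5.1", None),  # queryFilterTableDictInfo; path not given
    ("CVE-2022-45205", "jeecgboot",  None,    "3.4.3", "/sys/dict/queryTableData"),
    ("CVE-2022-22881", "jeecgboot",  None,    "3.0",   "/sys/user/queryUserComponentData"),
    ("CVE-2021-46089", "jeecgboot",  None,    "3.0",   None),
    ("CVE-2022-2647",  "jeecgboot",  None,    None,    None),  # no version; "/api/" too generic to match
    ("CVE-2020-28087", "jeecgboot",  None,    "2.3",   "/sys/dict/loadtreedata"),
    ("CVE-2026-36418", "jimureport", None,    "2.3.4", "/jmreport/executeSelectApi"),
    ("CVE-2025-66913", "jimureport", None,    "2.1.3", None),  # H2 JDBC URL handling; path not given
    ("CVE-2025-8963",  "jimureport", None,    "2.1.1", "/drag/onlDragDataSource/testConnection"),
    ("CVE-2024-44893", "jimureport", None,    "1.7.8", "/jmreport/dict/list"),
    ("CVE-2023-6307",  "jimureport", None,    "1.6.1", "/download/image"),
    ("CVE-2023-4450",  "jimureport", None,    "1.6.0", None),  # Template Handler; path not given
    ("CVE-2023-49442", "jeecg",      None,    "4.0",   "jeecgFormDemoController"),
    ("CVE-2020-23083", "jeecg",      None,    "4.0",   "jeecgFormDemoController.do?commonUpload"),
    ("CVE-2020-20948", "jeecg",      None,    "3.8",   None),  # "localPath" parameter; path not given
]


def _vkey(v):
    """'3.8' -> (3, 8, 0): pad to three parts so '3.0' and '3.0.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def affecting(product, version):
    """CVE IDs whose stated range covers `version`, in table order. Entries with
    no stated upper bound are always returned because they cannot be ruled out."""
    v = _vkey(version)
    hits = []
    for cve, prod, first, last, _ in CVES:
        if prod != product.lower():
            continue
        if first is not None and v < _vkey(first):
            continue
        if last is not None and v > _vkey(last):
            continue
        hits.append(cve)
    return hits


# Request target from a combined-log-format line: "METHOD /target HTTP/x".
_REQ = re.compile(r'"(?:GET|POST|PUT|DELETE|PATCH)\s+(\S+)\s+HTTP/')


def scan_access_log(lines):
    """(CVE, request target) for each line whose target contains a listed endpoint.
    A hit means the endpoint was reached, not that the request was malicious."""
    findings = []
    for line in lines:
        m = _REQ.search(line)
        if not m:
            continue
        target = m.group(1)
        for cve, _, _, _, frag in CVES:
            if frag and frag in target:
                findings.append((cve, target))
    return findings


# Constructed sample lines in combined-log-format style; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2024:10:00:00 +0000] "POST /jeecg-boot/online/cgreport/head/parseSql HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Nov/2024:10:00:03 +0000] "GET /jeecg-boot/sys/dict/loadtreedata?tableName=sys_user HTTP/1.1" 200 88',
    '10.0.0.7 - - [01/Nov/2024:10:01:10 +0000] "GET /jeecg-boot/sys/user/list?pageNo=1 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Nov/2024:10:02:41 +0000] "POST /jeecg-boot/jmreport/executeSelectApi HTTP/1.1" 500 77',
]

if __name__ == "__main__":
    print("JeecgBoot 3.8.0 entries to review:", affecting("jeecgboot", "3.8.0"))
    for cve, target in scan_access_log(SAMPLE_LOG):
        print(cve, target)
```

Two caveats when using this. A hit from scan_access_log only shows that a listed endpoint was reached; whether the request carried a payload (SQL for parseSql or queryFieldBySql, an Aviator expression for executeSelectApi, a crafted JDBC URL for the H2 case) is in the request body, which an access log does not record, so confirm against application or WAF logs. The table entry with no stated version (CVE-2022-2647) is always returned by affecting(), so it has to be closed out by hand rather than silently dropped by a version comparison.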
Page 2 of 2