VYPR · Vendor CVEs · jshERP

All CVEs (31 total · sorted by risk)
  • CVE-2024-24003 · Critical · Feb 8, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutMaterialCount() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload…

  • CVE-2024-24004 · Critical · Feb 7, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutDetail() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload to…

  • CVE-2024-24002 · Critical · Feb 7, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.MaterialController: com.jsh.erp.utils.BaseResponseInfo getListWithStock() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload to…

  • CVE-2024-24001 · Critical · Feb 7, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    jshERP v3.3 is vulnerable to SQL Injection via the com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findallocationDetail() function of jshERP, which allows an attacker to construct malicious payload to bypass jshERP's protection mechanism.

  • CVE-2024-24000 · Critical · Feb 6, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type, and the biz parameter can be spliced into the upload path, resulting in arbitrary file uploads with controllable paths.

  • CVE-2023-48894 · Medium · Nov 30, 2023
    risk 0.42 · cvss 6.5 · epss 0.01

    Incorrect Access Control vulnerability in jshERP V3.3 allows attackers to obtain sensitive information via the doFilter function.

  • CVE-2026-1546 · Medium · Jan 28, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A security vulnerability has been detected in jishenghua jshERP up to 3.6. The impacted element is the function getBillItemByParam of the file /jshERP-boot/depotItem/importItemExcel of the component com.jsh.erp.datasource.mappers.DepotItemMapperEx. The manipulation of the…

  • CVE-2025-8839 · Medium · Aug 11, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was found in jshERP up to 3.5. This issue affects some unknown processing of the file /jshERP-boot/user/addUser of the component Endpoint. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to…

  • CVE-2026-11467 · Medium · Jun 8, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    A security vulnerability has been detected in jishenghua jshERP up to 3.6. This vulnerability affects the function addAccountHeadAndDetail of the file jshERP-boot/src/main/java/com/jsh/erp/service/AccountHeadService.java of the component addAccountHeadAndDetail Endpoint. Such…

  • CVE-2025-8840 · Medium · Aug 11, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability was determined in jshERP up to 3.5. Affected is an unknown function of the file /jshERP-boot/user/deleteBatch of the component Endpoint. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The…

  • CVE-2025-7947 · Medium · Jul 22, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability classified as critical has been found in jshERP up to 3.5. Affected is an unknown function of the file /user/delete of the component Account Handler. The manipulation of the argument ID leads to improper authorization. It is possible to launch the attack…

  • CVE-2026-8320 · Medium · May 11, 2026
    risk 0.31 · cvss 4.7 · epss 0.00

    A security vulnerability has been detected in jishenghua jshERP up to 3.6. This affects the function getUserByWeixinCode of the file jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java of the component updatePlatformConfigByKey Endpoint. Such manipulation of the…

  • CVE-2025-7566 · Medium · Jul 14, 2025
    risk 0.31 · cvss 4.7 · epss 0.01

    A vulnerability has been found in jshERP up to 3.5 and classified as critical. This vulnerability affects the function exportExcelByParam of the file /src/main/java/com/jsh/erp/controller/SystemConfigController.java. The manipulation of the argument Title leads to path…

  • CVE-2026-1549 · Medium · Jan 28, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A vulnerability was identified in jishenghua jshERP up to 3.6. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/plugin/uploadPluginConfigFile of the component PluginController. Such manipulation of the argument configFile leads to path…

  • CVE-2025-7948 · Medium · Jul 22, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    A vulnerability classified as problematic was found in jshERP up to 3.5. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/user/updatePwd. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has…

  • CVE-2026-11469 · Medium · Jun 8, 2026
    risk 0.24 · cvss 4.7 · epss 0.00

    A flaw has been found in jishenghua jshERP up to 3.6. Impacted is the function insertPlatformConfig of the file jshERP-boot/src/main/java/com/jsh/erp/service/PlatformConfigService.java of the component platformConfig Add Endpoint. Executing a manipulation of the argument…

  • CVE-2026-1588 · Low · Jan 29, 2026
    risk 0.18 · cvss 2.7 · epss 0.01

    A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.operator.DefaultPluginOperator. The manipulation of the argument path results in…

  • CVE-2025-67341 · Dec 12, 2025
    risk 0.00 · cvss n/a · epss 0.00

    jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users.

  • CVE-2025-67344 · Dec 12, 2025
    risk 0.00 · cvss n/a · epss 0.00

    jshERP v3.5 and earlier is affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint.

  • CVE-2025-51743 · Nov 25, 2025
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks.

  • CVE-2025-51744 · Nov 25, 2025
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in jishenghua JSH_ERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks.

  • CVE-2025-51745 · Nov 25, 2025
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks.

  • CVE-2025-51746 · Nov 25, 2025
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks.

  • CVE-2025-51742 · Nov 25, 2025
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads.

  • CVE-2025-60800 · Oct 28, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request.

  • CVE-2025-60801 · Oct 24, 2025
    risk 0.00 · cvss n/a · epss 0.00

    jshERP up to commit fbda24da was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the jsh_erp function.

  • CVE-2025-55366 · Aug 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Incorrect access control in the component \controller\UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation attack.

  • CVE-2025-55371 · Aug 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList method.

  • CVE-2025-55370 · Aug 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value.

  • CVE-2025-55367 · Aug 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Incorrect access control in the component \controller\SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account.

  • CVE-2025-55368 · Aug 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account.