VYPR
Vendor

Jumpserver

Products
1
CVEs
26
Across products
26
Status
Private

Products

1

Recent CVEs

26
View all 26 CVEs →
  • CVE-2024-29202Mar 29, 2024
    risk 0.06cvss epss 0.06

    JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with…

  • CVE-2024-29201Mar 29, 2024
    risk 0.05cvss epss 0.06

    JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can bypass the input validation mechanism in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root…

  • CVE-2023-42442Sep 15, 2023
    risk 0.04cvss epss 0.56

    JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud…

  • CVE-2024-24763Feb 20, 2024
    risk 0.02cvss epss 0.01

    JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to version 3.10.0, attackers can exploit this vulnerability to construct malicious links, leading users to click on them, thereby facilitating phishing attacks or cross-site…

  • CVE-2026-31864Mar 13, 2026
    risk 0.00cvss epss 0.00

    JumpServer is an open source bastion host and an operation and maintenance security audit system. a Server-Side Template Injection (SSTI) vulnerability exists in JumpServer's Applet and VirtualApp upload functionality. This vulnerability can only be exploited by users with…

  • CVE-2026-31798Mar 13, 2026
    risk 0.00cvss epss 0.00

    JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept…

  • CVE-2025-58044Dec 1, 2025
    risk 0.00cvss epss 0.00

    JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, The /core/i18n// endpoint uses the Referer header as the redirection target without proper validation, which could lead to an Open Redirect…

  • CVE-2025-62795Oct 30, 2025
    risk 0.00cvss epss 0.00

    JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the…

  • CVE-2025-62712Oct 30, 2025
    risk 0.00cvss epss 0.00

    JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection…

  • CVE-2025-27095Mar 31, 2025
    risk 0.00cvss epss 0.00

    JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to 4.8.0 and 3.10.18, an attacker with a low-privileged account can access the Kubernetes session feature and manipulate the kubeconfig file to redirect API requests to an…

  • CVE-2024-40628Jul 18, 2024
    risk 0.00cvss epss 0.01

    JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the ansible playbook to read arbitrary…

  • CVE-2024-40629Jul 18, 2024
    risk 0.00cvss epss 0.01

    JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the Ansible playbook to write…

  • CVE-2024-29020Mar 29, 2024
    risk 0.00cvss epss 0.00

    JumpServer is an open source bastion host and an operation and maintenance security audit system. An authorized attacker can obtain sensitive information contained within playbook files if they manage to learn the playbook_id of another user. This breach of confidentiality can…

  • CVE-2024-29024Mar 29, 2024
    risk 0.00cvss epss 0.00

    JumpServer is an open source bastion host and an operation and maintenance security audit system. An authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability in the file manager's bulk transfer by manipulating job IDs to upload malicious files, …

  • CVE-2023-48193Nov 28, 2023
    risk 0.00cvss epss 0.02

    Insecure Permissions vulnerability in JumpServer GPLv3 v.3.8.0 allows a remote attacker to execute arbitrary code via bypassing the command filtering function. NOTE: this is disputed because command filtering is not intended to restrict what code can be run by authorized users…

  • CVE-2023-46138Oct 30, 2023
    risk 0.00cvss epss 0.00

    JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email for initial user admin is `admin[@]mycompany[.]com`, and users reset their passwords by sending an email. Currently,…

  • CVE-2023-46123Oct 25, 2023
    risk 0.00cvss epss 0.01

    jumpserver is an open source bastion machine, professional operation and maintenance security audit system that complies with 4A specifications. A flaw in the Core API allows attackers to bypass password brute-force protections by spoofing arbitrary IP addresses. By exploiting…

  • CVE-2023-42818Sep 27, 2023
    risk 0.00cvss epss 0.01

    JumpServer is an open source bastion host. When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker could exploit a vulnerability by utilizing a disclosed public key to attempt brute-force…

  • CVE-2023-43651Sep 27, 2023
    risk 0.00cvss epss 0.02

    JumpServer is an open source bastion host. An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the system. Through the WEB…

  • CVE-2023-43650Sep 27, 2023
    risk 0.00cvss epss 0.01

    JumpServer is an open source bastion host. The verification code for resetting user's password is vulnerable to brute-force attacks due to the absence of rate limiting. JumpServer provides a feature allowing users to reset forgotten passwords. Affected users are sent a 6-digit…