CVE-2025-9264
Published 2025-08-21. CVE-2025-9264: A vulnerability was found in Xuxueli xxl-job up to 3.1.1. Affected by this issue is the function remove of the file…
Priority: P4 (31) · medium · 5.4 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:L / A:L
EPSS: 0.31% (23.1 percentile)
A vulnerability was found in Xuxueli xxl-job up to 3.1.1. Affected by this issue is the function remove of the file /src/main/java/com/xxl/job/admin/controller/JobInfoController.java of the component Jobs Handler. Performing manipulation of the argument ID results in improper control of resource identifiers. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xuxueli | xxl-job | <= 3.1.1 | — |
| xuxueli | xxl-job | — | — |
| xuxueli | xxl-job | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:P |
GHSA (ghsa, 2025-08-21)
CVE-2025-9264 [LOW] CWE-639: xxl-job Jobs Handler remove function allows improper control of resource identifiers via ID parameter
Description: identical to the summary above.
GHSA (ghsa_unreviewed, 2025-08-21)
CVE-2025-9264 [MEDIUM] CWE-639 GHSA-gjx6-h8hm-c9rq: A vulnerability was found in Xuxueli xxl-job up to 3.1.1
Description: identical to the summary above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-08-21