CVE-2026-36418
Published 2026-06-17
CVE-2026-36418: JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi…
Priority P2 · 65 · critical · 9.1 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.47% (37.2th percentile)
JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation, allowing attackers to execute arbitrary code.
CVSS provenance
nvd · v3.1 · 9.1 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvelistv5 · v3.1 · 9.1 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVEList
cvelistv5 · 2026-06-17 · CVSS 9.1 · CRITICAL
GHSA
ghsa_unreviewed · 2026-06-17 · CRITICAL · CWE-94
VulDB
vuldb · 2026-06-17 · CRITICAL
jeecgboot JimuReport up to 2.3.4 Aviator executeSelectApi privilege escalation
A vulnerability was found in jeecgboot JimuReport up to 2.3.4. It has been rated as critical. The impacted element is an unknown function of the file /jmreport/executeSelectApi of the component Aviator Handler. The manipulation leads to privilege escalation.
This vulnerability is documented as CVE-2026-36418. The attack can be initiated remotely. No exploit is available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-17