CVE-2026-7305
Published 2026-04-28

Priority: P3 (40) · CVSS 3.1: 6.3 medium · vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.21% (11.1th percentile)
A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): "Triggers are manually activated and involve login and access control, thus requiring management." The pull request by the researcher got rejected because of that.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xuxueli | xxl-job | — | — |
| xuxueli | xxl-job | — | — |
| xuxueli | xxl-job | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| NVD | 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
GHSA

GHSA-j6qx-2x9m-x936 · ghsa_unreviewed · 2026-04-29
CVE-2026-7305 [MEDIUM] CWE-918
The GHSA description is identical to the CVE description above.
VulDB

Xuxueli xxl-job up to 3.3.2 trigger Endpoint XxlJobServiceImpl.java triggerJob addressList server-side request forgery (Issue 3935)
vuldb · 2026-04-28 · CVE-2026-7305 [CRITICAL]
A vulnerability was found in Xuxueli xxl-job up to 3.3.2. It has been classified as critical. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery.
The identification of this vulnerability is CVE-2026-7305. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
There is ongoing doubt regarding the real existence of this vulnerability.
The project maintainer explains (translated from Chinese): "Triggers are manually activated and involve login and access control, thus requiring management." The pull request by the researcher got rejected because of that.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-28