Jeecg Boot vulnerabilities
56 known vulnerabilities affecting jeecg/jeecg_boot.
Total CVEs
56
CISA KEV
0
Public exploits
4
Exploited in wild
3
Severity breakdown
CRITICAL20HIGH11MEDIUM19LOW6
Vulnerabilities
Page 2 of 3
CVE-2023-42268P3CRITICALCVSS 9.8≤ 3.5.32023-09-08
CVE-2023-42268 [CRITICAL] CWE-89 CVE-2023-42268: Jeecg boot up to v3.5.3 was discovered to contain a SQL injection vulnerability via the component /j
Jeecg boot up to v3.5.3 was discovered to contain a SQL injection vulnerability via the component /jeecg-boot/jmreport/show.
nvd
CVE-2025-15126P3HIGHCVSS 7.5≤ 3.9.02025-12-28
CVE-2025-15126 [HIGH] CWE-266 CVE-2025-15126: A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this vulnerability is the funct
A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this vulnerability is the function getPositionUserList of the file /sys/position/getPositionUserList. This manipulation of the argument positionId causes improper authorization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation appears
nvd
CVE-2025-14908P3HIGHCVSS 8.1≤ 3.9.02025-12-19
CVE-2025-14908 [HIGH] CWE-287 CVE-2025-14908: A security flaw has been discovered in JeecgBoot up to 3.9.0. The affected element is an unknown fun
A security flaw has been discovered in JeecgBoot up to 3.9.0. The affected element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java of the component Multi-Tenant Management Module. Performing manipulation of the argument ID results in improper
nvd
CVE-2022-47105P3CRITICALCVSS 9.8v3.4.42023-01-19
CVE-2022-47105 [CRITICAL] CWE-89 CVE-2022-47105: Jeecg-boot v3.4.4 was discovered to contain a SQL injection vulnerability via the component /sys/dic
Jeecg-boot v3.4.4 was discovered to contain a SQL injection vulnerability via the component /sys/dict/queryTableData.
nvd
CVE-2022-45207P3CRITICALCVSS 9.8v3.4.32022-11-25
CVE-2022-45207 [CRITICAL] CWE-89 CVE-2022-45207: Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component updateNu
Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component updateNullByEmptyString.
nvd
CVE-2026-2555P3HIGHCVSS 7.5v3.9.12026-02-16
CVE-2026-2555 [HIGH] CWE-20 CVE-2026-2555: A weakness has been identified in JeecgBoot 3.9.1. This vulnerability affects the function importDoc
A weakness has been identified in JeecgBoot 3.9.1. This vulnerability affects the function importDocumentFromZip of the file org/jeecg/modules/airag/llm/controller/AiragKnowledgeController.java of the component Retrieval-Augmented Generation. Executing a manipulation can lead to deserialization. The attack can be launched remotely. Attacks of this nature
nvd
CVE-2025-14909P3HIGHCVSS 8.1≤ 3.9.02025-12-19
CVE-2025-14909 [HIGH] CWE-1018 CVE-2025-14909: A weakness has been identified in JeecgBoot up to 3.9.0. The impacted element is the function SysUse
A weakness has been identified in JeecgBoot up to 3.9.0. The impacted element is the function SysUserOnlineController of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserOnlineController.java. Executing manipulation can lead to manage user sessions. The attack can be launched remotely.
nvd
CVE-2022-45206P3CRITICALCVSS 9.8v3.4.32022-11-25
CVE-2022-45206 [CRITICAL] CWE-89 CVE-2022-45206: Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/dup
Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/duplicate/check.
nvd
CVE-2020-28087P3HIGHCVSS 7.5v2.32021-08-06
CVE-2020-28087 [HIGH] CWE-89 CVE-2020-28087: A SQL injection vulnerability in /jeecg boot/sys/dict/loadtreedata of jeecg-boot CMS 2.3 allows atta
A SQL injection vulnerability in /jeecg boot/sys/dict/loadtreedata of jeecg-boot CMS 2.3 allows attackers to access sensitive database information.
nvd
CVE-2025-4533P3HIGHCVSS 7.5≤ 3.8.02025-05-11
CVE-2025-4533 [HIGH] CWE-400 CVE-2025-4533: A vulnerability classified as problematic was found in JeecgBoot up to 3.8.0. This vulnerability aff
A vulnerability classified as problematic was found in JeecgBoot up to 3.8.0. This vulnerability affects the function unzipFile of the file /jeecg-boot/airag/knowledge/doc/import/zip of the component Document Library Upload. The manipulation of the argument File leads to resource consumption. The attack can be initiated remotely. The exploit has been di
nvd
CVE-2025-10980P3MEDIUMCVSS 6.5≤ 3.8.22025-09-26
CVE-2025-10980 [MEDIUM] CWE-266 CVE-2025-10980: A security vulnerability has been detected in JeecgBoot up to 3.8.2. This affects an unknown functio
A security vulnerability has been detected in JeecgBoot up to 3.8.2. This affects an unknown function of the file /sys/position/exportXls. Such manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but d
nvd
CVE-2025-10981P3MEDIUMCVSS 6.5≤ 3.8.22025-09-26
CVE-2025-10981 [MEDIUM] CWE-266 CVE-2025-10981: A vulnerability was detected in JeecgBoot up to 3.8.2. This impacts an unknown function of the file
A vulnerability was detected in JeecgBoot up to 3.8.2. This impacts an unknown function of the file /sys/tenant/exportXls. Performing manipulation results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
nvd
CVE-2023-34660P3MEDIUMCVSS 6.5v3.5.0v3.5.12023-06-16
CVE-2023-34660 [MEDIUM] CWE-434 CVE-2023-34660: jjeecg-boot V3.5.0 has an unauthorized arbitrary file upload in /jeecg-boot/jmreport/upload interfac
jjeecg-boot V3.5.0 has an unauthorized arbitrary file upload in /jeecg-boot/jmreport/upload interface.
nvd
CVE-2025-10979P3MEDIUMCVSS 6.5≤ 3.8.22025-09-25
CVE-2025-10979 [MEDIUM] CWE-266 CVE-2025-10979: A weakness has been identified in JeecgBoot up to 3.8.2. The impacted element is an unknown function
A weakness has been identified in JeecgBoot up to 3.8.2. The impacted element is an unknown function of the file /sys/role/exportXls. This manipulation causes improper authorization. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disc
nvd
CVE-2026-2945P3MEDIUMCVSS 6.5v3.9.02026-02-22
CVE-2026-2945 [MEDIUM] CWE-918 CVE-2026-2945: A weakness has been identified in JeecgBoot 3.9.0. Affected by this vulnerability is an unknown func
A weakness has been identified in JeecgBoot 3.9.0. Affected by this vulnerability is an unknown functionality of the file /sys/common/uploadImgByHttp. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. The attack may be launched remotely. The exploit has been made available to the public and could be used for att
nvd
CVE-2023-41578P3HIGHCVSS 7.5≤ 3.5.32023-09-08
CVE-2023-41578 [HIGH] CWE-22 CVE-2023-41578: Jeecg boot up to v3.5.3 was discovered to contain an arbitrary file read vulnerability via the inter
Jeecg boot up to v3.5.3 was discovered to contain an arbitrary file read vulnerability via the interface /testConnection.
nvd
CVE-2025-10978P3MEDIUMCVSS 6.5≤ 3.8.22025-09-25
CVE-2025-10978 [MEDIUM] CWE-266 CVE-2025-10978: A security flaw has been discovered in JeecgBoot up to 3.8.2. The affected element is an unknown fun
A security flaw has been discovered in JeecgBoot up to 3.8.2. The affected element is an unknown function of the file /sys/user/exportXls of the component Filter Handler. The manipulation results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contac
nvd
CVE-2025-10319P3MEDIUMCVSS 6.5≤ 3.8.22025-09-12
CVE-2025-10319 [MEDIUM] CWE-266 CVE-2025-10319: A security flaw has been discovered in JeecgBoot up to 3.8.2. Affected by this issue is some unknown
A security flaw has been discovered in JeecgBoot up to 3.8.2. Affected by this issue is some unknown functionality of the file /sys/tenant/exportLog of the component Tenant Log Export. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor
nvd
CVE-2025-61189P3MEDIUMCVSS 6.3≤ 3.8.22025-10-01
CVE-2025-61189 [MEDIUM] CWE-24 CVE-2025-61189: Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. The endpoint is
Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. The endpoint is /sys/comment/addFile. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory specified by the web server.
nvd
CVE-2025-61188P3MEDIUMCVSS 6.3≤ 3.8.22025-10-01
CVE-2025-61188 [MEDIUM] CWE-24 CVE-2025-61188: Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. This vulnerabil
Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory specified by the web server.
nvd