
Xuxueli Xxl-Job vulnerabilities

27 known vulnerabilities affecting xuxueli/xxl-job.

Total CVEs: 27
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 2, HIGH 12, MEDIUM 11, LOW 2

Vulnerabilities

Page 1 of 2
CVE-2020-23814 | P2 | MEDIUM | CVSS 6.1 | Exploited | PoC | v2.2.0 | 2020-09-03
CVE-2020-23814 [MEDIUM] CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) AppName and (2) AddressList parameters in the JobGroupController.java file.
Source: nvd

CVE-2025-7788 | P2 | HIGH | CVSS 8.8 | ≤ 3.1.1 | v3.1.0, +1 more | 2025-07-18
CVE-2025-7788 [HIGH] CWE-77: A vulnerability has been found in Xuxueli xxl-job up to 3.1.1 and classified as critical. Affected by this vulnerability is the function commandJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\SampleXxlJob.java. The manipulation leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed
Source: nvd

CVE-2023-33779 | P3 | HIGH | CVSS 8.8 | v2.4.1 | 2023-05-26
CVE-2023-33779 [HIGH] CWE-863: A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows users to execute arbitrary commands on another user's account via a crafted POST request to the component /jobinfo/.
Source: nvd

CVE-2025-7787 | P3 | HIGH | CVSS 8.8 | ≤ 3.1.1 | v3.1.0, +1 more | 2025-07-18
CVE-2025-7787 [HIGH] CWE-918: A vulnerability, which was classified as critical, was found in Xuxueli xxl-job up to 3.1.1. Affected is the function httpJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\SampleXxlJob.java. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to th
Source: nvd

CVE-2022-40929 | P3 | CRITICAL | CVSS 9.8 | v2.2.0 | 2022-09-28
CVE-2022-40929 [CRITICAL] CWE-78: XXL-JOB 2.2.0 has a command execution vulnerability in background tasks. NOTE: this is disputed because the issues/4929 report is about an intended and supported use case (running arbitrary Bash scripts on behalf of users).
Source: nvd

CVE-2024-3366 | P3 | CRITICAL | CVSS 9.8 | fixed in 2.4.1 | v2.4.0, +1 more | 2024-04-06
CVE-2024-3366 [CRITICAL] CWE-74: A vulnerability classified as problematic was found in Xuxueli xxl-job up to 2.4.1. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the component Template Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The identifier of this vul
Source: nvd

CVE-2023-48089 | P3 | HIGH | CVSS 8.8 | v2.4.0 | 2023-11-15
CVE-2023-48089 [HIGH]: xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution (RCE) via /xxl-job-admin/jobcode/save.
Source: nvd

CVE-2024-42681 | P3 | HIGH | CVSS 8.8 | v2.4.1 | 2024-08-15
CVE-2024-42681 [HIGH] CWE-276: Insecure Permissions vulnerability in xxl-job v2.4.1 allows a remote attacker to execute arbitrary code via the Sub-Task ID component.
Source: nvd

CVE-2022-36157 | P3 | HIGH | CVSS 8.8 | ≤ 2.3.1 | 2022-08-19
CVE-2022-36157 [HIGH] CWE-269: XXL-JOB all versions as of 11 July 2022 are vulnerable to Insecure Permissions, resulting in the ability to execute admin functions with a low-privilege account.
Source: nvd

CVE-2024-24113 | P3 | HIGH | CVSS 8.8 | ≤ 2.4.1 | 2024-02-08
CVE-2024-24113 [HIGH] CWE-918: xxl-job <= 2.4.1 has a Server-Side Request Forgery (SSRF) vulnerability, which allows low-privileged users to control the executor and achieve RCE.
Source: nvd

CVE-2022-43183 | P3 | HIGH | CVSS 8.8 | ≤ 2.3.1 | 2022-11-17
CVE-2022-43183 [HIGH] CWE-918: XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java.
Source: nvd

CVE-2026-3733 | P3 | MEDIUM | CVSS 6.3 | v3.3.0 | v3.3.1, +1 more | 2026-03-08
CVE-2026-3733 [MEDIUM] CWE-918: A vulnerability was detected in xuxueli xxl-job up to 3.3.2. This impacts an unknown function of the file source-code/src/main/java/com/xxl/job/admin/controller/JobInfoController.java. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. The exploit is now public and may be used. The project maintainer
Source: nvd

CVE-2020-24922 | P3 | HIGH | CVSS 8.8 | v2.2.0 | 2023-08-11
CVE-2020-24922 [HIGH] CWE-352: Cross Site Request Forgery (CSRF) vulnerability in xxl-job-admin/user/add in xuxueli xxl-job version 2.2.0 allows remote attackers to execute arbitrary code and escalate privileges via a crafted .html file.
Source: nvd

CVE-2026-7305 | P3 | MEDIUM | CVSS 6.3 | v3.3.0 | v3.3.1, +1 more | 2026-04-28
CVE-2026-7305 [MEDIUM] CWE-918: A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the a
Source: nvd

CVE-2020-23811 | P3 | HIGH | CVSS 7.5 | v2.2.0 | 2020-09-03
CVE-2020-23811 [HIGH]: xxl-job 2.2.0 allows Information Disclosure of username, model, and password via job/admin/controller/UserController.java.
Source: nvd

CVE-2023-27087 | P3 | HIGH | CVSS 7.5 | v2.2.0 | v2.3.0, +1 more | 2023-03-21
CVE-2023-27087 [HIGH] CWE-280: Permissions vulnerability found in Xuxueli xxl-job v2.2.0, v2.3.0 and v2.3.1 allows an attacker to obtain sensitive information via the pageList parameter.
Source: nvd

CVE-2022-29002 | P3 | HIGH | CVSS 8.8 | v2.3.0 | 2022-05-23
CVE-2022-29002 [HIGH] CWE-352: A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add.
Source: nvd

CVE-2026-7306 | P3 | MEDIUM | CVSS 5.6 | v3.3.0 | v3.3.1, +1 more | 2026-04-28
CVE-2026-7306 [MEDIUM] CWE-320: A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of a hard-coded cryptographic key. It is
Source: nvd

CVE-2023-0674 | P4 | MEDIUM | CVSS 6.5 | v2.3.1 | 2023-02-04
CVE-2023-0674 [MEDIUM] CWE-352: A vulnerability, which was classified as problematic, has been found in XXL-JOB 2.3.1. Affected by this issue is some unknown functionality of the file /user/updatePwd of the component New Password Handler. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be
Source: nvd

CVE-2025-9264 | P4 | MEDIUM | CVSS 5.4 | ≤ 3.1.1 | v3.1.0, +1 more | 2025-08-21
CVE-2025-9264 [MEDIUM] CWE-99: A vulnerability was found in Xuxueli xxl-job up to 3.1.1. Affected by this issue is the function remove of the file /src/main/java/com/xxl/job/admin/controller/JobInfoController.java of the component Jobs Handler. Performing manipulation of the argument ID results in improper control of resource identifiers. Remote exploitation of the attack is possibl
Source: nvd