CRITICAL🇵🇱 Wersja polska

CVE-2024-43028

CVSS 9.8v3.1pub. 2026-04-01upd. 2026-04-06

A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 allows attackers to execute arbitrary code via a crafted HTTP request.

🤖 AI Analysis
How it works

The vulnerability is located in the /jmreport/show endpoint accessible over the network. An attacker can send a crafted HTTP request containing a malicious payload that is passed to the system command interpreter without proper validation or sanitization of input data (CWE-77 — improper neutralization of special elements used in a command). As a result, arbitrary system commands are executed with the privileges of the application process.

Impact

An attacker without any authentication can remotely execute arbitrary code on the server, leading to complete system takeover, data breach, and the ability to disrupt application functionality.

Mitigation & patch

Apply patches available from the vendor according to the references. Urgent update to a version newer than v3.5.3 is recommended, and until the update is applied, restrict access to the /jmreport/show endpoint at the firewall or reverse proxy level, especially for unauthenticated users.

Who is affected

Jeecg Boot versions from v3.0.0 to v3.5.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Jeecg Boot

    APP
    Jeecg
    3.0 – 3.5.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-40489CRITICAL9.8PL ✓ten sam produkt

Injection/RCE w Jeecg Boot 3.0.0–3.5.3 przez niedostateczne filtrowanie znaków

CVE-2024-48307CRITICAL9.8PL ✓ten sam produkt

SQL Injection w JeecgBoot przez endpoint getTotalData

CVE-2023-41543CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Jeecg Boot — eskalacja uprawnień i wyciek danych

CVE-2023-41542CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Jeecg Boot — eskalacja uprawnień i wyciek danych

CVE-2023-41544CRITICAL9.8PL ✓ten sam produkt

RCE poprzez SSTI injection w Jeecg Boot — komponent /jmreport/loadTableData