Xuxueli xxl-job CVE-2025-7788
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability has been found in Xuxueli xxl-job up to 3.1.1 and classified as critical. Affected by this vulnerability is the function commandJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\SampleXxlJob.java. The manipulation leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
OS command injection in Xuxueli xxl-job up to version 3.1.1 allows authenticated remote attackers to execute arbitrary operating system commands via the commandJobHandler function in SampleXxlJob.java. The vulnerability has a publicly available exploit and is rated critical by the discoverer, though the CVSS 4.0 score of 2.1 reflects limited scope (authenticated access required, low confidentiality/integrity/availability impact). With EPSS at 0.71% (72nd percentile), real-world exploitation probability is low despite public POC availability.
Technical Context (AI)
xxl-job is a distributed job scheduling platform written in Java. The vulnerability is in the commandJobHandler function of SampleXxlJob.java, the sample handler that processes job execution commands. CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')) indicates that user-supplied input reaches an OS command execution API (likely Runtime.exec() or ProcessBuilder in Java) without sanitization. The CPE data (cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*:*) indicates that all versions up to 3.1.1 are affected. Because the flaw sits in job handler logic, it is most likely triggered during scheduled job execution or job parameter submission.
Remediation (AI)
Upgrade Xuxueli xxl-job to a patched version above 3.1.1 once the vendor releases one; no confirmed fix version appears in the available data. As an interim control, restrict job submission and parameter editing to trusted administrators via the role-based access control (RBAC) of the xxl-job console; this removes the attack vector wherever job commands are not user-supplied. Additionally, add command injection defenses at the input layer: reject shell metacharacters (|, &, $, backticks, semicolons) during job parameter validation, or allowlist the permitted command patterns. Monitor the official GitHub repository (https://github.com/xuxueli/xxl-job) and issue #3750 for patch availability and workaround details. Trade-off: strict parameter validation may break legitimate dynamic job configurations, so prefer allowlisting known safe patterns over blocklisting.
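The allowlisting approach above, as an added example that is not xxl-job's own code: a hypothetical hardened handler maps the job parameter to a fixed table of permitted commands, validates at most one argument against a strict pattern, and invokes ProcessBuilder with an argv list rather than a shell. The command names and paths in the table are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical hardened job handler (added example, not xxl-job's own code).
// The job parameter is treated as data: it selects an allowlisted command and may
// carry one strictly validated argument. Nothing is ever handed to a shell.
public class SafeCommandJobHandler {

    // Allowlist of job names -> fixed argv prefixes. Names and paths are constructed
    // for this example; a real deployment maintains its own table.
    private static final Map<String, List<String>> ALLOWED = Map.of(
        "rotate-logs", List.of("/usr/local/bin/rotate-logs.sh"),
        "disk-usage",  List.of("/bin/df", "-h")
    );

    // Optional trailing argument: short, alphanumeric, no whitespace or metacharacters.
    private static final Pattern SAFE_ARG = Pattern.compile("^[A-Za-z0-9_.-]{1,64}$");

    /** Map a job parameter to an argv, or throw if any part of it is not allowlisted. */
    static List<String> buildCommand(String jobParam) {
        if (jobParam == null || jobParam.isBlank()) {
            throw new IllegalArgumentException("empty job parameter");
        }
        String[] parts = jobParam.trim().split("\\s+", 2);
        List<String> prefix = ALLOWED.get(parts[0]);
        if (prefix == null) {
            throw new IllegalArgumentException("command not allowlisted: " + parts[0]);
        }
        List<String> argv = new ArrayList<>(prefix);
        if (parts.length == 2) {
            if (!SAFE_ARG.matcher(parts[1]).matches()) {
                throw new IllegalArgumentException("rejected argument: " + parts[1]);
            }
            argv.add(parts[1]);
        }
        return argv;
    }

    /** Run the resolved argv directly (no "sh -c"), so a "|", ";" or "$" in the
     *  parameter is never interpreted; buildCommand rejects such input anyway. */
    static int run(String jobParam) throws Exception {
        Process p = new ProcessBuilder(buildCommand(jobParam)).redirectErrorStream(true).start();
        p.getInputStream().transferTo(System.out);
        return p.waitFor();
    }
}
```

buildCommand("rotate-logs nginx") resolves to [/usr/local/bin/rotate-logs.sh, nginx], while a parameter whose remainder contains whitespace or a metacharacter (for instance "disk-usage -h; id") is rejected before any process is started.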