JeeSite
CVE-2025-7864
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in thinkgem JeeSite up to 5.12.0. It has been classified as critical. This affects the function Upload of the file src/main/java/com/jeesite/modules/file/web/FileUploadController.java. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 3585737d21fe490ff6948d913fcbd8d99c41fc08. It is recommended to apply a patch to fix this issue.
Analysis (AI)
Unrestricted file upload in JeeSite up to version 5.12.0 lets a remote attacker with low-privileged (authenticated, PR:L) access upload arbitrary files through FileUploadController. Depending on where the file lands and how it is later served, this can escalate to remote code execution (for example a JSP dropped where the servlet container compiles it) or to disclosure of data the attacker should not reach. A proof of concept has been published. The CNA text classifies the issue as critical while the NVD CVSS 4.0 score is 2.1 (LOW): the vector assumes an authenticated attacker, limited confidentiality, integrity and availability impact, and proof-of-concept exploit maturity (E:P), and so understates the practical severity of an unrestricted upload in a web application, where one successful upload can be the entire foothold.
Technical Context (AI)
The flaw is in the Upload function of FileUploadController (src/main/java/com/jeesite/modules/file/web/FileUploadController.java), the upload handler of JeeSite, a Java web application framework. The CVE record maps it to CWE-284 (Improper Access Control): the handler does not adequately restrict the type, content, name or destination of what is uploaded, so an attacker can place files the application never intended to accept, such as JSP or other server-side scripts, where the application server can execute or serve them. In a servlet container, a JSP that lands under the deployed application's directory is compiled and run on the next request for it, which is why unrestricted upload in a Java web application so often ends in code execution.
Remediation (AI)
Apply the vendor patch, commit 3585737d21fe490ff6948d913fcbd8d99c41fc08 (https://github.com/thinkgem/jeesite5/commit/3585737d21fe490ff6948d913fcbd8d99c41fc08). If a release that includes it is available, upgrade to that release; otherwise cherry-pick the commit or rebuild from patched source. Until then, reduce exposure of the upload path: disable or remove access to the FileUploadController endpoint if the business does not need it, or restrict it at the network or reverse-proxy layer to trusted internal clients. Separately, make an uploaded file harmless even if it gets through: store uploads outside the servlet container's deployed-application directory (a .jsp or .jspx under that tree is compiled and executed by the container regardless of the file's execute bit, so removing execute bits alone is not a control in a Java application), serve files back through a controller that sets Content-Disposition: attachment and a fixed Content-Type rather than as static content, and, where nginx or Apache httpd fronts the application, deny direct requests for script extensions under the upload path with a location block or equivalent directive. These measures limit escalation from upload to code execution but do not fix the missing check; the patch remains the primary remediation.
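As an added example (not JeeSite's code, and written in Python rather than the project's Java so the logic can be run as-is), the permissive pattern the description points at is shown beside a hardened upload handler that applies the controls above: extension allowlist, content check against magic bytes, server-chosen file name, containment inside an upload root that is assumed to sit outside the web root. The allowlist, size limit and sample payloads are constructed for the illustration; UploadRejected, insecure_save, validate_upload, is_rejected, secure_save and demo are names chosen here and are not anything from FileUploadController.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Constructed allowlist (example policy, not JeeSite's): accepted extension -> leading
# magic bytes the content must carry. Script types (jsp, jspx, war, html, svg, ...)
# are absent, so they are rejected by default.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024  # constructed limit

# Constructed sample payloads: a minimal PNG header and a JSP fragment.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JSP_SAMPLE = b'<%@ page import="java.io.*" %><% out.println("hello"); %>'


class UploadRejected(ValueError):
    pass


def insecure_save(upload_root, client_name, data):
    """The permissive pattern: client-supplied name, no type check, no containment.
    A name like '../shell.jsp' walks out of the upload directory and keeps its
    executable extension."""
    dest = os.path.join(upload_root, client_name)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def validate_upload(client_name, data):
    """Return the accepted extension, or raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    # Strip any path the client sent (either separator) and reject empty or odd names.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", "..") or "\x00" in base:
        raise UploadRejected("bad filename")
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    return ext


def is_rejected(client_name, data):
    """True when validate_upload refuses the upload."""
    try:
        validate_upload(client_name, data)
    except UploadRejected:
        return True
    return False


def secure_save(upload_root, client_name, data):
    """Validate, then store under a server-chosen random name inside upload_root.
    upload_root is assumed to live outside the servlet container's webapp tree."""
    ext = validate_upload(client_name, data)
    root = Path(upload_root).resolve()
    root.mkdir(parents=True, exist_ok=True)
    dest = (root / f"{secrets.token_hex(16)}.{ext}").resolve()
    if dest.parent != root:  # containment check, cheap insurance against future edits
        raise UploadRejected("path escaped upload root")
    # Create exclusively with no execute bits; O_EXCL refuses to clobber an existing file.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


def demo():
    """Run both handlers against the same hostile inputs; returns observed outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        root.mkdir()
        # 1. Permissive handler: traversal and executable extension both go through.
        written = Path(insecure_save(str(root), "../shell.jsp", JSP_SAMPLE)).resolve()
        escaped = written.parent != root.resolve() and written.suffix == ".jsp"
        # 2. Hardened handler: the same request is refused, a benign one is stored safely.
        traversal_blocked = is_rejected("../shell.jsp", JSP_SAMPLE)
        spoofed_blocked = is_rejected("shell.jsp.png", JSP_SAMPLE)  # wrong magic bytes
        saved = secure_save(str(root), "holiday.PNG", PNG_SAMPLE)
        return {
            "insecure_escaped_root": escaped,
            "secure_rejects_traversal": traversal_blocked,
            "secure_rejects_spoofed_extension": spoofed_blocked,
            "secure_saved_inside_root": saved.parent == root.resolve(),
            "secure_saved_extension": saved.suffix,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design carries over to a Java servlet or Spring MVC handler unchanged: never reuse the client's file name, keep the upload root outside the container's deployed-application directory so the JSP compiler never sees what lands there, and hand files back through a controller that sets Content-Disposition: attachment instead of exposing the directory as static content.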