Is there a public PoC exploit available for CVE-2026-11502?

Yes, a public proof-of-concept exploit is available for CVE-2026-11502. Prioritise patching immediately. EPSS: 0.0%.

JeecgBoot CVE-2026-11502

Q: What is the CVSS score of CVE-2026-11502?

CVE-2026-11502 has a CVSS 4.0 base score of 1.3 (Low). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-35037 LOW

URL Redirection to Untrusted Site (Open Redirect) (CWE-601)

2026-06-08 VulDB

GHSA-2r69-34r8-6c68

Open Redirect Java

1.3

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.3 LOW

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Jun 08, 2026 - 13:42 vuln.today

CVSS changed

Jun 08, 2026 - 10:22 NVD

3.1 (LOW) 1.3 (LOW)

CVE Published

Jun 08, 2026 - 09:30 nvd

LOW 1.3

DescriptionCVE.org

A weakness has been identified in JeecgBoot up to 3.9.2. Impacted is the function HttpServletResponse.sendRedirect of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java of the component Third-Party Login. This manipulation of the argument state causes open redirect. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The project replied: "After evaluation, this vulnerability has low exploitability in real-world scenarios: 1) Exploiting this vulnerability requires attackers to use social engineering techniques to induce victims to actively click on an OAuth login link constructed by the attacker; it cannot be triggered passively. 2) Third-party login (DingTalk/WeChat, etc.) is an optional feature and may not be enabled in most projects."

AnalysisAI

Open redirect in JeecgBoot's ThirdLoginController (versions 3.9.0-3.9.2) allows remote attackers to manipulate the OAuth state parameter and redirect victims to attacker-controlled URLs via the third-party login flow. The vendor's own assessment confirms low real-world exploitability: successful exploitation requires social engineering to induce victims into clicking a crafted OAuth login link, and the affected third-party login feature (DingTalk, WeChat) is optional and likely disabled in most deployments. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify JeecgBoot instance with third-party OAuth login enabled

Delivery

Craft OAuth login URL with malicious state parameter targeting attacker-controlled domain

Exploit

Deliver link to victim via phishing or social engineering

Execution

Victim clicks link and completes DingTalk/WeChat authentication

Persist

Application calls sendRedirect with unvalidated state parameter

Impact

Victim redirected to attacker-controlled phishing site

Access

Identify JeecgBoot instance with third-party OAuth login enabled

Delivery

Craft OAuth login URL with malicious state parameter targeting attacker-controlled domain

Exploit

Deliver link to victim via phishing or social engineering

Execution

Victim clicks link and completes DingTalk/WeChat authentication

Persist

Application calls sendRedirect with unvalidated state parameter

Impact

Victim redirected to attacker-controlled phishing site

Vulnerability AssessmentAI

Exploitation	The third-party login feature - specifically the DingTalk, WeChat, or equivalent OAuth provider integration - must be explicitly enabled in the JeecgBoot deployment; the vendor states this is optional and likely inactive in most projects, which substantially limits the affected population. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 4.0 score of 1.3 is among the lowest assignable, and the vector encodes multiple compounding mitigants: High Attack Complexity (AC:H), passive user interaction required (UI:P), no confidentiality impact, and only Low integrity impact to the vulnerable system (VI:L) with zero impact to subsequent systems (SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker identifies a JeecgBoot instance with DingTalk or WeChat login enabled, constructs a legitimate-looking OAuth login URL with the `state` parameter set to redirect to a credential-harvesting site, and distributes this link via a phishing email targeting the organization's employees. When a victim clicks the link and completes authentication with their DingTalk or WeChat credentials, the application's unvalidated `sendRedirect` call sends them to the attacker's site rather than the JeecgBoot dashboard. …
Remediation	No vendor-released patched version is confirmed from available data - the GitHub issue at https://github.com/jeecgboot/JeecgBoot/issues/9639 documents vendor acknowledgment and response, but no tagged release with a fix has been referenced in the provided intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53523 MEDIUM This Month

6.8 Jun 12

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redire

CVE-2026-45566 MEDIUM This Month

6.1 Jun 10

Open redirect in Roxy-WI versions 8.2.6.4 and prior allows unauthenticated remote attackers to silently redirect authent

CVE-2026-50089 MEDIUM This Month

6.1 Jun 12

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara

CVE-2026-10837 MEDIUM This Month

5.1 Jun 17

Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP

CVE-2026-10839 MEDIUM This Month