JeecgBoot CVE-2026-3672
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability has been found in JeecgBoot up to 3.9.1. Affected is the function isExistSqlInjectKeyword of the file /jeecg-boot/sys/api/getDictItems. Such manipulation leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
AnalysisAI
SQL injection in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to execute arbitrary SQL queries via the getDictItems API endpoint due to insufficient validation in the isExistSqlInjectKeyword function. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete database contents. No patch is currently available, and public exploit code has been disclosed.
Technical ContextAI
affects A vulnerability has been found in JeecgBoot. has been found in JeecgBoot up to 3.9.1. Affected is the function isExistSqlInjectKeyword of the file /jeecg-boot/sys/api/getDictItems. Such manipulation leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Affected ProductsAI
Product: A vulnerability has been found in JeecgBoot. Versions: up to 3.9.1..
RemediationAI
Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.
Share
External POC / Exploit Code
Leaving vuln.today