Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations.
AnalysisAI
Path traversal in JeeSite v5.15.1's file upload endpoint allows authenticated users with file upload permissions to write arbitrary files to any filesystem location, enabling remote code execution by uploading malicious files (e.g., JSP webshells) outside intended directories. The vulnerability exists in the fileEntityId parameter of /a/file/upload, bypassing directory restrictions while respecting file extension whitelists. EPSS score of 0.01% (3rd percentile) indicates low predicted exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis, though vendor issue tracker discussion provides technical details that could facilitate POC development.
Technical ContextAI
JeeSite is a Java-based rapid development platform built on Spring Boot, commonly used for enterprise content management and administrative systems. This vulnerability manifests as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) in the file upload handling component. The /a/file/upload endpoint processes the fileEntityId parameter without proper path canonicalization or traversal sequence filtering, allowing authenticated users to inject directory traversal sequences (../) to escape the intended upload directory. While file extension validation remains intact (preventing upload of arbitrary extensions), attackers can still write whitelisted file types (such as .jsp, .jspx, or image formats with embedded code) to sensitive locations like webroot directories or configuration paths. The Spring Boot framework's default servlet mapping and file serving behavior can then execute uploaded JSP files if placed in accessible web directories, converting the path traversal into remote code execution.
RemediationAI
Upgrade JeeSite to version 5.15.2 or later when vendor releases patched version addressing GitHub issue #529 (https://github.com/thinkgem/jeesite/issues/529 - monitor for resolution commits). As of this analysis, no released patched version is independently confirmed; security teams should subscribe to the GitHub repository's security notifications and issue tracker for updates. Compensating controls until patch availability: (1) Restrict file upload permissions to only essential administrator accounts through JeeSite's role management, reducing attack surface by limiting who can invoke the vulnerable endpoint - trade-off is reduced operational flexibility for content managers. (2) Implement web application firewall (WAF) rules to detect and block requests containing directory traversal sequences (../, ..\, URL-encoded variants %2e%2e%2f) in fileEntityId parameter - may cause false positives if legitimate file identifiers contain periods. (3) Configure servlet container (Tomcat/Jetty) to prevent execution of JSP files in upload directories through security constraints in web.xml or deny scriptlet execution - this limits RCE but allows arbitrary file write to other locations. (4) Deploy file integrity monitoring on JeeSite installation directories to detect unauthorized file modifications outside expected upload paths. Verify vendor advisory at https://github.com/thinkgem/jeesite for official remediation guidance.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26396