EUVD-2026-20858
GHSA-883j-v822-6wwv
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionNVD
A vulnerability was found in jeecgboot JimuReport up to 2.3.0. The affected element is the function DriverManager.getConnection of the file /drag/onlDragDataSource/testConnection of the component Data Source Handler. Performing a manipulation of the argument dbUrl results in code injection. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirmed the issue and will provide a fix in the upcoming release.
AnalysisAI
Code injection in JimuReport's Data Source Handler allows authenticated high-privilege users to execute arbitrary code via manipulated dbUrl parameters in the DriverManager.getConnection function (versions up to 2.3.0). The vulnerability requires high-privilege authentication but can be exploited remotely with low attack complexity; publicly available exploit code exists and the vendor has acknowledged the issue with a fix planned for an upcoming release.
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today