Skip to main content

JeecgBoot CVE-2026-7603

| EUVDEUVD-2026-26738 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-02 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 02, 2026 - 05:31 vuln.today
EUVD ID Assigned
May 02, 2026 - 05:22 euvd
EUVD-2026-26738
Analysis Generated
May 02, 2026 - 05:22 vuln.today
CVE Published
May 02, 2026 - 05:16 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.jav of the component LoadFile Endpoint. This manipulation of the argument files causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor confirmed the issue and will provide a fix in the upcoming release.

AnalysisAI

Server-side request forgery in JeecgBoot up to version 3.9.1 affects the checkPathTraversalBatch function in FileDownloadUtils.java within the LoadFile endpoint. Authenticated remote attackers can manipulate the files argument to trigger SSRF, allowing them to make unauthorized requests to internal or external resources. Publicly disclosed exploit code exists, and the vendor has confirmed the issue with a fix promised in an upcoming release.

Technical ContextAI

JeecgBoot is a Java-based open-source low-code development platform. The vulnerability lies in insufficient validation of the files parameter in the FileDownloadUtils.checkPathTraversalBatch method used by the LoadFile endpoint. CWE-918 (Server-Side Request Forgery) indicates the vulnerability allows an attacker to cause the server to make unintended requests. The LoadFile endpoint is a file download handler that processes user-supplied file paths; the path traversal check is bypassable via specially crafted file arguments, enabling the attacker to reference arbitrary URLs or internal network resources rather than local filesystem paths.

RemediationAI

Upgrade JeecgBoot to a patched version released after 3.9.1 when the vendor publishes it; the exact fix version is not yet publicly available but the vendor has committed to releasing a patch. Until a patched release is available, implement immediate compensating controls: restrict access to the LoadFile endpoint to trusted internal networks using firewall rules or application-level access controls; disable the LoadFile endpoint if it is not actively used; implement strict input validation on the files parameter to reject absolute paths, URLs with schemes (http://, https://, file://), and path traversal sequences before the existing checkPathTraversalBatch function is invoked; enable network egress filtering to prevent the server from making outbound requests to unexpected destinations (allowlist only required upstream services); monitor LoadFile endpoint access logs for suspicious file parameter patterns or requests to internal IP ranges. Each control has trade-offs: network egress filtering may break legitimate functionality if the application intentionally makes outbound requests; input validation could be bypassed if encoding or normalization is insufficient. Monitor the GitHub issue thread (https://github.com/jeecgboot/JeecgBoot/issues/9553) and official vendor advisories for patch release announcements.

Share

CVE-2026-7603 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy