Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was identified in JeecgBoot up to 3.9.1. The impacted element is an unknown function of the file /sys/comment/add. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit is publicly available and might be used. Upgrading to version 3.9.2 is sufficient to resolve this issue. Upgrading the affected component is recommended.
AnalysisAI
Improper access control in JeecgBoot versions up to 3.9.1 allows low-privileged authenticated remote users to interact with the /sys/comment/add endpoint beyond their assigned permission level, resulting in low-impact confidentiality, integrity, and availability effects. The CVSS 4.0 score of 2.1 reflects a narrow blast radius with no subsequent system compromise, but a publicly available proof-of-concept (E:P) elevates the likelihood of opportunistic exploitation on internet-facing deployments. No active exploitation has been confirmed by CISA KEV at time of analysis.
Technical ContextAI
JeecgBoot is a Java-based low-code rapid development platform built on Spring Boot, MyBatisPlus, and Ant Design Vue, widely used for enterprise CRUD and workflow automation. The affected function resides in /sys/comment/add, a backend API endpoint responsible for comment creation. CWE-266 (Incorrect Privilege Assignment) identifies the root cause: the access control logic fails to correctly validate the privilege level of the requesting user, allowing a lower-privileged role to perform actions restricted to higher-privileged users. The CVSS 4.0 vector confirms network reachability (AV:N), low attack complexity (AC:L), no attack requirements beyond a basic account (PR:L), and no user interaction (UI:N). No CPE strings were provided in the input data; the affected product range is identified solely from NVD and VulDB reporting as JeecgBoot up to and including version 3.9.1.
RemediationAI
Upgrade to JeecgBoot version 3.9.2, which the vendor confirms resolves this access control issue (https://github.com/jeecgboot/JeecgBoot/releases/tag/v3.9.2). This release is a major version upgrade that also patches several additional high-severity vulnerabilities in the same codebase, including SSRF in the AI poster feature (#9579), an AI attachment path traversal (#9519), cross-tenant writes in AiragApp (#9462), token privilege escalation (#9518), and a remote code execution issue (#9335) - upgrade is strongly recommended on those grounds alone. If immediate upgrade is not feasible, restrict access to the /sys/comment/add endpoint at the reverse proxy or WAF layer to limit requests to authenticated internal users only, and disable self-registration if enabled to prevent unauthenticated account creation that could lower the bar for exploitation. Note that endpoint-level blocking will break comment creation functionality for all users until the patch is applied.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31990
GHSA-27f4-gxm8-q49q