Skip to main content

Jimureport EUVD-2026-20858

| CVE-2026-5848 LOW
Code Injection (CWE-94)
2026-04-09 VulDB GHSA-883j-v822-6wwv
Code Injection RCE Jimureport
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.1 (MEDIUM) 2.0 (LOW)
PoC Detected
Apr 09, 2026 - 06:16 vuln.today
Public exploit code
EUVD ID Assigned
Apr 09, 2026 - 05:45 euvd
EUVD-2026-20858
Analysis Generated
Apr 09, 2026 - 05:45 vuln.today
CVE Published
Apr 09, 2026 - 05:15 nvd
MEDIUM 5.1

DescriptionCVE.org

A vulnerability was found in jeecgboot JimuReport up to 2.3.0. The affected element is the function DriverManager.getConnection of the file /drag/onlDragDataSource/testConnection of the component Data Source Handler. Performing a manipulation of the argument dbUrl results in code injection. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirmed the issue and will provide a fix in the upcoming release.

AnalysisAI

Code injection in JimuReport's Data Source Handler allows authenticated high-privilege users to execute arbitrary code via manipulated dbUrl parameters in the DriverManager.getConnection function (versions up to 2.3.0). The vulnerability requires high-privilege authentication but can be exploited remotely with low attack complexity; publicly available exploit code exists and the vendor has acknowledged the issue with a fix planned for an upcoming release.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment CVSS 4.7 reflects moderate severity with network accessibility (AV:N), low attack complexity (AC:L), but critically requires high-privilege authentication (PR:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated administrator or user account with high-privilege access to JimuReport's data source configuration interface could craft a malicious dbUrl parameter containing injected code and submit it to the /drag/onlDragDataSource/testConnection endpoint. When the application processes the connection string via DriverManager.getConnection, the injected code is executed in the context of the application, potentially allowing the attacker to read sensitive configuration data, modify database queries, or escalate to full remote code execution depending on the execution environment and available Java libraries. …
Remediation Upgrade JimuReport to a version released after the vendor's confirmed fix; the exact patched version number is not specified in available data, so monitor the official repository and release notes at https://github.com/jeecgboot/jimureport/ for the next available release containing the security patch. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-20858 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy