Skip to main content

JeeSite EUVDEUVD-2026-26396

| CVE-2026-36762 HIGH
Path Traversal (CWE-22)
2026-04-30 mitre
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 04, 2026 - 18:22 vuln.today
CVSS changed
May 04, 2026 - 18:22 NVD
8.8 (HIGH)
EUVD ID Assigned
Apr 30, 2026 - 18:00 euvd
EUVD-2026-26396
Analysis Generated
Apr 30, 2026 - 18:00 vuln.today
CVE Published
Apr 30, 2026 - 00:00 nvd
HIGH 8.8

DescriptionCVE.org

An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations.

AnalysisAI

Path traversal in JeeSite v5.15.1's file upload endpoint allows authenticated users with file upload permissions to write arbitrary files to any filesystem location, enabling remote code execution by uploading malicious files (e.g., JSP webshells) outside intended directories. The vulnerability exists in the fileEntityId parameter of /a/file/upload, bypassing directory restrictions while respecting file extension whitelists. EPSS score of 0.01% (3rd percentile) indicates low predicted exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis, though vendor issue tracker discussion provides technical details that could facilitate POC development.

Technical ContextAI

JeeSite is a Java-based rapid development platform built on Spring Boot, commonly used for enterprise content management and administrative systems. This vulnerability manifests as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) in the file upload handling component. The /a/file/upload endpoint processes the fileEntityId parameter without proper path canonicalization or traversal sequence filtering, allowing authenticated users to inject directory traversal sequences (../) to escape the intended upload directory. While file extension validation remains intact (preventing upload of arbitrary extensions), attackers can still write whitelisted file types (such as .jsp, .jspx, or image formats with embedded code) to sensitive locations like webroot directories or configuration paths. The Spring Boot framework's default servlet mapping and file serving behavior can then execute uploaded JSP files if placed in accessible web directories, converting the path traversal into remote code execution.

RemediationAI

Upgrade JeeSite to version 5.15.2 or later when vendor releases patched version addressing GitHub issue #529 (https://github.com/thinkgem/jeesite/issues/529 - monitor for resolution commits). As of this analysis, no released patched version is independently confirmed; security teams should subscribe to the GitHub repository's security notifications and issue tracker for updates. Compensating controls until patch availability: (1) Restrict file upload permissions to only essential administrator accounts through JeeSite's role management, reducing attack surface by limiting who can invoke the vulnerable endpoint - trade-off is reduced operational flexibility for content managers. (2) Implement web application firewall (WAF) rules to detect and block requests containing directory traversal sequences (../, ..\, URL-encoded variants %2e%2e%2f) in fileEntityId parameter - may cause false positives if legitimate file identifiers contain periods. (3) Configure servlet container (Tomcat/Jetty) to prevent execution of JSP files in upload directories through security constraints in web.xml or deny scriptlet execution - this limits RCE but allows arbitrary file write to other locations. (4) Deploy file integrity monitoring on JeeSite installation directories to detect unauthorized file modifications outside expected upload paths. Verify vendor advisory at https://github.com/thinkgem/jeesite for official remediation guidance.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

EUVD-2026-26396 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy