Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.jav of the component LoadFile Endpoint. This manipulation of the argument files causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor confirmed the issue and will provide a fix in the upcoming release.
AnalysisAI
Server-side request forgery in JeecgBoot up to version 3.9.1 affects the checkPathTraversalBatch function in FileDownloadUtils.java within the LoadFile endpoint. Authenticated remote attackers can manipulate the files argument to trigger SSRF, allowing them to make unauthorized requests to internal or external resources. Publicly disclosed exploit code exists, and the vendor has confirmed the issue with a fix promised in an upcoming release.
Technical ContextAI
JeecgBoot is a Java-based open-source low-code development platform. The vulnerability lies in insufficient validation of the files parameter in the FileDownloadUtils.checkPathTraversalBatch method used by the LoadFile endpoint. CWE-918 (Server-Side Request Forgery) indicates the vulnerability allows an attacker to cause the server to make unintended requests. The LoadFile endpoint is a file download handler that processes user-supplied file paths; the path traversal check is bypassable via specially crafted file arguments, enabling the attacker to reference arbitrary URLs or internal network resources rather than local filesystem paths.
RemediationAI
Upgrade JeecgBoot to a patched version released after 3.9.1 when the vendor publishes it; the exact fix version is not yet publicly available but the vendor has committed to releasing a patch. Until a patched release is available, implement immediate compensating controls: restrict access to the LoadFile endpoint to trusted internal networks using firewall rules or application-level access controls; disable the LoadFile endpoint if it is not actively used; implement strict input validation on the files parameter to reject absolute paths, URLs with schemes (http://, https://, file://), and path traversal sequences before the existing checkPathTraversalBatch function is invoked; enable network egress filtering to prevent the server from making outbound requests to unexpected destinations (allowlist only required upstream services); monitor LoadFile endpoint access logs for suspicious file parameter patterns or requests to internal IP ranges. Each control has trade-offs: network egress filtering may break legitimate functionality if the application intentionally makes outbound requests; input validation could be bypassed if encoding or normalization is insufficient. Monitor the GitHub issue thread (https://github.com/jeecgboot/JeecgBoot/issues/9553) and official vendor advisories for patch release announcements.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26738