Skip to main content

JeecgBoot EUVDEUVD-2026-28468

| CVE-2026-8114 LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-05-07 cna@vuldb.com GHSA-pghv-w792-qvjg
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 22:30 vuln.today
CVE Published
May 07, 2026 - 22:16 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was identified in JeecgBoot up to 3.9.1. Affected by this issue is some unknown functionality of the file /sys/dict/loadTreeData of the component JSON Object Handler. The manipulation of the argument condition leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor confirms (translated from Chinese): "It should have been fixed; a batch of issues were recently resolved."

AnalysisAI

SQL injection in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to manipulate the condition parameter in the /sys/dict/loadTreeData endpoint, leading to unauthorized data access with limited confidentiality impact. The vulnerability affects the JSON Object Handler component and has publicly available exploit code, though the low CVSS score (2.1) and required authentication significantly limit practical risk despite confirmed vendor awareness.

Technical ContextAI

JeecgBoot is a low-code rapid development framework for Java applications. The vulnerability exists in the /sys/dict/loadTreeData endpoint, which is part of the system dictionary management functionality. The JSON Object Handler component processes user-supplied input through the condition parameter without proper sanitization, allowing an attacker to inject arbitrary SQL code. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) indicates insufficient input validation before SQL query construction, a classic SQL injection root cause. The attack vector is network-based, but requires prior authentication (PR:L in CVSS 4.0 vector), limiting exposure to authenticated users of the application.

RemediationAI

Upgrade JeecgBoot to a version newer than 3.9.1 immediately, as the vendor has indicated recent batch fixes but no specific patched version is publicly confirmed in the available data. Verify the fix by checking GitHub releases after version 3.9.1 or contacting the JeecgBoot maintainers directly for confirmation of the patched version. As an interim compensating control, restrict network access to the /sys/dict/loadTreeData endpoint using a Web Application Firewall (WAF) or network-level access control, allowing only trusted internal clients. Additionally, implement input validation and parameterized queries (prepared statements) if you maintain a fork or custom deployment. Monitor application logs for suspicious SQL patterns in requests to the /sys/dict endpoint. Note that WAF restrictions may impact legitimate dictionary loading functionality, so test thoroughly in a staging environment before production deployment.

Share

EUVD-2026-28468 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy