Skip to main content

JeecgBoot EUVDEUVD-2026-33601

| CVE-2026-10239 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-01 cna@vuldb.com GHSA-gg5c-v856-2rjp
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 09:34 vuln.today

DescriptionCVE.org

A vulnerability was determined in JeecgBoot up to 3.9.2. The affected element is the function WordUtil.addImage of the file /airag/word/edit. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. A fix is planned for the upcoming release.

AnalysisAI

Server-side request forgery in JeecgBoot up to version 3.9.2 allows remote authenticated attackers to induce the server to issue arbitrary outbound HTTP requests via the WordUtil.addImage function at the /airag/word/edit endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-accessible, low-complexity exploitation requiring only low-privilege credentials with no user interaction needed. Publicly available exploit code exists (E:P in CVSS vector; publicly disclosed per description), and no vendor-released patch has been issued at time of analysis - only a fix planned for an upcoming release.

Technical ContextAI

JeecgBoot is a Java-based open-source low-code development platform widely used for rapid enterprise application development. The vulnerable component is the WordUtil.addImage function, invoked via the /airag/word/edit endpoint (part of the AI RAG word-editing feature). CWE-918 (Server-Side Request Forgery) indicates the root cause: user-supplied input - likely a URL for an image to embed in a Word document - is passed to a server-side HTTP client without adequate validation or allowlisting. This enables the server to act as a proxy, issuing requests on behalf of the attacker to targets the attacker cannot reach directly, such as internal cloud metadata services, internal APIs, or non-internet-facing hosts. The CVSS scope metrics (SC:N/SI:N/SA:N) suggest the confirmed impact is limited to the vulnerable system's own confidentiality, integrity, and availability at low severity, though SSRF primitives frequently enable further lateral movement depending on the network environment.

RemediationAI

No vendor-released patch has been issued for this vulnerability at time of analysis - the vendor has stated a fix is planned for an upcoming release. Monitor the JeecgBoot GitHub repository (https://github.com/jeecgboot/JeecgBoot/) and issue tracker (https://github.com/jeecgboot/JeecgBoot/issues/9610) for a patched release. Until a patch is available, apply the following compensating controls in order of preference: First, restrict access to the /airag/word/edit endpoint via network-layer controls or application firewall rules so that only trusted, identified users can reach it - note this limits functionality for legitimate users of the AI RAG word feature. Second, implement egress filtering on the JeecgBoot server host to block outbound HTTP/HTTPS requests to internal RFC-1918 address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and cloud metadata endpoints (169.254.169.254) - this is the most impactful control for limiting SSRF blast radius but requires firewall or iptables rule changes that must be tested for operational impact. Third, if the /airag/word/edit feature is not required by your organization, disable or remove it entirely.

Share

EUVD-2026-33601 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy