Description
There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character filtering, which allows attackers to execute arbitrary code on components through specially crafted HTTP requests.
Published: 2026-04-01
Score: 9.8 Critical
EPSS: 1.2% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Jeecg Boot is vulnerable to a code injection flaw that lets an attacker execute arbitrary commands on the server. The weakness stems from insufficient character filtering of user-supplied input, allowing specially crafted HTTP requests to be treated as executable code within the Java Virtual Machine. Compromise would grant full control over the affected instance, jeopardizing all data and services handled by the application.

Affected Systems

This vulnerability affects Jeecg Boot releases from version 3.0.0 through 3.5.3, inclusive. Any deployment of these versions that is reachable via HTTP is potentially exposed. No other products or earlier or later versions are currently known to be impacted.

Risk and Exploitability

The baseline CVSS score of 9.8 indicates extremely high severity, while the EPSS score below 1% suggests a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to send a crafted HTTP request to a vulnerable endpoint; the description does not specify required authentication, so the endpoint could be publicly accessible or may require valid credentials. In either case, an attacker can execute arbitrary code remotely if the endpoint is reachable.

Generated by OpenCVE AI on April 6, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Jeecg Boot release newer than 3.5.3 to eliminate the flaw.
  • If an upgrade is not possible, tighten input validation by rejecting characters outside a strict whitelist to mitigate injection attempts.
  • Deploy a web application firewall or similar perimeter protection to inspect and drop malformed or potentially malicious requests before they reach the application.
  • Restrict exposure of the vulnerable system to trusted IP ranges or place it behind a VPN or internal network segment to reduce attack surface.
  • Enable detailed logging and actively monitor HTTP traffic for unusual patterns that may indicate exploitation attempts.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type: Title
Values Added: Injection Vulnerability Allowing Arbitrary Code Execution in Jeecg Boot

Mon, 06 Apr 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Jeecg jeecg Boot
Type: CPEs
Values Added: cpe:2.3:a:jeecg:jeecg_boot:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Jeecg jeecg Boot

Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Jeecg; Jeecg jeecgboot
Type: Vendors & Products
Values Added: Jeecg; Jeecg jeecgboot

Thu, 02 Apr 2026 20:30:00 +0000

Type: Title
Values Added: Injection Vulnerability Allowing Arbitrary Code Execution in Jeecg Boot

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Added: There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character filtering, which allows attackers to execute arbitrary code on components through specially crafted HTTP requests.
Type: Weaknesses
Values Added: CWE-94
Type: References
Values Added:
Type: Metrics
Values Added:
  cvssV3_1: score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  ssvc (version 2.0.3): Automatable: yes; Exploitation: none; Technical Impact: total


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T19:24:05.109Z

Reserved: 2024-07-05T00:00:00.000Z

Link: CVE-2024-40489

Vulnrichment

Updated: 2026-04-01T19:22:56.495Z

NVD

Status: Analyzed

Published: 2026-04-01T17:16:57.070

Modified: 2026-04-06T15:35:16.850

Link: CVE-2024-40489

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:07:51Z

Weaknesses