Description
A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 allows attackers to execute arbitrary code via a crafted HTTP request.
Published: 2026-04-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A command injection flaw in Jeecg Boot's /jmreport/show endpoint allows attackers to execute arbitrary code on the server. The weakness, classified as CWE‑77, means that specially crafted HTTP requests can insert shell commands into the server’s execution context, enabling full control over the affected host. This elevates the threat to complete compromise of confidentiality, integrity, and availability of the compromised system.

Affected Systems

The vulnerability is present in Jeecg Boot versions 3.0.0 through 3.5.3, including the open‑source distribution. Any instance of Jeecg Boot running within that version range that exposes the /jmreport/show URI to the internet or an untrusted network is susceptible to exploitation.

Risk and Exploitability

With a CVSS score of 9.8 the risk is critical. The EPSS score below 1% suggests currently low measured exploitation probability, but the lack of a current KEV listing does not reduce the impact. Attackers would need to send a crafted HTTP request to /jmreport/show to trigger the injection; no user interaction beyond reaching the endpoint is required. Given the remote nature of the vector, any exposed or unattended deployment is at high risk.

Generated by OpenCVE AI on April 6, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Jeecg Boot patch or upgrade beyond version 3.5.3 if available. If no patch is released, restrict network access to the /jmreport/show endpoint to trusted users or move it behind an internal firewall. Deploy or enable a web application firewall to validate or block suspicious input patterns targeting the endpoint. Monitor application logs for anomalous command execution attempts on the /jmreport/show route. Ensure that the underlying operating system limits shell access and that environment variables are not exposed through the API.

Generated by OpenCVE AI on April 6, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Command Injection in JEECG Boot /jmreport/show Allows Arbitrary Code Execution

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Jeecg jeecg Boot
CPEs cpe:2.3:a:jeecg:jeecg_boot:*:*:*:*:*:*:*:*
Vendors & Products Jeecg jeecg Boot

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Jeecg
Jeecg jeecgboot
Vendors & Products Jeecg
Jeecg jeecgboot

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Command Injection in JEECG Boot /jmreport/show Allows Arbitrary Code Execution

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 allows attackers to execute arbitrary code via a crafted HTTP request.
Weaknesses CWE-77
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Jeecg Jeecg Boot Jeecgboot
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T19:30:02.963Z

Reserved: 2024-08-05T00:00:00.000Z

Link: CVE-2024-43028

cve-icon Vulnrichment

Updated: 2026-04-01T19:28:13.303Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T17:16:57.220

Modified: 2026-04-06T15:34:18.930

Link: CVE-2024-43028

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:07:50Z

Weaknesses