Description
A vulnerability was determined in JeecgBoot up to 3.9.2. The affected element is the function WordUtil.addImage of the file /airag/word/edit. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. A fix is planned for the upcoming release.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordUtil.addImage function in JeecgBoot up to 3.9.2 processes user‑supplied image URLs without adequate validation, enabling server‑side request forgery (SSRF). An attacker can supply an arbitrary URL, causing the server to fetch it. This can be exploited to reach internal services, exfiltrate data, or bypass access controls. The flaw is identified as CWE‑918.

Affected Systems

The vulnerability affects the JeecgBoot web application, specifically the WordUtil.addImage function located in /airag/word/edit. All installations of JeecgBoot with version 3.9.2 or earlier are affected; administrators should verify deployed versions against this threshold.

Risk and Exploitability

The CVSS v4.0 base score of 5.3 (6.3 under CVSS v3.1) indicates moderate risk. EPSS is not available and the issue is not listed in the CISA KEV catalog, but a proof of concept has been publicly disclosed (E:P in the vectors) and the attack is network-reachable. The vectors also require low privileges (PR:L), so a low-privileged account on the application, or anyone who can obtain one, is enough to trigger the request. Because the flaw lets the server issue attacker-chosen outbound requests, the practical impact depends on what the server itself can reach: internal management interfaces, cloud metadata endpoints and other services that trust the server's network position can raise it well above the base score.

Generated by OpenCVE AI on June 1, 2026 at 10:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the pending patch once JeecgBoot releases a version newer than 3.9.2.
  • Restrict the application server’s outbound network traffic with firewall ACLs or a proxy so that only legitimate destinations are reachable, thereby limiting the usefulness of any SSRF attempts.
  • Validate the image URL parameter in WordUtil.addImage before anything is fetched: allow only http and https, resolve the hostname and reject any result in loopback, private, link-local (169.254.0.0/16, which includes cloud metadata services) or other non-public ranges, connect to the address that was checked rather than resolving the name again, and do not follow redirects without repeating the check. Alternatively, temporarily disable the /airag/word/edit endpoint until a patch is applied.
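The URL check recommended above, and the fetch path described under Impact, as an added Python illustration that is not JeecgBoot's code: JeecgBoot is a Java project and this page does not show the real WordUtil.addImage signature, so the function names, the pluggable resolver and the sample URLs below are assumptions chosen so the check runs offline.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Added illustration of an SSRF pre-fetch check for an image-URL parameter.
# Not JeecgBoot's code: all names and the pluggable resolver are assumptions.

ALLOWED_SCHEMES = {"http", "https"}

# Ranges an SSRF is usually aimed at: "this host", loopback, RFC 1918, CGNAT,
# link-local (which holds the 169.254.169.254 cloud metadata endpoint) and
# their IPv6 counterparts. IPv4-mapped IPv6 addresses are unwrapped in
# is_blocked() so they cannot slip past the IPv4 entries.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# A resolver maps a hostname to the addresses it currently points at. The
# default uses the OS; tests inject a constructed one so nothing touches DNS.
Resolver = Callable[[str], Iterable[str]]


class UnsafeUrl(ValueError):
    """Raised when the server must not fetch the URL."""


@dataclass(frozen=True)
class SafeTarget:
    url: str   # original URL, still needed for the Host header / TLS SNI
    ip: str    # the single vetted address the fetch must connect to
    port: int


def default_resolver(host: str) -> list[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:10.0.0.1 is still 10.0.0.1
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_image_url(url: str, resolve: Resolver = default_resolver) -> SafeTarget:
    """Return a pinned target for `url`, or raise UnsafeUrl."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise UnsafeUrl("unparseable URL") from exc
    if parts.scheme not in ALLOWED_SCHEMES:          # no file:, gopher:, dict:, ...
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:                        # e.g. "host:notaport"
        raise UnsafeUrl("invalid port") from exc
    try:
        addrs = [str(ipaddress.ip_address(host))]    # literal address: no lookup
    except ValueError:
        # Hostnames, and odd spellings such as decimal or hex IPs, go through
        # the resolver; it is the resolver's answer that gets checked.
        addrs = list(resolve(host))
    if not addrs:
        raise UnsafeUrl(f"could not resolve {host!r}")
    # Every record must be public: an attacker-controlled zone can answer with
    # one public and one private address and hope the client picks the latter.
    for ip in addrs:
        if is_blocked(ip):
            raise UnsafeUrl(f"{host!r} maps to blocked address {ip}")
    # Pin the vetted address so the connect cannot be rebound by a second lookup.
    return SafeTarget(url=url, ip=addrs[0], port=port)


def is_safe_image_url(url: str, resolve: Resolver = default_resolver) -> bool:
    try:
        validate_image_url(url, resolve)
        return True
    except UnsafeUrl:
        return False
```

Two points the recommendation only implies are visible here: the decision is made on what the name resolves to, not on the hostname string, and the vetted address is handed back so the caller connects to that address (or passes it to an HTTP client that pins it) instead of resolving the name a second time. An HTTP client that follows redirects must either be configured not to, or run every hop through the same check.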


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | (empty) | A vulnerability was determined in JeecgBoot up to 3.9.2. The affected element is the function WordUtil.addImage of the file /airag/word/edit. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. A fix is planned for the upcoming release.
Title | (empty) | JeecgBoot edit WordUtil.addImage server-side request forgery
First Time appeared | (empty) | Jeecgboot; Jeecgboot jeecgboot
Weaknesses | (empty) | CWE-918
CPEs | (empty) | cpe:2.3:a:jeecgboot:jeecgboot:*:*:*:*:*:*:*:*
Vendors & Products | (empty) | Jeecgboot; Jeecgboot jeecgboot
References | (empty) | (empty)
Metrics | (empty) | four CVSS records, listed below
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T08:00:16.801Z

Reserved: 2026-05-31T09:56:40.755Z

Link: CVE-2026-10239

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T09:16:15.670

Modified: 2026-06-01T09:16:15.670

Link: CVE-2026-10239

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T10:30:26Z

Weaknesses