Description
A security flaw has been discovered in jeecgboot The server processes these URLs up to 3.9.1. This affects the function FileDownloadUtils.download2DiskFromNet of the file /airag/app/debug of the component Cloud Instance Metadata Endpoint. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.9.2 mitigates this issue. It is suggested to upgrade the affected component.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the FileDownloadUtils.download2DiskFromNet function within the /airag/app/debug component of JeecgBoot’s Cloud Instance Metadata Endpoint. By manipulating input to this function, an attacker can cause the server to issue arbitrary HTTP requests, resulting in server‑side request forgery. The vulnerability can be triggered remotely, and exploit code is publicly available. Successful exploitation would allow the attacker to instruct the server to contact internal or external resources, potentially exposing sensitive data, enabling further attacks, or executing additional malicious actions.

Affected Systems

JeecgBoot applications running versions up to 3.9.1 are affected. The vulnerability exists in the Cloud Instance Metadata Endpoint component handling URLs. Versions 3.9.2 and later contain the fix. Only deployments of the affected component are impacted; other JeecgBoot modules are not listed as vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate impact. Exploitation is feasible from a remote network, as the flaw does not require local access or privilege escalation. No EPSS value is currently available, and the vulnerability is not listed in CISA KEV, suggesting no known widespread exploitation to date. However, the publicly available exploit code and the remote attack vector make it prudent to apply the upgrade promptly.

Generated by OpenCVE AI on June 1, 2026 at 10:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JeecgBoot to version 3.9.2 or later to apply the fix.
  • Until the upgrade, block or heavily restrict access to the /airag/app/debug endpoint to prevent exploitation.
  • Monitor network logs for unusual outbound requests originating from the affected endpoint to detect potential exploitation attempts.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | A security flaw has been discovered in jeecgboot The server processes these URLs up to 3.9.1. This affects the function FileDownloadUtils.download2DiskFromNet of the file /airag/app/debug of the component Cloud Instance Metadata Endpoint. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.9.2 mitigates this issue. It is suggested to upgrade the affected component.
Title | | jeecgboot The server processes these URLs Cloud Instance Metadata Endpoint debug FileDownloadUtils.download2DiskFromNet server-side request forgery
First Time appeared | | Jeecgboot; Jeecgboot the Server Processes These Urls
Weaknesses | | CWE-918
CPEs | | cpe:2.3:a:jeecgboot:the_server_processes_these_urls:*:*:*:*:*:*:*:*
Vendors & Products | | Jeecgboot; Jeecgboot the Server Processes These Urls
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
Metrics | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T08:30:10.014Z

Reserved: 2026-05-31T09:56:45.691Z

Link: CVE-2026-10241

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T09:16:15.977

Modified: 2026-06-01T09:16:15.977

Link: CVE-2026-10241

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T10:30:26Z
