Description
A security vulnerability has been detected in jishenghua jshERP up to 3.6. This vulnerability affects the function addAccountHeadAndDetail of the file jshERP-boot/src/main/java/com/jsh/erp/service/AccountHeadService.java of the component addAccountHeadAndDetail Endpoint. Such manipulation of the argument fileName leads to path traversal. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the addAccountHeadAndDetail function within the AccountHeadService component of jshERP 3.6 and earlier. An attacker can manipulate the fileName parameter to perform a path traversal attack, enabling the read of arbitrary files on the server. This flaw permits remote exploitation, potentially exposing sensitive configuration or source code, but it does not directly lead to remote code execution. The weakness is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), meaning user-controlled input reaches file path construction without being confined to the intended directory.

Affected Systems

The flaw affects all installations of jshERP up to version 3.6, distributed under the product jishenghua:jshERP. No specific sub-versions beyond 3.6 are known to be vulnerable, and the vendor has not released a patch as of the time of this advisory.

Risk and Exploitability

The CVSS v3 score of 5.3 reflects a moderate severity, and the EPSS score is unavailable, suggesting limited public exploitation data. The vulnerability is not listed in the CISA KEV catalog. Because the attack can be performed remotely by sending crafted parameters to the addAccountHeadAndDetail endpoint, the risk is that attackers could harvest proprietary files or information from the server. The exploitation path requires only HTTP access to the vulnerable endpoint, making it broadly reachable if no mitigations are in place.

Generated by OpenCVE AI on June 8, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify if a newer, patched release of jshERP has been made available by the vendor and upgrade immediately.
  • Implement input validation on the fileName parameter to reject or normalize any traversal sequences such as ".." or absolute paths, ensuring that only files within a designated directory are accessed.
  • Configure a web application firewall or similar security controls to detect and block path traversal patterns targeting the addAccountHeadAndDetail endpoint.
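The second recommendation above, confining fileName to a designated directory, is the one code-level fix. The following is an added example written for this page, not jshERP's own code: a small resolver that takes a caller-supplied file name, resolves it against a base directory, and rejects separators, ".." components and symlinks that escape that directory. The class name, the base directory and the sample names are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not jshERP's own code. Resolves a user-supplied fileName
// against a designated directory and rejects anything that escapes it.
public final class SafeFileResolver {

    private final Path baseDir;

    public SafeFileResolver(Path baseDir) throws IOException {
        // toRealPath() resolves symlinks so the containment check below
        // compares canonical locations rather than a textual prefix.
        this.baseDir = baseDir.toRealPath();
    }

    public Path resolve(String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty()) {
            throw new IllegalArgumentException("fileName is required");
        }
        // A bare file name is all the endpoint needs, so separators or a NUL
        // byte are malformed input and are rejected before any path work.
        if (fileName.contains("/") || fileName.contains("\\") || fileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("fileName must not contain path separators");
        }
        Path candidate = baseDir.resolve(fileName).normalize();
        // Even after the character checks, confirm the normalized result is
        // strictly inside baseDir: this catches ".." on its own and "." (which
        // would resolve to the directory itself).
        if (candidate.equals(baseDir) || !candidate.startsWith(baseDir)) {
            throw new SecurityException("path traversal attempt rejected: " + fileName);
        }
        if (Files.exists(candidate)) {
            // For an existing entry, follow symlinks and re-check containment.
            Path real = candidate.toRealPath();
            if (!real.startsWith(baseDir)) {
                throw new SecurityException("symlink escapes base directory: " + fileName);
            }
            return real;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: one legitimate name and three traversal attempts.
        Path tmp = Files.createTempDirectory("attachments-example");
        SafeFileResolver resolver = new SafeFileResolver(tmp);
        String[] samples = { "invoice-2026.pdf", "../application.properties", "..", "sub/../x.txt" };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolver.resolve(s));
            } catch (IllegalArgumentException | SecurityException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running the class accepts only invoice-2026.pdf and rejects the other three. The separator check is deliberately stricter than a ".." filter alone: rejecting any separator closes encoded and mixed-separator variants that a pattern-based WAF rule might miss, while the startsWith check on the normalized and realpath-resolved result is the guarantee that no accepted name leaves the directory.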

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 15:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 01:00:00 +0000

Type: Description
Values Added: A security vulnerability has been detected in jishenghua jshERP up to 3.6. This vulnerability affects the function addAccountHeadAndDetail of the file jshERP-boot/src/main/java/com/jsh/erp/service/AccountHeadService.java of the component addAccountHeadAndDetail Endpoint. Such manipulation of the argument fileName leads to path traversal. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values Added: jishenghua jshERP addAccountHeadAndDetail Endpoint AccountHeadService.java path traversal

Type: First Time appeared
Values Added: Jishenghua; Jishenghua jsherp

Type: Weaknesses
Values Added: CWE-22

Type: CPEs
Values Added: cpe:2.3:a:jishenghua:jsherp:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Jishenghua; Jishenghua jsherp

Type: References
Values Added: (none listed on this page)

Type: Metrics
Values Added:
  cvssV2_0 {'score': 5.5, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T14:19:48.062Z

Reserved: 2026-06-07T09:22:31.482Z

Link: CVE-2026-11467

Vulnrichment

Updated: 2026-06-08T14:19:43.936Z

NVD

Status : Deferred

Published: 2026-06-08T00:16:42.230

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11467

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T04:30:15Z

Weaknesses