Description
A weakness has been identified in JeecgBoot up to 3.9.2. Impacted is the function HttpServletResponse.sendRedirect of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java of the component Third-Party Login. This manipulation of the argument state causes open redirect. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The project replied: "After evaluation, this vulnerability has low exploitability in real-world scenarios: 1) Exploiting this vulnerability requires attackers to use social engineering techniques to induce victims to actively click on an OAuth login link constructed by the attacker; it cannot be triggered passively. 2) Third-party login (DingTalk/WeChat, etc.) is an optional feature and may not be enabled in most projects."
Published: 2026-06-08
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in JeecgBoot up to version 3.9.2 allows an attacker-controlled value in the state argument of the Third-Party Login flow to reach HttpServletResponse.sendRedirect without validation, enabling an open redirect (CWE-601). An attacker can embed an arbitrary destination in an OAuth login link; once the victim clicks it, the JeecgBoot server redirects the browser to a site of the attacker's choice. The vulnerability grants neither code execution nor direct data access, but because the redirect originates from a trusted JeecgBoot host it can facilitate phishing, credential harvesting, or other social-engineering attacks.

Affected Systems

The vulnerability exists in the Third-Party Login component of JeecgBoot, specifically within ThirdLoginController.java. All installations running JeecgBoot 3.9.2 or earlier that have the optional DingTalk, WeChat, or similar OAuth login feature enabled are affected.

Risk and Exploitability

The CVSS v4.0 base score of 2.3 reflects a low severity assessment, and the EPSS estimate is below 1%. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires active engagement from the victim: the attacker must construct a specially crafted OAuth login link and rely on social engineering to persuade a user to click it, so the realistic risk is through targeted phishing campaigns. The attack vector is network (AV:N), no privileges are required (PR:N), and the attack complexity is rated high (AC:H); the project considers exploitation difficult in real-world scenarios, but a public proof of concept exists (SSVC Exploitation: poc), so deployments that enable third-party login should still track the issue.

Generated by OpenCVE AI on June 8, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a JeecgBoot release newer than 3.9.2 once the project publishes one that validates the redirect target; this page records no fixed version, so confirm the fix in the project's changelog or in ThirdLoginController.java before relying on the upgrade
  • Disable third-party login (OAuth) in projects where it is not required, which removes the vulnerable endpoint entirely
  • If no patch is available, validate the state parameter before calling sendRedirect: accept only same-site relative paths or absolute URLs whose host is on an explicit allowlist, and fall back to a fixed safe page for everything else
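
The following is an added example, not code from JeecgBoot or from this advisory, showing the two shapes of the redirect discussed in the Impact section above and the allowlist check recommended in the last bullet, in Java (the project's language). The parameter name `state`, the allowlisted host `app.example.com`, the class and method names, and the attacker inputs in `main` are all constructed for illustration; the page does not show the project's actual controller code.

```java
// Added example (not JeecgBoot's own code): validating an OAuth "state"-style
// redirect parameter before it reaches HttpServletResponse.sendRedirect.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class RedirectTargetCheck {

    // Hypothetical allowlist; a real deployment loads this from configuration.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com");
    private static final String DEFAULT_TARGET = "/";

    /**
     * The vulnerable shape (CWE-601): whatever arrives in the parameter is
     * handed straight to sendRedirect, so the attacker picks the destination.
     */
    static String unvalidatedTarget(String state) {
        return state; // i.e. response.sendRedirect(state)
    }

    /**
     * Hardened shape: parse the value, then allow only (a) a same-site
     * relative path or (b) an absolute https URL whose host is allowlisted.
     * Foreign hosts, userinfo tricks, protocol-relative "//host", backslashes,
     * non-https schemes and unparseable input all fall back to DEFAULT_TARGET.
     */
    static String validatedTarget(String state) {
        if (state == null || state.isBlank()) {
            return DEFAULT_TARGET;
        }
        final URI uri;
        try {
            // Backslashes, whitespace and control characters are illegal in a
            // java.net.URI and throw here, which is what we want: browsers
            // would otherwise reinterpret "/\host" as a host.
            uri = new URI(state);
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }

        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            // Absolute or protocol-relative reference: scheme must be https and
            // the host must be allowlisted. getHost() strips any "user@" prefix,
            // so "https://app.example.com@evil.example/" resolves to evil.example.
            if (!"https".equalsIgnoreCase(uri.getScheme())) {
                return DEFAULT_TARGET;
            }
            String host = uri.getHost();
            if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
                return DEFAULT_TARGET;
            }
            return uri.toString();
        }

        // Relative reference: insist on exactly one leading slash. "//host" is
        // caught above because it parses as an authority; "/\host" never parses.
        String path = uri.getRawPath();
        if (path == null || !path.startsWith("/") || path.startsWith("//")) {
            return DEFAULT_TARGET;
        }
        return uri.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs an attacker might place in the parameter.
        List<String> samples = List.of(
            "/dashboard?tab=1",
            "https://app.example.com/dashboard",
            "https://evil.example/phish",
            "//evil.example/phish",
            "/\\evil.example/phish",
            "https://app.example.com@evil.example/",
            "javascript:alert(1)",
            "https://app.example.com.evil.example/");
        for (String s : samples) {
            System.out.printf("%-42s unvalidated=%-42s validated=%s%n",
                s, unvalidatedTarget(s), validatedTarget(s));
        }
    }
}
```

Only the first two samples survive `validatedTarget`; every other input is collapsed to `/`. A stronger design, and the one RFC 6749 intends for `state`, is to make the parameter an opaque nonce bound to the user's session and keep the post-login destination server-side keyed by that nonce, so the server never redirects to a value the client supplied at all; the allowlist above is the fallback when the destination genuinely must travel in the URL.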

Generated by OpenCVE AI on June 8, 2026 at 11:20 UTC.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 10:00:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in JeecgBoot up to 3.9.2. Impacted is the function HttpServletResponse.sendRedirect of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java of the component Third-Party Login. This manipulation of the argument state causes open redirect. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The project replied: "After evaluation, this vulnerability has low exploitability in real-world scenarios: 1) Exploiting this vulnerability requires attackers to use social engineering techniques to induce victims to actively click on an OAuth login link constructed by the attacker; it cannot be triggered passively. 2) Third-party login (DingTalk/WeChat, etc.) is an optional feature and may not be enabled in most projects."
Title | | JeecgBoot Third-Party Login ThirdLoginController.java HttpServletResponse.sendRedirect redirect
First Time appeared | | Jeecgboot; Jeecgboot jeecgboot
Weaknesses | | CWE-601
CPEs | | cpe:2.3:a:jeecgboot:jeecgboot:*:*:*:*:*:*:*:*
Vendors & Products | | Jeecgboot; Jeecgboot jeecgboot
References | |
Metrics | | cvssV2_0 {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:C'}
 | | cvssV3_0 {'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C'}
 | | cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C'}
 | | cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-09T14:52:09.835Z

Reserved: 2026-06-07T13:48:50.936Z

Link: CVE-2026-11502

Vulnrichment

Updated: 2026-06-09T14:52:04.870Z

NVD

Status : Deferred

Published: 2026-06-08T10:16:32.770

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T11:30:22Z

Weaknesses