Description
A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.operator.DefaultPluginOperator. The manipulation of the argument path results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-01-29
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file write via path traversal
Action: Assess Impact
AI Analysis

Impact

The vulnerability resides in the installByPath module of jshERP, where the install function accepts a path argument that is not properly validated. An attacker who can trigger this function can supply a crafted path containing traversal sequences, causing the application to write or overwrite files outside the intended plugin directory. This flaw allows the creation or modification of arbitrary files on the filesystem, potentially enabling the execution of malicious code or the alteration of critical configuration files.

Affected Systems

Jishenghua jshERP releases up to and including version 3.6 are affected. The issue remains unpatched, so any deployment of these versions that exposes the installByPath endpoint to the network remains vulnerable.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. EPSS indicates a very low probability of exploitation (<1%), and the vulnerability is not listed in the CISA KEV catalog. A publicly available exploit exists, and attackers only need network access to the installByPath endpoint; no elevated local privileges are required, although the published CVSS vectors record PR:H, so the caller is expected to hold a high-privileged application account. The exploitation path is straightforward: a crafted path value sent to the endpoint causes the application to write an arbitrary file.

Generated by OpenCVE AI on April 18, 2026 at 18:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict network access to the installByPath endpoint, limiting it to trusted IP addresses or internal networks, and enforce strong authentication.
  • Validate all supplied paths to reject any that contain ".." or absolute path prefixes, ensuring only paths within the intended plugin directory are accepted.
  • Monitor the plugin directory and system logs for unexpected file creation or modifications to detect potential misuse.
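The second recommendation (reject ".." and absolute prefixes, accept only paths that stay inside the plugin directory) as an added Java example; this is not code from jshERP or from the starblues plugin framework, and the class and method names (PluginPathValidator, resolveInsidePluginDir) and the base directory /opt/jsherp/plugins are assumptions chosen for illustration. It applies three checks in order: absolute inputs are refused, any ".." segment is refused before resolution, and the normalized result is confirmed to still start with the plugin directory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not jshERP or starblues code): a containment check for a
 * caller-supplied plugin path. Class and method names are assumptions.
 * Assumes a POSIX filesystem; Windows drive-relative forms are not covered.
 */
public final class PluginPathValidator {

    private final Path pluginDir;

    public PluginPathValidator(Path pluginDir) {
        // Canonical base: absolute and normalized so the prefix check is meaningful.
        this.pluginDir = pluginDir.toAbsolutePath().normalize();
    }

    /**
     * Returns the resolved location of the plugin archive, or throws
     * IllegalArgumentException if the supplied value would leave the plugin directory.
     */
    public Path resolveInsidePluginDir(String supplied) {
        if (supplied == null || supplied.isEmpty()) {
            throw new IllegalArgumentException("path is required");
        }
        Path candidate = Paths.get(supplied);

        // Rule 1: absolute paths are rejected outright; the caller may only
        // name a file relative to the plugin directory.
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute paths are not allowed");
        }
        // Rule 2: any ".." segment is rejected before resolution, as the
        // recommendation states, even when it would normalize back inside.
        for (Path segment : candidate) {
            if (segment.toString().equals("..")) {
                throw new IllegalArgumentException("parent-directory segments are not allowed");
            }
        }
        // Rule 3: resolve against the base and confirm the normalized result
        // is still under it. This is the check that matters if rules 1 and 2
        // are ever loosened.
        Path resolved = pluginDir.resolve(candidate).normalize();
        if (!resolved.startsWith(pluginDir)) {
            throw new IllegalArgumentException("path escapes the plugin directory");
        }
        return resolved;
    }

    public static void main(String[] args) {
        PluginPathValidator v = new PluginPathValidator(Paths.get("/opt/jsherp/plugins"));
        // Constructed sample inputs; the comments state the expected decision.
        String[] samples = {
            "my-plugin.jar",            // accepted
            "vendor/my-plugin.jar",     // accepted
            "../../outside.jar",        // rejected by rule 2
            "/tmp/outside.jar",         // rejected by rule 1
            "sub/../../outside.jar"     // rejected by rule 2
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + v.resolveInsidePluginDir(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

normalize() is a purely lexical operation and does not follow symbolic links; if the plugin directory may contain symlinks pointing elsewhere, resolve the parent with toRealPath() once it exists and repeat the startsWith check against the real base.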

Generated by OpenCVE AI on April 18, 2026 at 18:42 UTC.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 20:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:jishenghua:jsherp:*:*:*:*:*:*:*:*

Fri, 30 Jan 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Jishenghua; Jishenghua jsherp
Type: Vendors & Products
Values Added: Jishenghua; Jishenghua jsherp

Thu, 29 Jan 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 29 Jan 2026 13:45:00 +0000

Type: Description
Values Added: A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.operator.DefaultPluginOperator. The manipulation of the argument path results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Type: Title
Values Added: jishenghua jshERP installByPath install path traversal
Type: Weaknesses
Values Added: CWE-22
Type: References
Values Added:
Type: Metrics
Values Added:
cvssV2_0
{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:C'}
cvssV3_0
{'score': 2.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C'}
cvssV3_1
{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C'}
cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:04:07.647Z

Reserved: 2026-01-29T06:01:32.972Z

Link: CVE-2026-1588

Vulnrichment

Updated: 2026-01-29T14:29:42.547Z

NVD

Status : Analyzed

Published: 2026-01-29T14:16:13.260

Modified: 2026-02-13T20:43:37.693

Link: CVE-2026-1588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:45:05Z

Weaknesses