Description
A weakness has been identified in JeecgBoot 3.9.1. This vulnerability affects the function importDocumentFromZip of the file org/jeecg/modules/airag/llm/controller/AiragKnowledgeController.java of the component Retrieval-Augmented Generation. Executing a manipulation can lead to deserialization. The attack can be launched remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-16
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Potential Deserialization vulnerability
Action: Assess Impact
AI Analysis

Impact

A weakness exists in the importDocumentFromZip endpoint of AiragKnowledgeController in the Retrieval‑Augmented Generation component of JeecgBoot 3.9.1. The endpoint deserializes content taken from an uploaded ZIP archive without sufficient validation (the record lists CWE-502, deserialization of untrusted data, together with CWE-20, improper input validation), so a crafted archive can steer which objects the server reconstructs; the SSVC enrichment rates the resulting technical impact as partial. The description notes that the attack can be launched remotely but requires highly complex manipulation, and every CVSS vector on the record additionally requires a low-privileged account (PR:L), so successful exploitation is assessed as difficult.

Affected Systems

JeecgBoot version 3.9.1, specifically the Retrieval‑Augmented Generation component’s AiragKnowledgeController importDocumentFromZip endpoint used for processing ZIP file uploads.

Risk and Exploitability

The headline score of 2.3 is the CVSS 4.0 value and indicates low severity; the CVSS 3.0 and 3.1 vectors on the same record score 5.0 (Medium) and the CVSS 2.0 vector 4.6, all with network access, high attack complexity and low privileges required (AV:N/AC:H/PR:L). The EPSS score of less than 1% signals a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Note, however, that the SSVC enrichment records Exploitation as "poc", meaning proof-of-concept material exists, with Automatable "no". While the attack vector is remote, the required account, skill and effort described in the advisory reduce the likelihood of real‑world exploitation.

Generated by OpenCVE AI on April 18, 2026 at 12:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update JeecgBoot to a version that contains a fix for the importDocumentFromZip deserialization issue. The record states that the project was notified through an issue report and has not responded, so no fixed version is known yet; track the project's issue tracker and releases and apply the first patch that addresses it.
  • Restrict access to the importDocumentFromZip endpoint. The CVSS vectors already require an authenticated account (PR:L), so limit the endpoint to administrative or otherwise trusted roles, or to specific source IP addresses, and disable the RAG document-import feature if it is not required.
  • Validate uploaded ZIP archives strictly before any entry is processed: reject archives with unexpected entry names or types, entries whose names escape the extraction directory, and entries or archives that exceed size and count limits.
  • Replace default Java deserialization of archive content with a safer approach, such as a JEP 290 ObjectInputFilter that allowlists the few classes the import legitimately needs and rejects everything else, or a format that does not reconstruct arbitrary objects at all.
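A concrete form of the last two actions, as an added example that is not JeecgBoot's own code: a hardened import routine that validates every archive entry (entry count, per-entry size counted while reading rather than trusted from the header, traversal-free names, an extension allowlist) and deserializes the one metadata entry only through a JEP 290 ObjectInputFilter allowlist, with constructed sample archives showing a benign import, a rejected class, and a rejected zip-slip name. It assumes that the import path feeds an archive entry to java.io.ObjectInputStream, which the advisory does not state; the entry name meta.ser, the DocumentMeta class, the sink callback and all size caps are hypothetical.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Locale;
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.zip.*;

/** Hypothetical hardened ZIP import; illustrative code, not JeecgBoot's. Needs Java 9+ for ObjectInputFilter. */
public final class SafeZipImport {
    // Caps are illustrative; tune them for the deployment. MAX_ENTRIES * MAX_ENTRY_BYTES bounds the total.
    private static final int MAX_ENTRIES = 100;
    private static final long MAX_ENTRY_BYTES = 10L << 20;   // 10 MiB per entry, counted while reading
    private static final Set<String> ALLOWED_SUFFIXES = Set.of(".txt", ".md", ".pdf", ".docx");
    private static final String META_ENTRY = "meta.ser";     // assumed name of the serialized metadata entry

    /** The only class the import may deserialize (assumed shape). */
    public static final class DocumentMeta implements Serializable {
        private static final long serialVersionUID = 1L;
        final String title; final int chunkSize;
        DocumentMeta(String title, int chunkSize) { this.title = title; this.chunkSize = chunkSize; }
    }

    /** JEP 290 allowlist: first matching pattern wins, "!*" rejects every other class, limits bound the graph. */
    private static final ObjectInputFilter META_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=3;maxrefs=20;maxbytes=65536;" + DocumentMeta.class.getName() + ";java.lang.String;!*");

    /** Validates every entry, hands accepted document bytes to sink, returns the filtered metadata. */
    public static DocumentMeta importZip(InputStream zipBytes, BiConsumer<String, byte[]> sink)
            throws IOException, ClassNotFoundException {
        DocumentMeta meta = null;
        int entries = 0;
        try (ZipInputStream zin = new ZipInputStream(zipBytes)) {
            for (ZipEntry entry; (entry = zin.getNextEntry()) != null; ) {
                if (++entries > MAX_ENTRIES) throw new IOException("too many entries");
                String name = entry.getName();
                validateEntryName(name);
                if (entry.isDirectory()) continue;
                byte[] data = readCapped(zin, MAX_ENTRY_BYTES, name);  // entry.getSize() is attacker-controlled
                int dot = name.lastIndexOf('.');
                if (name.equals(META_ENTRY)) meta = readMeta(data);
                else if (dot >= 0 && ALLOWED_SUFFIXES.contains(name.substring(dot).toLowerCase(Locale.ROOT)))
                    sink.accept(name, data);                           // opaque document bytes, never deserialized
                else throw new IOException("unexpected entry: " + name);
            }
        }
        if (meta == null) throw new IOException("missing " + META_ENTRY);
        return meta;
    }

    /** Reject absolute, drive-qualified, or traversing names before the name is ever used as a path. */
    static void validateEntryName(String name) throws IOException {
        if (name.isEmpty() || name.startsWith("/") || name.startsWith("\\") || name.indexOf(':') >= 0)
            throw new IOException("absolute or drive-qualified entry name: " + name);
        for (String seg : name.split("[/\\\\]"))
            if (seg.equals("..")) throw new IOException("path traversal in entry name: " + name);
    }

    /** Copies an entry while counting bytes, so a lying size header or a zip bomb cannot exhaust memory. */
    static byte[] readCapped(InputStream in, long cap, String name) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        for (long total = 0, n; (n = in.read(buf)) != -1; ) {
            if ((total += n) > cap) throw new IOException("entry exceeds size cap: " + name);
            out.write(buf, 0, (int) n);
        }
        return out.toByteArray();
    }

    /** The filter runs at class resolution, so a class outside the allowlist is rejected before any instance exists. */
    static DocumentMeta readMeta(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(META_FILTER);
            Object o = ois.readObject();                              // InvalidClassException if rejected
            if (!(o instanceof DocumentMeta)) throw new IOException("unexpected metadata type");
            return (DocumentMeta) o;
        }
    }

    /** Constructed sample archive: one serialized metadata entry followed by one document entry. */
    static byte[] buildArchive(Object meta, String docName) throws IOException {
        ByteArrayOutputStream ser = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(ser)) { oos.writeObject(meta); }
        ByteArrayOutputStream zip = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(zip)) {
            zout.putNextEntry(new ZipEntry(META_ENTRY)); zout.write(ser.toByteArray()); zout.closeEntry();
            zout.putNextEntry(new ZipEntry(docName)); zout.write("hello".getBytes("UTF-8")); zout.closeEntry();
        }
        return zip.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        BiConsumer<String, byte[]> sink = (n, d) -> System.out.println("accepted " + n + " (" + d.length + " bytes)");
        DocumentMeta ok = importZip(new ByteArrayInputStream(buildArchive(new DocumentMeta("kb", 512), "notes.txt")), sink);
        System.out.println("title=" + ok.title);
        try {   // metadata entry carries a class outside the allowlist (HashMap stands in for a gadget class)
            importZip(new ByteArrayInputStream(buildArchive(new HashMap<String, String>(), "notes.txt")), sink);
        } catch (IOException e) { System.out.println("rejected: " + e); }
        try {   // zip-slip style entry name
            importZip(new ByteArrayInputStream(buildArchive(new DocumentMeta("kb", 512), "../evil.txt")), sink);
        } catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Run it with `java SafeZipImport.java` (single-file source launch, Java 11 or later). The same pattern string can also be installed process-wide through the `jdk.serialFilter` system property or `ObjectInputFilter.Config.setSerialFilter`, which covers deserialization paths the application does not own; a filter set on an individual stream, as here, replaces the process-wide one for that stream. The trailing `!*` is what turns the list into an allowlist: without it, classes that match no pattern are left undecided and the stream proceeds.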


Advisories

No advisories yet.

History

Wed, 18 Feb 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Jeecg jeecg Boot
CPEs                                  cpe:2.3:a:jeecg:jeecg_boot:3.9.1:*:*:*:*:*:*:*
Vendors & Products                    Jeecg jeecg Boot

Tue, 17 Feb 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Feb 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Jeecg
                                      Jeecg jeecgboot
Vendors & Products                    Jeecg
                                      Jeecg jeecgboot

Mon, 16 Feb 2026 12:15:00 +0000

Type          Values Removed   Values Added
Description                    A weakness has been identified in JeecgBoot 3.9.1. This vulnerability affects the function importDocumentFromZip of the file org/jeecg/modules/airag/llm/controller/AiragKnowledgeController.java of the component Retrieval-Augmented Generation. Executing a manipulation can lead to deserialization. The attack can be launched remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The project was informed of the problem early through an issue report but has not responded yet.
Title                          JeecgBoot Retrieval-Augmented Generation AiragKnowledgeController.java importDocumentFromZip deserialization
Weaknesses                     CWE-20
                               CWE-502
References
Metrics                        cvssV2_0: {'score': 4.6, 'vector': 'AV:N/AC:H/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}
                               cvssV3_0: {'score': 5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}
                               cvssV3_1: {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}
                               cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:09:16.352Z

Reserved: 2026-02-15T17:40:47.462Z

Link: CVE-2026-2555

Vulnrichment

Updated: 2026-02-17T15:53:55.930Z

NVD

Status : Analyzed

Published: 2026-02-16T12:16:22.667

Modified: 2026-02-18T21:43:53.793

Link: CVE-2026-2555

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:15:15Z

Weaknesses