Description
A security vulnerability has been detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file /jeecgboot/sys/dict/loadDict/airag_app,1,create_by of the component Backend Interface. Such manipulation of the argument keyword leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-02-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Patch Now
AI Analysis

Impact

A SQL injection flaw exists in the JeecgBoot backend dictionary-loading interface, /jeecgboot/sys/dict/loadDict. The VulDB record names the argument keyword as the manipulated input; the trailing path segment airag_app,1,create_by in the reported file name identifies the dictionary being loaded, not the injected argument. An attacker can inject SQL into the query the endpoint builds from the keyword, potentially leading to data theft, data modification, or denial of service. The record lists CWE-89 (SQL injection) together with the broader injection class CWE-74 (improper neutralization of special elements passed to a downstream component).

Affected Systems

The issue affects deployments of JeecgBoot up to and including version 3.9.1. The record gives no lower bound and the CPE entry is a wildcard version range with no fixed version recorded, so every earlier release should be treated as affected. The affected component is the backend dictionary-loading interface (/jeecgboot/sys/dict/loadDict).

Risk and Exploitability

The CVSS 4.0 score is 5.3 (medium); the CVSS 3.0 and 3.1 vectors score 6.3. All vectors require low privileges (PR:L) and no user interaction, so the attacker needs an authenticated account on the instance plus network reachability of the endpoint. The EPSS score is below 1%, suggesting low current exploitation probability, and the vulnerability is not catalogued in the CISA KEV list. However, a proof-of-concept exploit has been disclosed publicly (E:P in the vectors), so any authenticated user who can reach the endpoint can attempt it and, if successful, read or modify database contents beyond what the dictionary lookup should expose.

Generated by OpenCVE AI on April 17, 2026 at 17:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JeecgBoot to a release newer than 3.9.1 in which the SQL injection is addressed.
  • If upgrading is not immediately possible, restrict access to the /jeecgboot/sys/dict/loadDict endpoint so that only authenticated administrators can use it.
  • Bind the keyword parameter with a prepared statement (or the equivalent parameter binding in the ORM) instead of concatenating it into the query text; input validation alone is a weaker control and should only supplement binding.
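The remediation above reduces to one change: the keyword must reach the database as a bound parameter, never as part of the SQL text. The script below is an added illustration written for this page, not JeecgBoot's code and not the publicly disclosed exploit. It models a loadDict-style lookup against an in-memory SQLite table with constructed rows, assumes (this page does not say so) that the dictionary code has the form table,text_column,code_column, and uses a hypothetical dictCode airag_app,name,create_by rather than the one in the report. The same keyword is run through a concatenated query and a parameterised one so the difference is observable.

```python
import sqlite3

# Constructed sample data for a hypothetical "airag_app" table (not real data).
SAMPLE_ROWS = [
    ("app-1", "Alice's app", "alice"),
    ("app-2", "Billing bot", "bob"),
    ("app-3", "Internal audit", "carol"),
]

# Allowlist of tables and columns the dictionary loader may expose.
# Identifiers cannot be bound as query parameters, so they are checked
# against this map instead of being taken verbatim from the request.
ALLOWED_DICT_SOURCES = {"airag_app": {"id", "name", "create_by"}}


def make_db():
    """In-memory SQLite stand-in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE airag_app (id TEXT, name TEXT, create_by TEXT)")
    conn.executemany("INSERT INTO airag_app VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def parse_dict_code(dict_code):
    """Split a 'table,text_column,code_column' dictCode (assumed format)."""
    parts = dict_code.split(",")
    if len(parts) != 3:
        raise ValueError("dictCode must be table,text,code")
    return parts[0], parts[1], parts[2]


def load_dict_vulnerable(conn, dict_code, keyword):
    """Builds the WHERE clause by string concatenation (CWE-89).

    A keyword containing a single quote terminates the literal and the rest
    of the keyword is parsed as SQL. The dictCode is also used unchecked.
    """
    table, text_col, code_col = parse_dict_code(dict_code)
    sql = (f"SELECT {text_col}, {code_col} FROM {table} "
           f"WHERE {text_col} LIKE '%{keyword}%'")
    return conn.execute(sql).fetchall()


def load_dict_safe(conn, dict_code, keyword):
    """Allowlists the identifiers and binds the keyword as a parameter."""
    table, text_col, code_col = parse_dict_code(dict_code)
    columns = ALLOWED_DICT_SOURCES.get(table)
    if columns is None or text_col not in columns or code_col not in columns:
        raise PermissionError(f"dictCode not permitted: {dict_code}")
    # Escape LIKE wildcards so the keyword matches literally, then bind it.
    escaped = (keyword.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_"))
    sql = (f"SELECT {text_col}, {code_col} FROM {table} "
           f"WHERE {text_col} LIKE ? ESCAPE '\\'")
    return conn.execute(sql, (f"%{escaped}%",)).fetchall()


def compare(dict_code, keyword):
    """Run both variants on the same input.

    'error' marks a query the database refused to parse; 'rejected' marks a
    dictCode the allowlist turned away before any SQL was built.
    """
    conn = make_db()
    try:
        vulnerable = load_dict_vulnerable(conn, dict_code, keyword)
    except sqlite3.OperationalError:
        vulnerable = "error"
    try:
        safe = load_dict_safe(conn, dict_code, keyword)
    except PermissionError:
        safe = "rejected"
    return {"vulnerable": vulnerable, "safe": safe}


if __name__ == "__main__":
    for kw in ["Bill", "Alice's", "' OR '1'='1"]:
        print(repr(kw), compare("airag_app,name,create_by", kw))
    # A dictCode pointing at the schema catalogue: only the allowlist stops it.
    print(compare("sqlite_master,name,sql", "airag"))
```

The concatenated variant fails on the legitimate value Alice's, which doubles as a cheap smoke test: a dictionary lookup that answers a single quote with a database error is almost certainly building its SQL by concatenation. The allowlist on the dictCode is a second control that the report does not mention; table and column names cannot be bound as parameters, so the only safe way to accept them from a client is to check them against a fixed set. In MyBatis mapper XML the same distinction is #{keyword} (bound) versus ${keyword} (substituted into the statement text).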

Generated by OpenCVE AI on April 17, 2026 at 17:31 UTC.


Advisories

No advisories yet.

History

Tue, 24 Feb 2026 21:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Jeecg jeecg Boot
CPEs                                  cpe:2.3:a:jeecg:jeecg_boot:*:*:*:*:*:*:*:*
Vendors & Products                    Jeecg jeecg Boot

Fri, 20 Feb 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Jeecg
                                      Jeecg jeecgboot
Vendors & Products                    Jeecg
                                      Jeecg jeecgboot

Fri, 20 Feb 2026 04:45:00 +0000

Type           Values Removed   Values Added
Description                     A security vulnerability has been detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file /jeecgboot/sys/dict/loadDict/airag_app,1,create_by of the component Backend Interface. Such manipulation of the argument keyword leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Title                           JeecgBoot Backend airag_app,1,create_by sql injection
Weaknesses                      CWE-74
                                CWE-89
References
Metrics                         cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T19:00:13.575Z

Reserved: 2026-02-19T17:19:57.241Z

Link: CVE-2026-2822

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-20T05:17:53.663

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2822

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses