Description
A flaw has been found in thinkgem JeeSite up to 5.15.1. Impacted is an unknown function of the file /com/jeesite/common/shiro/cas/CasOutHandler.java of the component Endpoint. Executing a manipulation can lead to xml external entity reference. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-02
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Remote XML External Entity (XXE) Vulnerability
Action: Patch When Available
AI Analysis

Impact

A flaw exists in thinkgem JeeSite up to version 5.15.1 within the CasOutHandler endpoint, allowing an attacker to manipulate XML input so that an external entity reference is resolved. This XXE flaw can expose internal resources or cause denial of service by forcing the application to access arbitrary files or URLs. Because the exploit can be performed remotely, an attacker could trigger the vulnerability from outside the network, though the complexity of the attack is considered high and the exploit is difficult to execute. The vulnerability does not provide direct code execution or privilege escalation, but it does enable data disclosure or resource exhaustion in the affected system.

Affected Systems

thinkgem JeeSite versions up through 5.15.1 are affected. The flaw resides in the CasOutHandler component, in the file /com/jeesite/common/shiro/cas/CasOutHandler.java of the Endpoint component.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and the EPSS score being less than 1% shows a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no widely known malicious use at present. However, because the exploit has been published and is remotely reachable, organizations running vulnerable versions should consider upgrading or applying mitigations promptly.

Generated by OpenCVE AI on April 16, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JeeSite to a version that removes the flaw (any release newer than 5.15.1).
  • If an upgrade cannot be performed, reconfigure the XML parser in CasOutHandler to disallow external entity resolution or enforce a secure XML processing policy.
  • Implement network segmentation or firewall rules to limit external access to the endpoint hosting the CasOutHandler, reducing the attack surface.

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 16:15:00 +0000

Type                | Values Removed | Values Added
Metrics             |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Thinkgem; Thinkgem jeesite
Vendors & Products  |                | Thinkgem; Thinkgem jeesite

Mon, 02 Mar 2026 02:15:00 +0000

Type                | Values Removed | Values Added
Description         |                | A flaw has been found in thinkgem JeeSite up to 5.15.1. Impacted is an unknown function of the file /com/jeesite/common/shiro/cas/CasOutHandler.java of the component Endpoint. Executing a manipulation can lead to xml external entity reference. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title               |                | thinkgem JeeSite Endpoint CasOutHandler.java xml external entity reference
First Time appeared |                | Jeesite; Jeesite jeesite
Weaknesses          |                | CWE-610; CWE-611
CPEs                |                | cpe:2.3:a:jeesite:jeesite:*:*:*:*:*:*:*:*
Vendors & Products  |                | Jeesite; Jeesite jeesite
References          |                |
Metrics             |                | cvssV2_0: {'score': 4.6, 'vector': 'AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                    |                | cvssV3_0: {'score': 5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                    |                | cvssV3_1: {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                    |                | cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-02T15:17:14.605Z

Reserved: 2026-03-01T06:55:17.609Z

Link: CVE-2026-3404

Vulnrichment

Updated: 2026-03-02T15:17:10.359Z

NVD

Status: Analyzed

Published: 2026-03-02T02:16:19.800

Modified: 2026-03-09T16:52:14.197

Link: CVE-2026-3404

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:45:25Z

Weaknesses