Description
A vulnerability has been found in thinkgem JeeSite up to 5.15.1. The affected element is an unknown function of the component Connection Handler. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-02
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Remote Path Traversal
Action: Patch
AI Analysis

Impact

A flaw in the Connection Handler of thinkgem JeeSite allows an attacker to manipulate a request and traverse directories to read files outside the intended web root. The vulnerable function has not been publicly identified, but the weakness is classified as CWE-22, so exploitation relies on path-traversal tokens such as "../". Because the attack can be performed remotely and is not limited to local users, the primary consequence is the potential disclosure of sensitive files, including configuration data or source code.

Affected Systems

thinkgem JeeSite versions up to and including 5.15.1 are affected. The vulnerability applies to all installations using the default Connection Handler endpoint without additional access controls. No later versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall severity, and the EPSS score of less than 1% suggests a very low probability that the flaw will be actively exploited in the wild. The vulnerability is not listed in the CISA KEV catalog, further indicating low public exploitation activity. However, because the attack vector is remote, an attacker with network connectivity to the target could attempt to exploit the path traversal to read arbitrary files if the server permits the traversal. The attack is rated as high complexity and exploitation is described as difficult, and even when it succeeds the impact is limited to information disclosure rather than full system compromise.

Generated by OpenCVE AI on April 16, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade thinkgem JeeSite to a version newer than 5.15.1 or apply the vendor patch when it becomes available.
  • Restrict remote access to the Connection Handler component by configuring firewall or web-application firewall rules to limit exposure.
  • Implement strict server-side input validation and directory restrictions to prevent traversal of file paths into disallowed directories.



Advisories

No advisories yet.

History

Mon, 02 Mar 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Thinkgem, Thinkgem jeesite
Vendors & Products    -                Thinkgem, Thinkgem jeesite

Mon, 02 Mar 2026 02:15:00 +0000

Type                  Values Removed   Values Added
Description           -                A vulnerability has been found in thinkgem JeeSite up to 5.15.1. The affected element is an unknown function of the component Connection Handler. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title                 -                thinkgem JeeSite Connection path traversal
First Time appeared   -                Jeesite, Jeesite jeesite
Weaknesses            -                CWE-22
CPEs                  -                cpe:2.3:a:jeesite:jeesite:*:*:*:*:*:*:*:*
Vendors & Products    -                Jeesite, Jeesite jeesite
References            -
Metrics               -                cvssV2_0
                                       {'score': 2.1, 'vector': 'AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
                                       cvssV3_0
                                       {'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
                                       cvssV3_1
                                       {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
                                       cvssV4_0
                                       {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-02T13:36:44.184Z

Reserved: 2026-03-01T06:55:21.512Z

Link: CVE-2026-3405

Vulnrichment

Updated: 2026-03-02T13:36:40.556Z

NVD

Status: Analyzed

Published: 2026-03-02T02:16:20.013

Modified: 2026-03-03T19:46:56.457

Link: CVE-2026-3405

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:45:25Z

Weaknesses