Description
JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing attackers to execute arbitrary code.
Published: 2026-06-17
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a code injection flaw where user input is passed directly to the Aviator expression engine. Because the input is not validated, an attacker can embed arbitrary code in an expression. Successful exploitation would give the attacker the ability to execute code with the privileges of the service process, leading to full compromise of the server and data exposed through the affected interface.

Affected Systems

JimuReport versions 2.3.4 and all earlier releases are affected. The flaw exists in the /jmreport/executeSelectApi endpoint, which is part of the public API surface of the application. The CVE applies to installations that run these versions without an upgrade.

Risk and Exploitability

The CVSS score of 9.1 marks this vulnerability as Critical, while an EPSS score of less than 1% indicates that real‑world exploitation is currently rare. It is not listed in KEV. The likely attack vector is a remote attacker sending a crafted request to the executeSelectApi endpoint. The attacker can supply a malicious Aviator expression and, if the endpoint is reachable, gain remote code execution on the host.

Generated by OpenCVE AI on June 18, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JimuReport to a version newer than 2.3.4 that contains the patch for this flaw.
  • Limit access to the /jmreport/executeSelectApi endpoint so that only authenticated or trusted clients can reach it.
  • Implement input validation or a whitelist to ensure only safe Aviator expressions are processed, or disable the expression parser for untrusted input.

Generated by OpenCVE AI on June 18, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Jeecg
Jeecg jimureport
Vendors & Products Jeecg
Jeecg jimureport

Thu, 18 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Improper Handling of Aviator Expressions in JimuReport

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing attackers to execute arbitrary code.
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Subscriptions

Jeecg Jimureport
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-17T17:25:36.167Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36418

cve-icon Vulnrichment

Updated: 2026-06-17T17:25:17.503Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:34Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')