Impact
The vulnerability is a code injection flaw where user input is passed directly to the Aviator expression engine. Because the input is not validated, an attacker can embed arbitrary code in an expression. Successful exploitation would give the attacker the ability to execute code with the privileges of the service process, leading to full compromise of the server and data exposed through the affected interface.
Affected Systems
JimuReport versions 2.3.4 and all earlier releases are affected. The flaw exists in the /jmreport/executeSelectApi endpoint, which is part of the public API surface of the application. The CVE applies to installations that run these versions without an upgrade.
Risk and Exploitability
The CVSS score of 9.1 marks this vulnerability as Critical, while an EPSS score of less than 1% indicates that real‑world exploitation is currently rare. It is not listed in KEV. The likely attack vector is a remote attacker sending a crafted request to the executeSelectApi endpoint. The attacker can supply a malicious Aviator expression and, if the endpoint is reachable, gain remote code execution on the host.
OpenCVE Enrichment