Description
A vulnerability has been found in JeecgBoot up to 3.9.1. Affected is the function isExistSqlInjectKeyword of the file /jeecg-boot/sys/api/getDictItems. Such manipulation leads to SQL injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Published: 2026-03-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Update
AI Analysis

Impact

The vulnerability resides in the isExistSqlInjectKeyword function of the /jeecg-boot/sys/api/getDictItems endpoint. It allows attackers to inject arbitrary SQL statements, potentially leading to unauthorized data access, modification, or deletion. The flaw is a classic SQL injection that can be exploited over the network, affecting confidentiality, integrity, and availability of the underlying database.

Affected Systems

The issue affects the JeecgBoot platform up to and including version 3.9.1. No later versions are mentioned in the data. The affected component is the getDictItems API in JeecgBoot.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS figure of less than 1% suggests a very low probability of exploitation at this time. It is not listed in CISA's KEV catalog. Attackers could exploit the vulnerability remotely by sending crafted requests to the getDictItems endpoint, but no exploitation prerequisites beyond network access are described. The risk is moderate but the low exploitation likelihood reduces immediate urgency.

Generated by OpenCVE AI on April 16, 2026 at 04:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JeecgBoot to version 3.9.2 or later, ensuring the vulnerable isExistSqlInjectKeyword function is removed or fixed
  • Validate and sanitize all inputs to the getDictItems API, stripping or encoding any SQL keywords before use
  • Implement strict authentication and authorization controls on the getDictItems endpoint, limiting access to trusted users and applying least privilege
  • If upgrade is not feasible, apply an application-level firewall or filter that blocks common SQL injection patterns at the API boundary


Tracking


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Jeecg; Jeecg jeecgboot

Type: Vendors & Products
Values Added: Jeecg; Jeecg jeecgboot

Sat, 07 Mar 2026 21:45:00 +0000

Type: Description
Values Added: A vulnerability has been found in JeecgBoot up to 3.9.1. Affected is the function isExistSqlInjectKeyword of the file /jeecg-boot/sys/api/getDictItems. Such manipulation leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.

Type: Title
Values Added: JeecgBoot getDictItems isExistSqlInjectKeyword sql injection

Type: Weaknesses
Values Added: CWE-74; CWE-89

Type: References
Values Added: (none listed)

Type: Metrics
Values Added:
cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-11T16:28:32.553Z

Reserved: 2026-03-06T20:58:48.694Z

Link: CVE-2026-3672

Vulnrichment

Updated: 2026-03-11T16:23:01.642Z

NVD

Status: Deferred

Published: 2026-03-07T22:15:50.147

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3672

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:45:16Z

Weaknesses