CVE-2026-3733 - Vulnerability Details

- xuxueli xxl-job JobInfoController.java server-side request forgery

Description

A vulnerability was detected in xuxueli xxl-job up to 3.3.2. This impacts an unknown function of the file source-code/src/main/java/com/xxl/job/admin/controller/JobInfoController.java. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. The exploit is now public and may be used. The project maintainer closed the issue report with the following statement: "Access token security verification is required." (translated from Chinese)

Published: 2026-03-08

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in xuxueli xxl‑job allows an attacker to cause the application to make unauthorized outbound HTTP requests, enabling the retrieval or manipulation of data on internal or external resources. This is a classic server‑side request forgery flaw (CWE‑918). The impact includes possible confidentiality and integrity violations on systems accessible by the server, and it may expose internal network resources to external exploitation.

Affected Systems

Vendors: xuxueli; Product: xxl‑job; Versions affected: any release up to and including 3.3.2. No specific later versions are listed as affected; newer releases are presumed safe unless otherwise noted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The exploit requires remote access to the xxl‑job administrative interface and the ability to submit a specially crafted request to JobInfoController.java. The attacker can then force the server to make requests to arbitrary URLs controlled by the attacker, potentially exfiltrating sensitive data or interacting with internal services.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

xuxueli

xxl-job

affected

Version	Status	Constraints
`3.3.0`	affected	—
`3.3.1`	affected	—
`3.3.2`	affected	—

No data.

Vendor Product Confidence Versions

Xuxueli

Xxl-job

95%

Version	Status	Scheme	Platform
`3.3.0`	affected	semver	—
`3.3.1`	affected	semver	—
`3.3.2`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade xxl‑job to the latest available release that includes the SSRF fix or any release beyond 3.3.2 that has addressed this defect.
Ensure the JobInfoController performs strict access token validation before executing remote requests; if the token check is missing or ineffective, enforce it manually or via configuration.
Restrict the xxl‑job server’s outbound network access to a whitelist of trusted internal hosts or required external services, and block all other outgoing connections.

Generated by OpenCVE AI on April 16, 2026 at 10:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00055.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/xuxueli/xxl-job/
https://github.com/xuxueli/xxl-job/issues/3924
https://github.com/xuxueli/xxl-job/issues/3924#issue-3987941359
https://vuldb.com/?ctiid.349711
https://vuldb.com/?id.349711
https://vuldb.com/?submit.767226

History

Wed, 11 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 08 Mar 2026 11:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in xuxueli xxl-job up to 3.3.2. This impacts an unknown function of the file source-code/src/main/java/com/xxl/job/admin/controller/JobInfoController.java. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. The exploit is now public and may be used. The project maintainer closed the issue report with the following statement: "Access token security verification is required." (translated from Chinese)
Title		xuxueli xxl-job JobInfoController.java server-side request forgery
First Time appeared		Xuxueli Xuxueli xxl-job
Weaknesses		CWE-918
CPEs		cpe:2.3:a:xuxueli:xxl-job::::::::
Vendors & Products		Xuxueli Xuxueli xxl-job
References		https://github.com/xuxueli/xxl-job/ https://github.com/xuxueli/xxl-job/issues/3924 https://github.com/xuxueli/xxl-job/issues/3924#issue-3987941359 https://vuldb.com/?ctiid.349711 https://vuldb.com/?id.349711 https://vuldb.com/?submit.767226
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Xuxueli Xxl-job

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-08T11:02:14.508Z

Updated: 2026-03-11T19:52:45.982Z

Reserved: 2026-03-07T18:00:25.805Z

Link: CVE-2026-3733

Vulnrichment

Updated: 2026-03-11T19:52:43.307Z

NVD

Status : Deferred

Published: 2026-03-08T11:15:50.720

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-3733

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:45:26Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object