Description
A vulnerability was found in jeecgboot JimuReport up to 2.3.0. The affected element is the function DriverManager.getConnection of the file /drag/onlDragDataSource/testConnection of the component Data Source Handler. Performing a manipulation of the argument dbUrl results in code injection. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirmed the issue and will provide a fix in the upcoming release.
Published: 2026-04-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Code Injection
Action: Patch Now
AI Analysis

Impact

A flaw in the DriverManager.getConnection function of the Data Source Handler component in jeecgboot JimuReport allows an attacker to inject code through manipulation of the dbUrl argument. This can lead to execution of arbitrary code on the host system, potentially compromising confidentiality, integrity, and availability of data and services. The vulnerability is identified as CWE-74 and CWE-94.

Affected Systems

Any installation of jeecgboot JimuReport up to and including version 2.3.0 is affected. The issue resides in the testConnection routine used to establish database connections, so systems that expose this functionality to external inputs are at risk. Operators should verify the version in use and consider whether database URLs can be influenced by untrusted users.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The exploit has been made public and can be triggered remotely by supplying a crafted dbUrl. Because the code executes the supplied argument, successful exploitation results in remote code execution. While no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the publicly disclosed nature of the exploit and the potential impact elevate the risk, especially for environments that cannot be patched immediately.

Generated by OpenCVE AI on April 9, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's upcoming patch, which eliminates the untrusted code interpretation in the DriverManager.getConnection path; the vendor plans to ship it in the next release. Until a patch is available, harden the environment by restricting database URL inputs to a whitelist of trusted protocols and hostnames, and validate or sanitize the dbUrl string before it is passed to the JDBC driver. Use network controls or firewall rules to block unauthorized traffic that could supply malicious URLs. Finally, after remediation, test the application to verify that DriverManager.getConnection no longer executes injected code.
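The recommended interim hardening (a whitelist of trusted protocols and hostnames, applied to dbUrl before it reaches the JDBC driver) looks like this in practice. This is an added example, not JimuReport or OpenCVE code: the class and method names are hypothetical, and the allow-listed drivers, hosts and URL parameters are constructed placeholders that a deployment would replace with its own policy.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (hypothetical, not JimuReport code): validate an operator-supplied
 * JDBC URL against allow-lists before it ever reaches DriverManager.getConnection.
 */
public final class JdbcUrlAllowList {

    // Constructed deployment policy: which drivers, hosts and URL parameters a
    // data-source "test connection" action may use. Everything else is rejected.
    private static final Set<String> ALLOWED_SUBPROTOCOLS = Set.of("mysql", "postgresql");
    private static final Set<String> ALLOWED_HOSTS = Set.of("db01.internal.example", "db02.internal.example");
    private static final Set<String> ALLOWED_PARAMS = Set.of("useSSL", "sslmode", "serverTimezone", "characterEncoding");
    private static final int MAX_URL_LENGTH = 512;

    private JdbcUrlAllowList() {}

    /** Returns dbUrl unchanged if it passes every check; otherwise throws. */
    public static String validate(String dbUrl) {
        if (dbUrl == null || dbUrl.isBlank() || dbUrl.length() > MAX_URL_LENGTH) {
            throw new IllegalArgumentException("dbUrl missing or too long");
        }
        if (!dbUrl.startsWith("jdbc:")) {
            throw new IllegalArgumentException("dbUrl must start with jdbc:");
        }
        // Strip the jdbc: prefix; for the drivers allowed here what remains
        // ("mysql://host:3306/db?k=v") is a hierarchical URI that java.net.URI can parse.
        String driverPart = dbUrl.substring("jdbc:".length());
        URI uri;
        try {
            uri = new URI(driverPart);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("dbUrl is not a well-formed URL", e);
        }
        String subprotocol = uri.getScheme();
        if (subprotocol == null || !ALLOWED_SUBPROTOCOLS.contains(subprotocol.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("JDBC driver not allowed: " + subprotocol);
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("database host not allowed: " + host);
        }
        if (uri.getRawUserInfo() != null) {
            // Credentials go to getConnection as separate arguments, never inside the URL.
            throw new IllegalArgumentException("credentials must not be embedded in dbUrl");
        }
        String query = uri.getRawQuery();
        if (query != null) {
            for (String pair : query.split("&")) {
                String key = pair.split("=", 2)[0];
                if (!ALLOWED_PARAMS.contains(key)) {
                    throw new IllegalArgumentException("URL parameter not allowed: " + key);
                }
            }
        }
        return dbUrl;
    }

    /** Drop-in replacement for a raw DriverManager.getConnection(dbUrl, user, password). */
    public static Connection openChecked(String dbUrl, String user, String password) throws SQLException {
        return DriverManager.getConnection(validate(dbUrl), user, password);
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs; nothing is actually connected to
            "jdbc:mysql://db01.internal.example:3306/reports?useSSL=true&serverTimezone=UTC",
            "jdbc:postgresql://db02.internal.example/reports?sslmode=require",
            "jdbc:mysql://untrusted.example:3306/reports",                      // host not allow-listed
            "jdbc:mysql://db01.internal.example:3306/reports?unknownOption=1",  // parameter not allow-listed
            "jdbc:h2:mem:test",                                                 // driver not allow-listed
        };
        for (String s : samples) {
            try {
                validate(s);
                System.out.println("ACCEPT " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two design points. First, the check is deny-by-default: a driver, host or connection parameter that is not on the list is rejected rather than flagged, so a URL form the validator does not understand (for instance drivers whose JDBC URL is not a hierarchical URI) fails closed and needs a driver-specific parser before it can be enabled. Second, the validator runs on the server side immediately before DriverManager.getConnection, so it holds regardless of which UI route or API client submitted the dbUrl.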


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Jeecg; Jeecg jimureport

Type: Vendors & Products
Values Removed: (none)
Values Added: Jeecg; Jeecg jimureport

Thu, 09 Apr 2026 05:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was found in jeecgboot JimuReport up to 2.3.0. The affected element is the function DriverManager.getConnection of the file /drag/onlDragDataSource/testConnection of the component Data Source Handler. Performing a manipulation of the argument dbUrl results in code injection. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirmed the issue and will provide a fix in the upcoming release.

Type: Title
Values Removed: (none)
Values Added: jeecgboot JimuReport Data Source testConnection DriverManager.getConnection code injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-74; CWE-94

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV2_0 {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:C'}
  cvssV3_0 {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}
  cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}
  cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Jeecg Jimureport
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-09T14:49:08.071Z

Reserved: 2026-04-08T19:11:02.419Z

Link: CVE-2026-5848

Vulnrichment

Updated: 2026-04-09T14:49:02.173Z

NVD

Status: Received

Published: 2026-04-09T06:16:23.070

Modified: 2026-04-09T06:16:23.070

Link: CVE-2026-5848

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:24:55Z

Weaknesses