CVE-2026-6009 - Vulnerability Details

- Jaspersoft Library Deserialisation Vulnerability

Description

Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution (RCE), potentially allowing code execution on the affected system

Published: 2026-05-19

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a Java Deserialization flaw in the Jaspersoft Reports Library that enables an attacker to run arbitrary code on the affected system. The flaw is rated as a high‑severity issue with a CVSS score of 8.7, indicating significant potential impact on confidentiality, integrity, and availability in affected environments.

Affected Systems

The flaw affects multiple Jaspersoft products, including JasperReports IO At‑Scale, JasperReports IO Professional, JasperReports Library Community Edition, JasperReports Library Professional, JasperReports Server, JasperReports Web Studio, Jaspersoft Studio Community Edition, and Jaspersoft Studio Professional. Specific version information is not supplied in the advisory, so all builds of these products should be verified against the vendor’s patch guidance.

Risk and Exploitability

Because the flaw involves deserialization of untrusted data, the likely attack vector is remote, where an attacker can supply malicious serialized objects to a vulnerable component. The high CVSS score reflects the seriousness of the potential exploitation, but the EPSS score is not available and the issue is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. Nonetheless, the possibility of remote code execution warrants immediate attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Jaspersoft

JasperReports Library Community Edition

unaffected

Version	Status	Constraints
`0`	affected	≤ 7.0.6

Jaspersoft

Jaspersoft Studio Community Edition

unaffected

Version	Status	Constraints
`0`	affected	≤ 7.0.6

Jaspersoft

JasperReports Server

unaffected

Version	Status	Constraints
`0`	affected	≤ 10.0.0

Jaspersoft

JasperReports Library Professional

unaffected

Version	Status	Constraints
`0`	affected	≤ 10.0.0

Jaspersoft

Jaspersoft Studio Professional

unaffected

Version	Status	Constraints
`0`	affected	≤ 10.0.0

Jaspersoft

JasperReports IO Professional

unaffected

Version	Status	Constraints
`0`	affected	≤ 10.0.0

Jaspersoft

JasperReports IO At-Scale

unaffected

Version	Status	Constraints
`0`	affected	≤ 10.0.0

Jaspersoft

JasperReports Web Studio

unaffected

Version	Status	Constraints
`0`	affected	≤ 10.0.1

No data.

Vendor Product Confidence Versions

Jaspersoft

Jasperreports Io At-scale

100%

Version	Status	Scheme	Platform
`[0,10.0.0]`	affected	semver	—

Jaspersoft

Jasperreports Io Professional

100%

Version	Status	Scheme	Platform
`[0,10.0.0]`	affected	semver	—

Jaspersoft

Jasperreports Library Community Edition

100%

Version	Status	Scheme	Platform
`[0,7.0.6]`	affected	semver	—

Jaspersoft

Jasperreports Library Professional

100%

Version	Status	Scheme	Platform
`[0,10.0.0]`	affected	semver	—

Jaspersoft

Jasperreports Server

100%

Version	Status	Scheme	Platform
`[0,10.0.0]`	affected	semver	—

Jaspersoft

Jasperreports Web Studio

100%

Version	Status	Scheme	Platform
`[0,10.0.1]`	affected	semver	—

Jaspersoft

Jaspersoft Studio Community Edition

100%

Version	Status	Scheme	Platform
`[0,7.0.6]`	affected	semver	—

Jaspersoft

Jaspersoft Studio Professional

100%

Version	Status	Scheme	Platform
`[0,10.0.0]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Obtain and install the vendor‑issued patch for CVE‑2026‑6009 from the Jaspersoft community advisory.
Ensure all Jaspersoft Report components are running the latest patched version; if a patch is not yet available, configure the applications to reject or sanitize any untrusted serialized payloads.
Disable Java deserialization of external data where possible, add input validation layers to reject malformed objects, and monitor logs for suspicious deserialization activity.

Generated by OpenCVE AI on May 19, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00396.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-may-19-2026-jaspersoft-library-cve-2026-6009-r11/

History

Wed, 20 May 2026 11:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jaspersoft Jaspersoft jasperreports Io At-scale Jaspersoft jasperreports Io Professional Jaspersoft jasperreports Library Community Edition Jaspersoft jasperreports Library Professional Jaspersoft jasperreports Server Jaspersoft jasperreports Web Studio Jaspersoft jaspersoft Studio Community Edition Jaspersoft jaspersoft Studio Professional
Vendors & Products		Jaspersoft Jaspersoft jasperreports Io At-scale Jaspersoft jasperreports Io Professional Jaspersoft jasperreports Library Community Edition Jaspersoft jasperreports Library Professional Jaspersoft jasperreports Server Jaspersoft jasperreports Web Studio Jaspersoft jaspersoft Studio Community Edition Jaspersoft jaspersoft Studio Professional

Tue, 19 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 19 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution (RCE), potentially allowing code execution on the affected system
Title		Jaspersoft Library Deserialisation Vulnerability
Weaknesses		CWE-502
References		https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-may-19-2026-jaspersoft-library-cve-2026-6009-r11/
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Jaspersoft Jasperreports Io At-scale Jasperreports Io Professional Jasperreports Library Community Edition Jasperreports Library Professional Jasperreports Server Jasperreports Web Studio Jaspersoft Studio Community Edition Jaspersoft Studio Professional

MITRE

Status: PUBLISHED

Assigner: Jaspersoft

Published: 2026-05-19T17:23:40.646Z

Updated: 2026-05-20T03:55:41.132Z

Reserved: 2026-04-09T14:16:26.621Z

Link: CVE-2026-6009

Vulnrichment

Updated: 2026-05-19T17:54:52.611Z

NVD

Status : Awaiting Analysis

Published: 2026-05-19T18:16:29.613

Modified: 2026-05-19T21:08:41.030

Link: CVE-2026-6009

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:39:09Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object