Description
A vulnerability was found in JeecgBoot up to 3.9.1. Affected is the function SqlInjectionUtil in the file jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java of the component loadDict Endpoint. Manipulation of the argument keyword leads to SQL injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. Patch name: a9c8e8eb1185751c4c3c68d2a53f3dadee9edc6b. To fix this issue, it is recommended to apply the patch.
Published: 2026-04-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A classic SQL injection flaw exists in the loadDict endpoint of JeecgBoot before version 3.9.1. The issue originates in the SqlInjectionUtil class, where the keyword parameter is concatenated directly into an SQL statement without adequate sanitization, allowing the injection of arbitrary SQL commands. This can lead to unauthorized database queries, data exfiltration, or alteration of data. The vulnerability is associated with CWE-74 and CWE-89.

Affected Systems

The affected product is JeecgBoot, specifically all releases up to and including version 3.9.1.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack could be carried out remotely by sending crafted requests to a publicly exposed loadDict endpoint. The description does not state whether authentication is required, so that remains unclear. Adversaries with network access to the service may be able to exploit the injection to read or modify database contents.

Generated by OpenCVE AI on April 29, 2026 at 02:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the patch identified by commit a9c8e8eb1185751c4c3c68d2a53f3dadee9edc6b or upgrade to a newer version of JeecgBoot that includes the fix
  • Disable or restrict public access to the loadDict endpoint if it is not needed for external clients
  • Implement input validation or parameterized queries in SqlInjectionUtil to prevent future injection flaws
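The third action above, illustrated with an added example that is not JeecgBoot's code: a Python/sqlite3 stand-in for a dictionary lookup, with the keyword spliced into the SQL text beside the same lookup written with a bound parameter. The table, rows and function names are constructed for illustration; the point is that a keyword containing a quote reaches the SQL parser in the first form and stays plain data in the second.

```python
import sqlite3

# Constructed sample dictionary rows; not the project's real schema.
ROWS = [
    ("sex", "Gender", "male/female"),
    ("oneil", "O'Neil Dept", "sales"),
]


def _connect():
    # Fresh in-memory database per call so each lookup is independent.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_dict (dict_code TEXT, dict_name TEXT, description TEXT)")
    conn.executemany("INSERT INTO sys_dict VALUES (?, ?, ?)", ROWS)
    return conn


def load_dict_concat(keyword):
    """Vulnerable pattern: the keyword becomes part of the SQL text,
    so the database parser treats user input as statement syntax."""
    conn = _connect()
    sql = "SELECT dict_code, dict_name FROM sys_dict WHERE dict_name LIKE '%" + keyword + "%'"
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def load_dict_param(keyword):
    """Hardened pattern: the keyword is sent as a bound parameter, so
    any quote inside it is data and never alters the statement."""
    conn = _connect()
    sql = "SELECT dict_code, dict_name FROM sys_dict WHERE dict_name LIKE ?"
    try:
        return conn.execute(sql, ("%" + keyword + "%",)).fetchall()
    finally:
        conn.close()


def keyword_reaches_parser(keyword):
    """Check helper: True when the concatenated form fails to parse,
    i.e. the keyword was interpreted as SQL rather than as a value."""
    try:
        load_dict_concat(keyword)
        return False
    except sqlite3.OperationalError:
        return True
```

A bound parameter does not neutralise LIKE wildcards (% and _) inside the keyword; if those must match literally, escape them and add an ESCAPE clause.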

Generated by OpenCVE AI on April 29, 2026 at 02:38 UTC.


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Jeecg
                                      Jeecg jeecgboot
Vendors & Products                    Jeecg
                                      Jeecg jeecgboot

Tue, 28 Apr 2026 18:30:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability was found in JeecgBoot up to 3.9.1. Affected is the function SqlInjectionUtil in the file jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java of the component loadDict Endpoint. Manipulation of the argument keyword leads to SQL injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. Patch name: a9c8e8eb1185751c4c3c68d2a53f3dadee9edc6b. To fix this issue, it is recommended to apply the patch.
Title                          JeecgBoot loadDict Endpoint SqlInjectionUtil.java SqlInjectionUtil sql injection
Weaknesses                     CWE-74
                               CWE-89
References
Metrics                        cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
                               cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
                               cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
                               cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T18:50:11.921Z

Reserved: 2026-04-28T09:47:54.479Z

Link: CVE-2026-7290

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-04-28T19:37:47.913

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7290

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:00:09Z

Weaknesses