Description
A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.4.0 is recommended to address this issue. The patch is identified as d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a. It is suggested to upgrade the affected component.
Published: 2026-04-28
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: Remote Resource Disclosure
Action: Patch
AI Analysis

Impact

The flaw in the JobLogController logDetailCat endpoint allows an attacker to craft a logId value that bypasses the intended resource constraints, giving the actor control over which log entries or underlying files the application loads. Because the vulnerability can be triggered from a remote interface and the patch for this issue has already been released to the public, an exploitation attempt could result in the disclosure of sensitive data or the execution of arbitrary commands if the log files contain executable content. The CVE report states that the attack requires high complexity but is considered difficult to execute, indicating that significant expertise and precise input manipulation are required to successfully exploit the flaw.

Affected Systems

The affected product is Xuxueli xxl-job, version 3.3.2 and earlier. The vulnerability is present in the execution log handling component, specifically the logDetailCat method within the JobLogController. Versions 3.4.0 and later contain the vendor‑supplied fix. No other vendors or components are listed as impacted.

Risk and Exploitability

The CVSS base score for this issue is 6.3, reflecting a moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The official advisory notes that the exploit has been released publicly, but the high complexity and difficulty of exploitation mean that attacks would likely be targeted and high‑value. Nonetheless, the potential for unauthorized access to internal resources warrants immediate attention.

Generated by OpenCVE AI on April 29, 2026 at 01:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Xuxueli xxl-job to version 3.4.0 or later to apply the vendor patch
  • If an upgrade is not possible immediately, implement input validation on the logId parameter to ensure only numeric identifiers within the allowed range are accepted
  • Continuously monitor job logs and access controls for anomalous activity, and apply least‑privilege principles to the components handling execution logs

Generated by OpenCVE AI on April 29, 2026 at 01:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.4.0 is recommended to address this issue. The patch is identified as d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a. It is suggested to upgrade the affected component.
Title Xuxueli xxl-job Execution Log JobLogController.java logDetailCat resource injection
First Time appeared Xuxueli
Xuxueli xxl-job
Weaknesses CWE-99
CPEs cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*:*
Vendors & Products Xuxueli
Xuxueli xxl-job
References
Metrics cvssV2_0

{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Xuxueli Xxl-job
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T19:00:17.015Z

Reserved: 2026-04-28T11:45:02.447Z

Link: CVE-2026-7303

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-28T22:16:50.720

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7303

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T01:30:06Z

Weaknesses