Description
A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): "Triggers are manually activated and involve login and access control, thus requiring management." The pull request by the researcher got rejected because of that.
Published: 2026-04-28
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Server-Side Request Forgery
Action: Assess Impact
AI Analysis

Impact

A manipulation of the addressList argument within the triggerJob function of Xuxueli xxl‑job's trigger endpoint enables server‑side request forgery. By supplying arbitrary addresses, an attacker could cause the server to issue unintended HTTP requests to internal or external resources. The official description states that this flaw can be triggered remotely and that an exploit is publicly available. However, the project maintainer notes that triggering a job requires authentication and appropriate management privileges, implying that an attacker would need valid credentials to exploit the vulnerability.

Affected Systems

The vulnerability affects the Xuxueli xxl‑job component, specifically the triggerJob method in the xxl‑job‑admin module, in all releases up to and including version 3.3.2.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium‑severity flaw. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation likely requires remote access to the triggerJob API combined with valid administrative authentication. If exploited, the server‑side request forgery could allow an attacker to reach internal services, exfiltrate data, or pivot to further network targets. The overall risk is moderate, primarily limited by the need for authorized access to the endpoint.

Generated by OpenCVE AI on April 29, 2026 at 01:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy an updated release of xxl‑job that contains the SSRF fix (e.g., version 3.3.3 or later, if available).
  • Restrict the triggerJob API to users with explicit administrative privileges and enforce strong authentication and role‑based access controls.
  • Configure firewall or network segmentation rules to block outbound requests from the xxl‑job server to sensitive internal networks unless explicitly permitted.
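The recommended actions above reduce who can reach the trigger endpoint and where the server may connect, but the root cause is that addressList is accepted as free-form input. A defender can close that gap in the application itself by validating the supplied addresses against the executors the administrator has already registered, rejecting anything else. The class below is an added illustration written for this record, not xxl-job's own code; the class name, method names and the "host:port" format of the registered executor set are assumptions, and the sample data in main is constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical allowlist check for a trigger endpoint's address list.
 * Not xxl-job's code: the class, method names and the registered-executor
 * set format ("host:port") are assumptions made for this example.
 */
public final class AddressListValidator {

    /** Normalize "host:port" or "http://host:port/..." to lower-case "host:port", or fail. */
    static String normalize(String raw) {
        String s = raw.trim();
        if (s.isEmpty()) {
            throw new IllegalArgumentException("empty address entry");
        }
        // Bare "host:port" entries are parsed as if they carried an http scheme.
        String withScheme = s.contains("://") ? s : "http://" + s;
        URI uri;
        try {
            uri = new URI(withScheme);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("unparseable address: " + raw, e);
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("unsupported scheme in address: " + raw);
        }
        // Require an explicit host and port, and refuse user-info in the authority,
        // so that "user@host" tricks and scheme/port defaults cannot slip past the allowlist.
        if (uri.getHost() == null || uri.getPort() == -1 || uri.getUserInfo() != null) {
            throw new IllegalArgumentException("address must be host:port without credentials: " + raw);
        }
        return uri.getHost().toLowerCase(Locale.ROOT) + ":" + uri.getPort();
    }

    /**
     * Returns the normalized entries of a comma-separated addressList, provided every
     * entry is a registered executor. Any unregistered entry fails the whole request
     * closed rather than silently dropping it.
     */
    static List<String> checkAgainstRegistered(String addressList, Set<String> registered) {
        List<String> accepted = new ArrayList<>();
        for (String entry : addressList.split(",")) {
            String normalized = normalize(entry);
            if (!registered.contains(normalized)) {
                throw new IllegalArgumentException("address not registered: " + entry.trim());
            }
            accepted.add(normalized);
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed sample: executors an administrator has registered for a job group.
        Set<String> registered = Set.of("executor-a.internal:9999", "executor-b.internal:9999");

        // Accepted: both entries match registered executors.
        System.out.println(checkAgainstRegistered(
                "executor-a.internal:9999, executor-b.internal:9999", registered));

        String[] rejected = {
            "10.0.0.5:8080",                        // internal host that is not a registered executor
            "http://user@executor-a.internal:9999", // user-info in the authority
            "executor-a.internal",                  // missing port
            "ftp://executor-a.internal:21"          // unsupported scheme
        };
        for (String bad : rejected) {
            try {
                checkAgainstRegistered(bad, registered);
                System.out.println("UNEXPECTEDLY ACCEPTED: " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The check is deliberately fail-closed: one unregistered entry rejects the entire trigger rather than trimming the list, which keeps the failure visible in logs and avoids an administrator believing a job ran against every address they supplied. Pairing this with the egress rules in the actions above gives two independent controls, one at the input and one at the network boundary.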


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 22:15:00 +0000

Type / Values Removed / Values Added

Values Removed: (none listed)

Values Added:

Description: A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): "Triggers are manually activated and involve login and access control, thus requiring management." The pull request by the researcher got rejected because of that.

Title: Xuxueli xxl-job trigger Endpoint XxlJobServiceImpl.java triggerJob server-side request forgery

First Time appeared: Xuxueli; Xuxueli xxl-job

Weaknesses: CWE-918

CPEs: cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*:*

Vendors & Products: Xuxueli; Xuxueli xxl-job

References: (none listed)

Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T13:09:52.781Z

Reserved: 2026-04-28T11:45:12.858Z

Link: CVE-2026-7305

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-28T22:16:50.893

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7305

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T01:30:06Z

Weaknesses