Description
A vulnerability was found in JeecgBoot up to 3.9.1. Affected is an unknown part of the file /sys/fillRule/edit in the FillRuleUtil component. Manipulation of the argument ruleClass results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. You should upgrade the affected component. The vendor confirmed the issue and will provide a fix in an upcoming release.
Published: 2026-05-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in JeecgBoot's FillRuleUtil component, reachable through the /sys/fillRule/edit endpoint, allows an attacker to manipulate the ruleClass parameter. The manipulated value bypasses the intended authorization check, enabling a threat actor to perform actions beyond their intended privileges. The vulnerability is exploitable remotely via the web interface, and the attack could let an attacker elevate privileges or execute privileged operations without authentication. All releases up to and including 3.9.1 are affected.

Affected Systems

JeecgBoot, a Java-based rapid development platform, is affected. The flaw resides in the FillRuleUtil component of JeecgBoot up to version 3.9.1. No patch is currently available; the vendor has confirmed the issue and will provide a fix in an upcoming release.

Risk and Exploitability

The CVSS score of 5.3 (v4.0) indicates moderate severity. EPSS is recorded on this page as below 1% (Very Low), and the vulnerability is not listed in the CISA KEV catalog. The description states that the attack may be performed remotely; the most likely attack path is inferred to be a direct HTTP request to the /sys/fillRule/edit endpoint with a crafted ruleClass value. A public exploit exists, so no local compromise is needed beforehand. Note, however, that the recorded CVSS vectors (Au:S in v2.0, PR:L in v3.x and v4.0) indicate that a low-privileged account is required, so "remote" here does not by itself mean unauthenticated.

Generated by OpenCVE AI on May 2, 2026 at 10:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official vendor patch once it is released; the vendor has confirmed a fix in an upcoming release that addresses the improper privilege handling (CWE-266) and missing authorization checks (CWE-285).
  • Limit exposure in the meantime by restricting network access to the /sys/fillRule/edit endpoint to trusted hosts or roles, so that unauthorized HTTP requests never reach it.
  • Enforce input validation or an allowlist policy for the ruleClass parameter so that only known, permitted values are accepted, mitigating the improper authorization (CWE-285).


Tracking


Advisories

No advisories yet.

History

Sat, 02 May 2026 04:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: (the Description text shown at the top of this page)

Type: Title
Values Removed: (none)
Values Added: JeecgBoot FillRuleUtil edit improper authorization

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-266, CWE-285

Type: References
Values Removed: (none)
Values Added: (none recorded)

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}



MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-02T03:15:12.820Z

Reserved: 2026-05-01T11:57:48.649Z

Link: CVE-2026-7602

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-02T04:16:23.650

Modified: 2026-05-02T04:16:23.650

Link: CVE-2026-7602

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T10:15:16Z

Weaknesses