Description
A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.java of the component LoadFile Endpoint. Manipulation of the argument files causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor confirmed the issue and will provide a fix in the upcoming release.
Published: 2026-05-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability was identified in JeecgBoot up to version 3.9.1 that allows an attacker to manipulate the files argument handled by the checkPathTraversalBatch method of the FileDownloadUtils.java component. This manipulation can cause the application to issue HTTP requests on the attacker's behalf, effectively enabling server-side request forgery. The impact is that an attacker can cause the server to communicate with internal or external resources, potentially exposing confidential data or aiding further exploitation. The CVE description confirms that the exploit is publicly disclosed and can be initiated remotely.

Affected Systems

The affected product is JeecgBoot, with the vulnerability present in all releases up to and including version 3.9.1. The specific component impacted is the LoadFile Endpoint in FileDownloadUtils.java, which accepts a files argument susceptible to manipulation.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3, indicating medium severity. No EPSS score is provided, and the issue is not listed in the CISA KEV catalog. According to the description, the attack vector is remote and relies on server-side request forgery, meaning an attacker only needs to send crafted requests to the vulnerable endpoint to trigger the exploit. The vendor has acknowledged the issue and will release a fix in an upcoming update.

Generated by OpenCVE AI on May 2, 2026 at 06:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch by upgrading to the latest JeecgBoot release when it becomes available.
  • Limit exposure of the LoadFile endpoint by restricting access to trusted IP addresses or by requiring authentication before requests are processed.
  • Configure outbound network restrictions on the application host to block or log unexpected requests to internal resources, mitigating the risk of unintended SSRF actions.


Advisories

No advisories yet.

History

Sat, 02 May 2026 05:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.jav of the component LoadFile Endpoint. This manipulation of the argument files causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor confirmed the issue and will provide a fix in the upcoming release.

Type: Title
Values Removed: (none)
Values Added: JeecgBoot LoadFile Endpoint FileDownloadUtils.jav checkPathTraversalBatch server-side request forgery

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added:
  • cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
  • cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
  • cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
  • cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-02T04:15:11.675Z

Reserved: 2026-05-01T11:57:52.270Z

Link: CVE-2026-7603

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-02T05:16:01.570

Modified: 2026-05-02T05:16:01.570

Link: CVE-2026-7603

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses