Description
A vulnerability was identified in JeecgBoot up to 3.9.1. Affected by this issue is some unknown functionality of the file /sys/dict/loadTreeData of the component JSON Object Handler. The manipulation of the argument condition leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor confirms (translated from Chinese): "It should have been fixed; a batch of issues were recently resolved."
Published: 2026-05-07
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a SQL injection: an unauthenticated remote user sends crafted data to the /sys/dict/loadTreeData endpoint of the JeecgBoot JSON Object Handler and, by manipulating the condition parameter, injects SQL into the query the handler builds. If successful, the attacker could query, modify or delete database content, potentially leaking confidential data or corrupting system integrity.

Affected Systems

JeecgBoot installations running up to and including version 3.9.1 are affected. The vulnerability resides in the JSON Object Handler component; no other products or vendors are listed.

Risk and Exploitability

The CVSS score of 5.3 places the issue in the medium severity range. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, but public exploit code exists. Because the attack vector is remote and the authentication requirement is absent, the risk is realistic for exposed deployments. Successful exploitation would lead to unauthorized database access.

Generated by OpenCVE AI on May 7, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade JeecgBoot to a version newer than 3.9.1, as the vendor has confirmed the issue is fixed in recent releases.
  • If an upgrade is not immediately possible, restrict access to the /sys/dict/loadTreeData endpoint to trusted IPs or authenticated users.
  • Deploy a web application firewall or input validation filter to block suspicious SQL payloads targeting the condition parameter.
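The "input validation filter" and the parameterized query that the actions above call for, as an added example that is not JeecgBoot's code: it is written in Python with sqlite3 rather than in the project's Java, but the technique is the same one a Java/MyBatis service would apply (bound parameters such as #{} for values, an allowlist for identifiers that cannot be bound). The table sys_dict_item, its column allowlist and the sample rows are hypothetical and constructed here; the endpoint shape only mirrors the "condition" JSON object named in the description.

```python
from __future__ import annotations

import json
import sqlite3
from typing import Any

# Hypothetical dictionary-item table and the only columns a caller may filter on.
# Column names are assumptions for this example, not JeecgBoot's schema.
ALLOWED_COLUMNS = frozenset({"dict_code", "item_text", "status", "parent_id"})


class ConditionRejected(ValueError):
    """Raised when a 'condition' object fails validation before any SQL is built."""


def build_where_unsafe(condition_json: str) -> str:
    """The weakness pattern: JSON keys and values are pasted straight into SQL text,
    so a quote character inside a value changes the structure of the query."""
    cond = json.loads(condition_json)
    clauses = [f"{col} = '{val}'" for col, val in cond.items()]
    return " AND ".join(clauses) or "1=1"


def build_where_safe(condition_json: str) -> tuple[str, list[Any]]:
    """Validation filter plus parameter binding:
    - the document must be a JSON object,
    - every key must be an allowlisted column name (identifiers cannot be bound),
    - every value must be a string or number and is passed as a bound parameter."""
    try:
        cond = json.loads(condition_json)
    except json.JSONDecodeError as exc:
        raise ConditionRejected(f"condition is not valid JSON: {exc.msg}") from None
    if not isinstance(cond, dict):
        raise ConditionRejected("condition must be a JSON object")
    clauses: list[str] = []
    params: list[Any] = []
    for col, val in cond.items():
        if col not in ALLOWED_COLUMNS:
            raise ConditionRejected(f"column not permitted in condition: {col!r}")
        if not isinstance(val, (str, int, float)):
            raise ConditionRejected(f"value for {col!r} must be a string or number")
        clauses.append(f"{col} = ?")  # column came from the allowlist; value is a placeholder
        params.append(val)
    return (" AND ".join(clauses) or "1=1"), params


def condition_accepted(condition_json: str) -> bool:
    """True if the validation filter would let this condition through."""
    try:
        build_where_safe(condition_json)
        return True
    except ConditionRejected:
        return False


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (id, dict_code, item_text, status, parent_id)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sys_dict_item ("
        "id INTEGER PRIMARY KEY, dict_code TEXT, item_text TEXT, status INTEGER, parent_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO sys_dict_item VALUES (?, ?, ?, ?, ?)",
        [
            (1, "sex", "Male", 1, 0),
            (2, "sex", "Female", 1, 0),
            (3, "sex", "Unknown", 0, 0),
            (4, "customer", "O'Brien", 1, 0),
        ],
    )
    return conn


def load_tree_data(conn: sqlite3.Connection, condition_json: str) -> list[tuple[int, str]]:
    """Hardened version of a loadTreeData-style handler: validate, then bind."""
    where, params = build_where_safe(condition_json)
    sql = f"SELECT id, item_text FROM sys_dict_item WHERE {where} ORDER BY id"
    return conn.execute(sql, params).fetchall()


def unsafe_query_breaks(conn: sqlite3.Connection, condition_json: str) -> bool:
    """Show the defect: with string concatenation an apostrophe in an ordinary value
    already alters the SQL, here surfacing as a syntax error from the database."""
    sql = f"SELECT id, item_text FROM sys_dict_item WHERE {build_where_unsafe(condition_json)}"
    try:
        conn.execute(sql).fetchall()
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = setup_db()
    print(load_tree_data(db, '{"dict_code": "sex", "status": 1}'))  # [(1, 'Male'), (2, 'Female')]
    print(load_tree_data(db, '{"item_text": "O\'Brien"}'))          # [(4, "O'Brien")]
    print(unsafe_query_breaks(db, '{"item_text": "O\'Brien"}'))     # True
    print(condition_accepted('{"password": "x"}'))                  # False
```

The allowlist is the part a WAF cannot supply: column names arrive in the JSON keys, and there is no placeholder syntax for identifiers, so the application itself has to decide which columns a caller may filter on. Note also that the CVSS vectors recorded below list PR:L, i.e. the metrics assume a low-privileged account can reach the endpoint, so limiting the route to authenticated users reduces exposure but does not by itself remove the weakness.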



Advisories

No advisories yet.

History

Thu, 07 May 2026 22:15:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability was identified in JeecgBoot up to 3.9.1. Affected by this issue is some unknown functionality of the file /sys/dict/loadTreeData of the component JSON Object Handler. The manipulation of the argument condition leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor confirms (translated from Chinese): "It should have been fixed; a batch of issues were recently resolved."
Title                          JeecgBoot JSON Object loadTreeData sql injection
Weaknesses                     CWE-74, CWE-89
References
Metrics                        cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}



MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-07T22:00:11.288Z

Reserved: 2026-05-07T16:36:58.973Z

Link: CVE-2026-8114

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-07T22:16:37.843

Modified: 2026-05-07T22:16:37.843

Link: CVE-2026-8114

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T23:30:40Z

Weaknesses