Description
A vulnerability was identified in JeecgBoot up to 3.9.1. The impacted element is an unknown function of the file /sys/comment/add. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit is publicly available and might be used. Upgrading to version 3.9.2 is sufficient to resolve this issue. Upgrading the affected component is recommended.
Published: 2026-05-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in a component of JeecgBoot, specifically an unknown function in the /sys/comment/add path. Misconfigured or missing authorization checks allow attackers to invoke the add-comment operation without proper authentication or authorization. The flaw is an instance of both improper access control (CWE-284) and incorrect privilege assignment (CWE-266). When exploited, an attacker can add comments or otherwise manipulate data that should be protected, potentially exposing sensitive information or undermining user privileges. The CVSS base score of 5.3 places the flaw in the medium severity range.

Affected Systems

All installations of JeecgBoot through version 3.9.1 are affected, as the issue resides in the core application code. Users running v3.9.1 or older are at risk; versions 3.9.2 and newer contain the mitigation.

Risk and Exploitability

The flaw can be exploited remotely by sending crafted requests to the /sys/comment/add endpoint, and the vulnerability is publicly documented and likely has a publicly available exploit. The EPSS score is not available, and the flaw is not listed in CISA’s KEV catalog, so the overall exploitation potential is uncertain but the remote nature raises concern. The moderate CVSS score indicates that the impact is limited to unauthorized data manipulation rather than full system compromise, but the ability to alter or inject information is still significant.

Generated by OpenCVE AI on May 26, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JeecgBoot to version 3.9.2 or later to apply the vendor-supplied fix.
  • Restrict access to the /sys/comment/add endpoint by using network-level controls or application firewall rules, limiting traffic to trusted IP ranges or authenticated sessions.
  • Configure the application to enforce role‑based access controls for comment addition, ensuring that only users with explicit permission can invoke the endpoint.

Advisories

No advisories yet.

History

Thu, 28 May 2026 14:15:00 +0000

  • Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 21:15:00 +0000

  • Description added: A vulnerability was identified in JeecgBoot up to 3.9.1. The impacted element is an unknown function of the file /sys/comment/add. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit is publicly available and might be used. Upgrading to version 3.9.2 is sufficient to resolve this issue. Upgrading the affected component is recommended.
  • Title added: JeecgBoot add access control
  • First Time appeared: Jeecgboot; Jeecgboot jeecgboot
  • Weaknesses added: CWE-266, CWE-284
  • CPEs added: cpe:2.3:a:jeecgboot:jeecgboot:*:*:*:*:*:*:*:*
  • Vendors & Products added: Jeecgboot; Jeecgboot jeecgboot
  • References:
  • Metrics added:
    cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
    cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
    cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
    cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-28T13:32:33.146Z

Reserved: 2026-05-26T12:50:10.272Z

Link: CVE-2026-9581

Vulnrichment

Updated: 2026-05-28T13:30:58.223Z

NVD

Status: Deferred

Published: 2026-05-26T21:16:45.327

Modified: 2026-05-28T14:16:26.503

Link: CVE-2026-9581

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T22:45:06Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-284

    Improper Access Control