Description

A weakness has been identified in JeecgBoot 3.9.1. This vulnerability affects the function importDocumentFromZip in the file org/jeecg/modules/airag/llm/controller/AiragKnowledgeController.java of the Retrieval-Augmented Generation component. Manipulation of this function can lead to deserialization. The attack can be launched remotely. The attack complexity is high, and exploitability is stated to be difficult. The project was informed of the problem early through an issue report but has not responded yet.

PUBLISHED Reserved 2026-02-15 | Published 2026-02-16 | Updated 2026-02-23 | Assigner VulDB




LOW: 2.3 | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X
MEDIUM: 5.0 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R
MEDIUM: 5.0 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R
4.6 | AV:N/AC:H/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR

Problem types

Deserialization

Improper Input Validation

Timeline

2026-02-15: Advisory disclosed
2026-02-15: VulDB entry created
2026-02-20: VulDB entry last update

Credits

chuan001 (VulDB User) reporter

References

github.com/jeecgboot/JeecgBoot/issues/9335 exploit

vuldb.com/?id.346163 (VDB-346163 | JeecgBoot Retrieval-Augmented Generation AiragKnowledgeController.java importDocumentFromZip deserialization) vdb-entry technical-description

vuldb.com/?ctiid.346163 (VDB-346163 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.750232 (Submit #750232 | jeecgboot JeecgBoot 3.9.1 Remote Command Execution) third-party-advisory

github.com/jeecgboot/JeecgBoot/issues/9335 issue-tracking

github.com/jeecgboot/JeecgBoot/ product

cve.org (CVE-2026-2555)

nvd.nist.gov (CVE-2026-2555)