Description

A vulnerability was detected in xuxueli xxl-job up to 3.3.2. This impacts an unknown function of the file source-code/src/main/java/com/xxl/job/admin/controller/JobInfoController.java. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. The exploit is now public and may be used. The project maintainer closed the issue report with the following statement: "Access token security verification is required." (translated from Chinese)

PUBLISHED Reserved 2026-03-07 | Published 2026-03-08 | Updated 2026-03-08 | Assigner VulDB




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
MEDIUM: 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
6.5 | AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Problem types

Server-Side Request Forgery

Product status

3.3.0: affected
3.3.1: affected
3.3.2: affected

Timeline

2026-03-07: Advisory disclosed
2026-03-07: VulDB entry created
2026-03-07: VulDB entry last update

Credits

ZAST.AI (VulDB User) reporter

References

vuldb.com/?id.349711 (VDB-349711 | xuxueli xxl-job JobInfoController.java server-side request forgery) vdb-entry

vuldb.com/?ctiid.349711 (VDB-349711 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.767226 (Submit #767226 | xuxueli xxl-job <=3.3.2 SSRF) third-party-advisory

github.com/xuxueli/xxl-job/issues/3924 issue-tracking

github.com/xuxueli/xxl-job/issues/3924 exploit issue-tracking

github.com/xuxueli/xxl-job/ product

cve.org (CVE-2026-3733)

nvd.nist.gov (CVE-2026-3733)