Home

Description

A vulnerability was determined in JeecgBoot up to 3.9.1. Impacted is the function SqlInjectionUtil of the file jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java of the component loadDict Endpoint. This manipulation of the argument keyword causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Patch name: a9c8e8eb1185751c4c3c68d2a53f3dadee9edc6b. To fix this issue, it is recommended to deploy a patch.

PUBLISHED Reserved 2026-04-28 | Published 2026-04-28 | Updated 2026-04-28 | Assigner VulDB




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
MEDIUM: 6.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
6.5AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

SQL Injection

Injection

Timeline

2026-04-28:Advisory disclosed
2026-04-28:VulDB entry created
2026-04-28:VulDB entry last update

Credits

larlarua (VulDB User) reporter

References

vuldb.com/vuln/359948 (VDB-359948 | JeecgBoot loadDict Endpoint SqlInjectionUtil.java SqlInjectionUtil sql injection) vdb-entry technical-description

vuldb.com/vuln/359948/cti (VDB-359948 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/submit/803072 (Submit #803072 | JEECG JeecgBoot v3.9.1 SQL Injection) third-party-advisory

github.com/jeecgboot/JeecgBoot/issues/9491 exploit issue-tracking

github.com/jeecgboot/JeecgBoot/pull/9493 issue-tracking patch

github.com/...ommit/a9c8e8eb1185751c4c3c68d2a53f3dadee9edc6b patch

github.com/jeecgboot/JeecgBoot/ product

cve.org (CVE-2026-7290)

nvd.nist.gov (CVE-2026-7290)

Download JSON