{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5848", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-08T19:11:02.419Z", "datePublished": "2026-04-09T05:15:11.492Z", "dateUpdated": "2026-04-09T14:49:08.071Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-09T05:15:11.492Z"}, "title": "jeecgboot JimuReport Data Source testConnection DriverManager.getConnection code injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "jeecgboot", "product": "JimuReport", "versions": [{"version": "2.0", "status": "affected"}, {"version": "2.1", "status": "affected"}, {"version": "2.2", "status": "affected"}, {"version": "2.3.0", "status": "affected"}], "modules": ["Data Source Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in jeecgboot JimuReport up to 2.3.0. The affected element is the function DriverManager.getConnection of the file /drag/onlDragDataSource/testConnection of the component Data Source Handler. Performing a manipulation of the argument dbUrl results in code injection. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirmed the issue and will provide a fix in the upcoming release."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:C"}}], "timeline": [{"time": "2026-04-08T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-08T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-08T21:16:07.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "anch0r (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/356374", "name": "VDB-356374 | jeecgboot JimuReport Data Source testConnection DriverManager.getConnection code injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356374/cti", "name": "VDB-356374 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/790769", "name": "Submit #790769 | jeecgboot jimureport <= 2.3.0 Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/jeecgboot/jimureport/issues/4587", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/jeecgboot/jimureport/issues/4587#issuecomment-4152596778", "tags": ["issue-tracking"]}, {"url": "https://github.com/jeecgboot/jimureport/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:48:56.890945Z", "id": "CVE-2026-5848", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:49:08.071Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5848", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:48:56.890945Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:49:02.173Z"}}], "cna": {"title": "jeecgboot JimuReport Data Source testConnection DriverManager.getConnection code injection", "credits": [{"lang": "en", "type": "reporter", "value": "anch0r (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:C"}}], "affected": [{"vendor": "jeecgboot", "modules": ["Data Source Handler"], "product": "JimuReport", "versions": [{"status": "affected", "version": "2.0"}, {"status": "affected", "version": "2.1"}, {"status": "affected", "version": "2.2"}, {"status": "affected", "version": "2.3.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-08T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-08T21:16:07.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356374", "name": "VDB-356374 | jeecgboot JimuReport Data Source testConnection DriverManager.getConnection code injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356374/cti", "name": "VDB-356374 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/790769", "name": "Submit #790769 | jeecgboot jimureport <= 2.3.0 Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/jeecgboot/jimureport/issues/4587", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/jeecgboot/jimureport/issues/4587#issuecomment-4152596778", "tags": ["issue-tracking"]}, {"url": "https://github.com/jeecgboot/jimureport/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in jeecgboot JimuReport up to 2.3.0. The affected element is the function DriverManager.getConnection of the file /drag/onlDragDataSource/testConnection of the component Data Source Handler. Performing a manipulation of the argument dbUrl results in code injection. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirmed the issue and will provide a fix in the upcoming release."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-09T05:15:11.492Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5848", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:49:08.071Z", "dateReserved": "2026-04-08T19:11:02.419Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-09T05:15:11.492Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in jeecgboot JimuReport up to 2.3.0. The affected element is the function DriverManager.getConnection of the file /drag/onlDragDataSource/testConnection of the component Data Source Handler. Performing a manipulation of the argument dbUrl results in code injection. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirmed the issue and will provide a fix in the upcoming release."}], "id": "CVE-2026-5848", "lastModified": "2026-04-09T06:16:23.070", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-09T06:16:23.070", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/jeecgboot/jimureport/"}, {"source": "cna@vuldb.com", "url": "https://github.com/jeecgboot/jimureport/issues/4587"}, {"source": "cna@vuldb.com", "url": "https://github.com/jeecgboot/jimureport/issues/4587#issuecomment-4152596778"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/790769"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356374"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356374/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.0"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "JimuReport", "source": "cna", "vendor": "jeecgboot"}, "product": "jimureport", "vendor": "jeecg"}], "analysis": {"en": {"generated_at": "2026-04-09T06:50:30.664036+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s upcoming patch that eliminates the untrusted code interpretation in the DriverManager.getConnection function; the vendor plans to release it in the next release. If a patch is not yet available, harden the environment by restricting database URL inputs to a whitelist of trusted protocols and hostnames, and validate or sanitize the dbUrl string before it is passed to the JDBC driver. Use network controls or firewall rules to block unauthorized network traffic that could supply malicious URLs. Finally, after remediation, test the application to verify that the DriverManager.getConnection no longer executes injected code."], "summary": {"action": "Patch Now", "impact": "Code Injection"}, "threat_synthesis": {"affected_systems": "Any installation of jeecgboot JimuReport up to and including version 2.3.0 is affected. The issue resides in the testConnection routine used to establish database connections, so systems that expose this functionality to external inputs are at risk. Operators should verify the version in use and consider whether database URLs can be influenced by untrusted users.", "description_and_impact": "A flaw in the DriverManager.getConnection function of the Data Source Handler component in jeecgboot JimuReport allows an attacker to inject code through manipulation of the dbUrl argument. This can lead to execution of arbitrary code on the host system, potentially compromising confidentiality, integrity, and availability of data and services. The vulnerability is identified as CWE\u201174 and CWE\u201194.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity. The exploit has been made public and can be triggered remotely by supplying a crafted dbUrl. Because the code executes the supplied argument, successful exploitation results in remote code execution. While no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the publicly disclosed nature of the exploit and the potential impact elevate the risk, especially for environments that cannot be patched immediately."}}}}, "created": "2026-04-09T08:15:28.617057+00:00", "updated": "2026-04-09T08:24:55.589192+00:00", "vendors": ["jeecg", "jeecg$PRODUCT$jimureport"]}