CVE-2026-1746
SQL Injection in JeecgBoot 3.9.0 Online Report API
Publication date: 2026-02-02
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jeecg | jeecg_boot | 3.9.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1746 is an SQL injection vulnerability in JeecgBoot version 3.9.0, specifically in the Online Report API endpoint /JeecgBoot/sys/api/loadDictItemByKeyword. The vulnerability occurs because the 'keyword' argument is improperly handled, allowing attackers to manipulate SQL queries by injecting malicious SQL code. This flaw enables remote attackers to execute arbitrary SQL commands on the database, potentially compromising the system's data and functionality. [1, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing remote attackers to execute unauthorized SQL commands on your database through the vulnerable API endpoint. This can lead to unauthorized data access, data modification, or deletion, compromising the confidentiality, integrity, and availability of your system. Since the exploit is publicly available and easy to execute, it increases the risk of exploitation and potential damage to your business applications. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring and testing the vulnerable API endpoint `/JeecgBoot/sys/api/loadDictItemByKeyword` for SQL injection attempts. You can use tools like sqlmap to test the endpoint for SQL injection by sending crafted requests with payloads in the `keyword` parameter. For example, a command using sqlmap might be: `sqlmap -u "http://target/JeecgBoot/sys/api/loadDictItemByKeyword?keyword=test" --risk=3 --level=5 --batch`. Additionally, monitoring web server logs for unusual or suspicious SQL syntax patterns in requests to this endpoint can help detect exploitation attempts. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable API endpoint, such as applying network-level controls or web application firewall (WAF) rules to block suspicious SQL injection payloads targeting the `keyword` parameter. Since no vendor patch or fix is currently available, consider disabling or limiting the use of the affected Online Report API component if possible. Also, consider replacing the affected product or upgrading to a version without this vulnerability once available. Monitoring for exploitation attempts and applying general SQL injection protections are recommended. [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is an SQL injection in JeecgBoot 3.9.0 that allows remote attackers to execute arbitrary SQL commands, potentially compromising the confidentiality, integrity, and availability of the affected system.
Such a compromise could lead to unauthorized access or manipulation of sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.
However, there is no explicit information provided in the available resources about direct effects or assessments related to compliance with these standards.