CVE-2026-5848
Received Received - Intake
Remote Code Injection in jeecgboot JimuReport Data Source Handler

Publication date: 2026-04-09

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in jeecgboot JimuReport up to 2.3.0. The affected element is the function DriverManager.getConnection of the file /drag/onlDragDataSource/testConnection of the component Data Source Handler. Performing a manipulation of the argument dbUrl results in code injection. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirmed the issue and will provide a fix in the upcoming release.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5848
EUVD
EUVD-2026-20858
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jeecgboot jimureport to 2.3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in jeecgboot JimuReport up to version 2.3.0, specifically in the function DriverManager.getConnection within the /drag/onlDragDataSource/testConnection endpoint of the Data Source Handler component.

The issue arises because the dbUrl argument is not properly validated, allowing an attacker to manipulate it to inject malicious code.

By exploiting the INIT parameter in H2 JDBC URLs, an attacker can execute arbitrary Java code during the database connection initialization phase, leading to remote code execution (RCE).

This attack can be initiated remotely by an attacker who has access to the datasource configuration interface.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary system commands remotely on the affected system by injecting malicious code through the dbUrl parameter.

Successful exploitation can lead to remote code execution, which may result in unauthorized control over the system, data theft, data manipulation, or disruption of services.

Because the attacker can run system commands, they could potentially install malware, create backdoors, or escalate privileges, severely compromising the security and integrity of the affected environment.

Detection Guidance

This vulnerability can be detected by monitoring and intercepting requests to the /drag/onlDragDataSource/testConnection endpoint, especially those involving the dbUrl parameter in datasource configuration requests.

Using a packet capture or interception tool, you can capture the JSON request body when testing datasource connections and inspect the dbUrl parameter for suspicious payloads that exploit the INIT parameter in H2 JDBC URLs.

Example detection steps include:

  • Log into the admin panel and navigate to the Report Workspace and Data Source configuration.
  • Use a packet capture tool (e.g., Wireshark, tcpdump, or a proxy like Burp Suite) to intercept the 'Test' connection request.
  • Inspect the dbUrl parameter in the intercepted JSON request for suspicious H2 JDBC URLs containing the INIT parameter with embedded commands.

No specific command-line commands are provided, but using interception tools to analyze the dbUrl parameter during datasource test connections is the recommended approach.

Mitigation Strategies

Immediate mitigation steps include restricting access to the datasource configuration interface to trusted and authenticated users only, as exploitation requires access to this admin panel.

Avoid using or testing datasource connections with untrusted or arbitrary dbUrl parameters, especially those using H2 JDBC URLs with the INIT parameter.

Monitor and block suspicious payloads targeting the /drag/onlDragDataSource/testConnection endpoint.

Apply the vendor's forthcoming patch or update to a fixed version of jimureport as soon as it becomes available.

Compliance Impact

The vulnerability allows remote code execution through manipulation of the dbUrl parameter in the Data Source Handler component, which could lead to unauthorized system command execution.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly detail the direct impact on compliance frameworks or specific regulatory requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5848. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart