CVE-2026-7303
Improper Resource Identifier Control in xxl-job Execution Log Handler
Publication date: 2026-04-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xuxueli | xxl-job | up to 3.3.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-99 | The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Xuxueli xxl-job up to and including version 3.3.2, specifically the logDetailCat function of the Execution Log Handler component. Manipulating the logId argument results in improper control of resource identifiers (CWE-99): the value is used to identify a resource without being adequately restricted. The attack can be launched remotely, although it is considered highly complex and difficult to execute.
Upgrading to version 3.4.0 is recommended to fix this issue.
How can this vulnerability impact me?
The vulnerability can lead to improper control over resource identifiers, which may allow an attacker to manipulate or access execution logs in unintended ways. The impact on confidentiality is low and there is no impact on integrity or availability, but unauthorized access to logs could still expose sensitive information or system details.
The attack is highly complex and difficult to perform, but because an exploit is publicly available, there is a risk of exploitation if the system is not updated.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step is to upgrade the affected component, Xuxueli xxl-job, to version 3.4.0 or later.