CVE-2026-7305
Server-Side Request Forgery in xxl-job triggerJob Endpoint
Publication date: 2026-04-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xuxueli | xxl-job | up to 3.3.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Xuxueli xxl-job up to version 3.3.2, specifically in the triggerJob function of the trigger endpoint. It involves manipulation of the argument addressList, which can lead to server-side request forgery (SSRF). This means an attacker can remotely cause the server to make unintended requests to other systems.
However, there is some doubt about the actual existence of this vulnerability because triggering the function requires manual activation, login, and access control, which limits the attack surface.
How can this vulnerability impact me?
If exploited, this vulnerability could allow an attacker to perform server-side request forgery, potentially enabling them to make unauthorized requests from the server to internal or external systems. This could lead to information disclosure, unauthorized actions, or further attacks within the network.
However, since the trigger requires manual activation with login and access control, the risk may be limited to authorized users or administrators.