CVE-2026-7605
Deferred Deferred - Pending Action
Server-Side Request Forgery in JeecgBoot

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: VulDB

Description
A security flaw has been discovered in JeecgBoot up to 3.9.1. This vulnerability affects the function CommonController.uploadImgByHttp/HttpFileToMultipartFileUtil.httpFileToMultipartFile/HttpFileToMultipartFileUtil.downloadImageData of the file CommonController.java of the component uploadImgByHttpEndpoint. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Upgrading the affected component is recommended. The vendor confirmed the issue and will provide a fix in the upcoming release.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7605
EUVD
EUVD-2026-26753
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jeecgboot jeecgboot to 3.9.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7605 is a Server-Side Request Forgery (SSRF) vulnerability in the JeecgBoot framework versions up to 3.9.1. It exists in the /sys/common/uploadImgByHttp endpoint, where the application takes a user-controlled URL parameter (fileUrl) from a JSON request and performs an outbound HTTP request without validating the URL beforehand.

The vulnerability arises because the server downloads the external resource before performing any security checks on the file type, allowing an authenticated attacker to force the server to fetch arbitrary internal or external resources.

This flaw affects the CommonController.java and HttpFileToMultipartFileUtil.java components, specifically the downloadImageData function, which executes HTTP requests without protections like IP restrictions, URL whitelisting, or protocol validation.

Impact Analysis

This SSRF vulnerability can be exploited by an attacker to make the server perform unauthorized HTTP requests to internal or external systems.

  • Internal network scanning and service enumeration, potentially revealing sensitive infrastructure details.
  • Accessing sensitive cloud metadata services, which may expose credentials or other confidential information.
  • Potentially stealing sensitive data or causing unauthorized interactions with internal services.

Since the exploit is publicly available, attackers can remotely initiate these attacks, increasing the risk of compromise.

Detection Guidance

This vulnerability can be detected by monitoring for POST requests to the endpoint `/sys/common/uploadImgByHttp` that include a `fileUrl` parameter in the JSON body. Anomalous or unexpected outbound HTTP requests initiated by the server to internal or external URLs, especially those targeting internal network resources or cloud metadata services, may indicate exploitation attempts.

To detect potential exploitation, you can inspect web server logs or use network monitoring tools to identify such POST requests and the resulting outbound connections.

  • Use tools like `curl` or `httpie` to simulate requests and observe server behavior, e.g.:
  • curl -X POST https://yourserver/sys/common/uploadImgByHttp -H "Content-Type: application/json" -d '{"fileUrl":"http://169.254.169.254/latest/meta-data/"}'
  • Check server logs for outbound HTTP requests triggered by such inputs.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outbound HTTP traffic from the server to suspicious internal IPs or metadata service IPs.
Mitigation Strategies

The immediate recommended step is to upgrade JeecgBoot to a version where this vulnerability is fixed once the vendor releases the patch.

Until an official fix is available, you should consider implementing the following mitigations:

  • Restrict access to the vulnerable endpoint `/sys/common/uploadImgByHttp` to trusted users only, as the vulnerability requires authentication.
  • Implement network-level restrictions to prevent the server from making outbound HTTP requests to internal IP ranges or sensitive metadata service IPs.
  • Add input validation or filtering on the `fileUrl` parameter to block requests containing internal or suspicious URLs.
  • Monitor logs and network traffic for signs of exploitation attempts.
Compliance Impact

The vulnerability in JeecgBoot (CVE-2026-7605) is a server-side request forgery (SSRF) flaw that allows an attacker to make the server fetch arbitrary internal or external resources without proper validation. This can lead to exposure of sensitive data such as internal service information or cloud metadata credentials.

Such exposure of sensitive data can potentially impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information from unauthorized access or disclosure.

Because the vulnerability allows unauthorized internal network scanning and data exposure, organizations using affected versions of JeecgBoot may face increased risk of data breaches or unauthorized data access, which could lead to non-compliance with these standards.

Mitigating this vulnerability by upgrading the affected component is recommended to maintain compliance and reduce the risk of data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7605. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart