CVE-2026-8195
Stored XSS in JeecgBoot up to 3.9.1
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jeecg | jeecgboot | up to 3.9.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8195 is a stored cross-site scripting (XSS) vulnerability in JeecgBoot versions up to 3.9.1. It stems from two weaknesses: an improper file type filter and insecure serving of uploaded SVG files. Authenticated users can upload SVG files containing malicious JavaScript because the filter recognises SVG only by its header and therefore blocks standard SVG files while missing others; an attacker simply omits the XML declaration from the SVG file to evade it. The uploaded files are then served publicly without authentication, so the embedded JavaScript executes in the browser of any user who opens the file.
How can this vulnerability impact me?
This vulnerability can lead to session hijacking, phishing attacks, and arbitrary HTML rendering within the application's origin. Because the malicious SVG files are served publicly and their JavaScript runs in users' browsers, an attacker can steal sensitive information, impersonate users, or manipulate the web interface to deceive users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for malicious SVG files uploaded through the /sys/common/upload endpoint in JeecgBoot versions up to 3.9.1. In particular, look for SVG files that omit the XML declaration (<?xml), since that is how the file type filter is bypassed.
You can verify whether such files exist by listing the uploaded SVG files and inspecting their contents for embedded JavaScript (script elements, event-handler attributes such as onload, or javascript: URIs).
- Use curl or wget to fetch the uploaded SVG files via their public URLs and check the response headers: a file served inline as image/svg+xml without a Content-Disposition: attachment header will have its scripts executed when opened in a browser.
- Example command to list SVG files in the upload directory (adjust the path accordingly): ls -l /path/to/uploaded/files/*.svg
- Example command to list SVG files that lack an XML declaration (grep -L prints the files with no match): grep -L '<?xml' /path/to/uploaded/files/*.svg
- Example command to fetch an SVG file from the server together with its response headers: curl -i http://yourserver/(unknown).svg
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Add Content-Disposition headers to force file downloads instead of inline rendering.
- Implement Content-Security-Policy (CSP) headers to restrict execution of inline scripts.
- Sanitize SVG files on upload to remove any embedded JavaScript.
- Improve the file type filter so it detects SVG files by their content rather than by the presence of an XML declaration, and block uploads that carry active content.
- Serve uploaded files from a separate domain to isolate them from the application origin.
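As an added illustration of the filter flaw described above and of the first two mitigation steps (this is example code, not JeecgBoot's or the advisory's own), the block below places a header-only SVG check beside a content-based one and builds the download headers the mitigation list recommends. All names are hypothetical and the SVG samples are constructed; in production, a hardened parser such as defusedxml should replace the stdlib one.

```python
"""Header-only SVG check beside a content-based check, plus safe download headers."""
import re
import xml.etree.ElementTree as ET  # production code: prefer defusedxml (entity expansion)

SVG_NS = "http://www.w3.org/2000/svg"
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)       # onload=, onclick=, ...
SCRIPT_URI = re.compile(r"^\s*javascript:", re.I)  # href="javascript:..."

# Constructed samples: a normal SVG with prologue, one without a prologue that
# carries a script element, one with an event handler, and a PNG header.
SAMPLES = {
    "prologue": b'<?xml version="1.0"?><svg xmlns="%s"><circle r="1"/></svg>' % SVG_NS.encode(),
    "no_prologue_script": b'<svg xmlns="%s"><script>x()</script></svg>' % SVG_NS.encode(),
    "event_attr": b'<svg xmlns="%s" onload="x()"/>' % SVG_NS.encode(),
    "png": b"\x89PNG\r\n\x1a\n",
}

def flawed_filter_blocks(data: bytes) -> bool:
    # Header-only logic of the kind the advisory describes: a file counts as SVG
    # only if it starts with an XML declaration, so omitting '<?xml' slips past.
    return data.lstrip().startswith(b"<?xml")

def is_svg(data: bytes) -> bool:
    # Content-based detection: parse and inspect the root element; the prologue is irrelevant.
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return root.tag in ("svg", f"{{{SVG_NS}}}svg")

def svg_has_active_content(data: bytes) -> bool:
    # True if the SVG has script/foreignObject elements, on* attributes or javascript: URIs.
    for el in ET.fromstring(data).iter():
        if el.tag.rsplit("}", 1)[-1].lower() in ("script", "foreignobject"):
            return True
        for name, value in el.attrib.items():
            if EVENT_ATTR.match(name.rsplit("}", 1)[-1]) or SCRIPT_URI.match(value):
                return True
    return False

def upload_decision(data: bytes) -> str:
    # 'reject' active SVG; 'attachment' safe SVG (served as a download); 'other' non-SVG.
    if not is_svg(data):
        return "other"
    return "reject" if svg_has_active_content(data) else "attachment"

def download_headers(filename: str) -> dict:
    # Headers for serving uploads per the mitigation list: never render inline, no scripts.
    return {"Content-Disposition": f'attachment; filename="{filename}"',
            "Content-Security-Policy": "default-src 'none'; sandbox",
            "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, flawed_filter_blocks(data), upload_decision(data))
```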
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users to upload malicious SVG files that execute stored cross-site scripting (XSS) attacks, potentially leading to session hijacking, phishing, and arbitrary HTML rendering within the application's origin.
Such security weaknesses can undermine the confidentiality and integrity of user data, which are critical requirements under common standards and regulations like GDPR and HIPAA.
Failure to mitigate this vulnerability may result in unauthorized access or exposure of personal or sensitive information, thereby impacting compliance with these regulations.