CVE-2026-11467
Status: Deferred - Pending Action
Path Traversal in jshERP Application

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A security vulnerability has been detected in jishenghua jshERP up to 3.6. This vulnerability affects the function addAccountHeadAndDetail of the file jshERP-boot/src/main/java/com/jsh/erp/service/AccountHeadService.java of the component addAccountHeadAndDetail Endpoint. Such manipulation of the argument fileName leads to path traversal. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-08
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)

Vendor       Product   Version / Range
jishenghua   jsherp    up to 3.6 (inclusive)
CWE ID: CWE-22
Description: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

This vulnerability, identified as CVE-2026-11467, exists in jishenghua jshERP versions up to 3.6. It is a stored path traversal flaw in the addAccountHeadAndDetail function behind the addAccountHeadAndDetail endpoint. The fileName argument in the JSON payload of a POST request is accepted without proper validation. The supplied path is stored in the database and later used in file operations such as copying or deleting files on the server. Because the input is not sanitized, attackers can provide traversal sequences (e.g., ../../../../etc/passwd) to access or manipulate unauthorized files remotely.

Impact Analysis

This vulnerability allows remote attackers to perform arbitrary file operations on the server hosting jshERP. Specifically, they can delete or manipulate files by exploiting the unsanitized file paths stored in the database. This can lead to unauthorized access, modification, or deletion of critical files, potentially disrupting system operations, causing data loss, or enabling further attacks.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the /addAccountHeadAndDetail endpoint that include a fileName field containing path traversal sequences such as "../" or similar patterns.

You can inspect web server logs or use network monitoring tools to identify such requests.

For example, using command-line tools, you might search for suspicious payloads in logs with commands like:

  • grep -i 'POST /addAccountHeadAndDetail' /var/log/nginx/access.log | grep '\.\./'
  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'fileName'

Additionally, querying the jsh_account_head database table for entries in the fileName field containing traversal patterns can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable /addAccountHeadAndDetail endpoint to trusted users only, such as by implementing network-level access controls or authentication.

You should also monitor and block suspicious requests containing path traversal patterns in the fileName parameter.

If possible, sanitize or validate inputs on the server side to reject fileName values containing traversal sequences.
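The server-side check described above, written as an added illustration rather than jshERP's own code: a validator that accepts only a bare leaf file name and confirms it stays under an assumed upload root, applied both when the value is stored and again when a stored value is used. The class, method and directory names are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Server-side check for a user-supplied attachment name of the kind the
// description says addAccountHeadAndDetail stores and later uses for copy and
// delete operations. Illustration only; names here are not jshERP's own code.
public final class AttachmentNameValidator {

    // Assumed upload root; the page does not state jshERP's real directory.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/lib/jsherp/upload").toAbsolutePath().normalize();

    // Accept only a bare leaf name: non-empty, no NUL, no '/' or backslash,
    // not "." or "..", and still inside UPLOAD_ROOT after normalisation. Run
    // this before the value is written to jsh_account_head AND again when a
    // stored value is used, because rows written before the fix are unchecked.
    public static boolean isSafeFileName(String fileName) {
        if (fileName == null || fileName.isEmpty() || fileName.length() > 255) {
            return false;
        }
        if (fileName.indexOf('\0') >= 0
                || fileName.indexOf('/') >= 0 || fileName.indexOf('\\') >= 0) {
            return false;
        }
        if (fileName.equals(".") || fileName.equals("..")) {
            return false;
        }
        // Defence in depth: resolve and confirm the result stays under the root.
        Path resolved = UPLOAD_ROOT.resolve(fileName).normalize();
        return resolved.startsWith(UPLOAD_ROOT) && !resolved.equals(UPLOAD_ROOT);
    }

    // Resolve a validated name under UPLOAD_ROOT; callers pass this Path to
    // Files.copy / Files.delete instead of building one from the raw string.
    public static Path resolveUnderRoot(String fileName) {
        if (!isSafeFileName(fileName)) {
            throw new IllegalArgumentException("rejected file name: " + fileName);
        }
        return UPLOAD_ROOT.resolve(fileName).normalize();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate name, four that must be rejected.
        String[] samples = { "invoice-2026.pdf", "../../../../etc/passwd",
                             "..", "sub/dir.txt", "a\\b.txt" };
        for (String s : samples) {
            System.out.println(s + " -> " + (isSafeFileName(s) ? "accepted" : "rejected"));
        }
    }
}
```

Rejecting anything that is not a leaf name is deliberately stricter than a containment check alone, since the page describes the value as a file name, not a path.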

As a temporary workaround, avoid triggering batch deletion operations that use the stored file paths until a patch or fix is available.

Finally, keep an eye on official updates from the jshERP project for patches addressing this vulnerability.

Compliance Impact

The vulnerability allows remote attackers to perform arbitrary file operations, including deletion, on the server by exploiting unsanitized file paths. This can lead to unauthorized access or manipulation of sensitive files stored on the system.

Such unauthorized file access and manipulation could potentially result in exposure or loss of sensitive personal or health data, which may violate data protection regulations like GDPR or HIPAA that require safeguarding of personal and health information.

However, the provided information does not explicitly state the presence of personal or health data affected by this vulnerability or direct compliance impacts.
