CVE-2025-9796
- Source
- https://cve.org/CVERecord?id=CVE-2025-9796
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9796.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-9796
- Published
- 2025-09-01T22:15:30.793Z
- Modified
- 2026-04-12T22:57:44.750721Z
- Severity
-
- 4.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
A vulnerability was found in thinkgem JeeSite up to 5.12.1. This affects the function decodeUrl2 of the file common/src/main/java/com/jeesite/common/codec/EncodeUtils.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 5.13.0 mitigates this issue. The patch is identified as 63773c97a56bdb3649510e83b66c16db4754965b. Upgrading the affected component is recommended.
- References
-
- https://github.com/thinkgem/jeesite5/releases/tag/v5.13.0.springboo3
- https://vuldb.com/?id.322111
- https://vuldb.com/?submit.641125
- https://github.com/thinkgem/jeesite5/issues/33#issuecomment-3197374560
- https://vuldb.com/?ctiid.322111
- https://github.com/thinkgem/jeesite5/issues/33
- https://github.com/thinkgem/jeesite5/issues/33#issue-3330107533
- https://github.com/thinkgem/jeesite5/commit/63773c97a56bdb3649510e83b66c16db4754965b
Affected packages
Git / github.com/thinkgem/jeesite
Affected ranges
- Type
- GIT
- Repo
- https://github.com/thinkgem/jeesite
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "5.13.0" } ] }
- Type
- GIT
- Repo
- https://github.com/thinkgem/jeesite5
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
v4.*
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.8
v4.1.8.1
v4.1.8.2
v4.1.9
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.3.1
v4.2.3.2
v4.3.0
v4.3.0.2
v5.*
v5.0.0
v5.0.0.1
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.1.0
v5.10.0.springboot3
v5.10.1.springboo3
v5.11.0.springboo3
v5.11.1.springboo3
v5.12.0.springboo3
v5.12.0.vue
v5.12.1.springboo3
v5.12.1.vue
v5.2.0
v5.2.1
v5.2.2
v5.3.0
v5.3.1
v5.3.2
v5.4.0
v5.5.0
v5.5.1
v5.5.2
v5.6.0
v5.7.0
v5.7.1
v5.8.0
v5.8.1
v5.9.0
v5.9.1
v5.9.1.springboot3
v5.9.2.springboot3
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9796.json"
vanir_signatures_modified
"2026-04-12T22:57:44Z"
vanir_signatures
[
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 2787.0,
"function_hash": "113870966641587280007482763233031363271"
},
"source": "https://github.com/thinkgem/jeesite5/commit/63773c97a56bdb3649510e83b66c16db4754965b",
"id": "CVE-2025-9796-014ccdff",
"signature_type": "Function",
"target": {
"function": "main",
"file": "common/src/test/java/com/jeesite/test/codec/EncodeUtilsTest.java"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"18670234902375744585066105999701082970",
"140576376356235444879226643059430008416",
"226732589254355552802202599867960218502",
"71231158979486450470282274458386414914"
]
},
"source": "https://github.com/thinkgem/jeesite5/commit/63773c97a56bdb3649510e83b66c16db4754965b",
"id": "CVE-2025-9796-15998e41",
"signature_type": "Line",
"target": {
"file": "common/src/main/java/com/jeesite/common/codec/EncodeUtils.java"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"248868870233761081674076203444977268718",
"20764808413179010707916124788926573678",
"14598931539656000117735059650924205636",
"47088028717140871837376167593144524440"
]
},
"source": "https://github.com/thinkgem/jeesite5/commit/63773c97a56bdb3649510e83b66c16db4754965b",
"id": "CVE-2025-9796-4aec5c9a",
"signature_type": "Line",
"target": {
"file": "common/src/test/java/com/jeesite/test/codec/EncodeUtilsTest.java"
}
}
]