CVE-2026-3404

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-3404
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3404.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-3404
Published
2026-03-02T02:16:19.800Z
Modified
2026-04-10T05:42:59.221335Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A flaw has been found in thinkgem JeeSite up to 5.15.1. Impacted is an unknown function of the file /com/jeesite/common/shiro/cas/CasOutHandler.java of the component Endpoint. Executing a manipulation can lead to xml external entity reference. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

Affected packages

Git / github.com/thinkgem/jeesite

Affected ranges

Type
GIT
Repo
https://github.com/thinkgem/jeesite
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
7da56bb2423761e71bf19dfad4964c9b06791fd1
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.15.1"
        }
    ]
}

Affected versions

v5.*
v5.0.3
v5.0.4
v5.1.0
v5.12.0.vue
v5.12.1.vue
v5.13.0.vue
v5.13.1.vue
v5.14.0.vue
v5.14.1.vue
v5.15.0.vue
v5.15.1.vue
v5.2.0
v5.2.1
v5.2.2
v5.3.0
v5.3.1
v5.3.2
v5.4.0
v5.5.0
v5.5.1
v5.5.2
v5.6.0
v5.7.0
v5.7.1
v5.8.0
v5.8.1
v5.9.0
v5.9.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3404.json"