CVE-2026-58375

Source
https://cve.org/CVERecord?id=CVE-2026-58375
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58375.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58375
Published
2026-06-30T15:58:47.799Z
Modified
2026-07-16T03:30:51.908619014Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
JimuReport 2.5.0 - Unauthenticated Report Export via /jmreport/auto/export
Details

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id without verifying the auto-export configuration flag. An unauthenticated remote attacker can enumerate Snowflake report identifiers and export the full contents of any report, including the data returned by the report configured SQL queries and any credentials embedded in its data sources.

Database specific
{
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-306"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58375.json"
}
References

Affected packages

Git / github.com/jeecgboot/jimureport

Affected ranges

Type
GIT
Repo
https://github.com/jeecgboot/jimureport
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.5.0"
        },
        {
            "fixed": "2.5.0"
        }
    ]
}

Affected versions

v1.*
v1.5.6
v1.5.9
v1.6.0
v1.6.1
v1.6.2
v1.6.2-GA5
v1.6.4
v1.6.5
v1.6.6
v1.7.0
v1.7.2
v1.7.4
v1.7.52
v1.7.8
v1.8.0
v1.8.1
v1.9.1
v1.9.3
v2.*
v2.0.0
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.5
v2.2.0
v2.3.0
v2.3.2
v2.3.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58375.json"