CVE-2026-7604

Source
https://cve.org/CVERecord?id=CVE-2026-7604
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7604.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-7604
Published
2026-05-02T04:45:12.477Z
Modified
2026-07-15T01:48:54.226840545Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
JeecgBoot OpenApi Service OpenApiController.java OpenApiController.call server-side request forgery
Details

A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release.

Database specific
{
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7604.json",
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/jeecgboot/jeecgboot

Affected ranges

Type
GIT
Repo
https://github.com/jeecgboot/jeecgboot
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "3.9.0"
        },
        {
            "last_affected": "3.9.0"
        },
        {
            "introduced": "3.9.1"
        },
        {
            "last_affected": "3.9.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

3.*
3.9.0
3.9.1
v3.*
v3.9.0last
v3.9.1
v3.9.1last

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7604.json"