{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-40489", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-01T19:24:05.109Z", "dateReserved": "2024-07-05T00:00:00.000Z", "datePublished": "2026-04-01T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T15:58:09.356Z"}, "descriptions": [{"lang": "en", "value": "There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character filtering, which allows attackers to execute arbitrary code on components through specially crafted HTTP requests."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://pan.baidu.com/s/14WOPXhRHoxr4FRKGme59ug?pwd=sktp"}, {"url": "https://gist.github.com/aqyoung/2fd6329ceb06b731a621356921f0d5f0"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T19:22:30.196135Z", "id": "CVE-2024-40489", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:24:05.109Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-40489", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T19:22:30.196135Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:22:56.495Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://pan.baidu.com/s/14WOPXhRHoxr4FRKGme59ug?pwd=sktp"}, {"url": "https://gist.github.com/aqyoung/2fd6329ceb06b731a621356921f0d5f0"}], "descriptions": [{"lang": "en", "value": "There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character filtering, which allows attackers to execute arbitrary code on components through specially crafted HTTP requests."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T15:58:09.356Z"}}}, "cveMetadata": {"cveId": "CVE-2024-40489", "state": "PUBLISHED", "dateUpdated": "2026-04-01T19:24:05.109Z", "dateReserved": "2024-07-05T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-01T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character filtering, which allows attackers to execute arbitrary code on components through specially crafted HTTP requests."}], "id": "CVE-2024-40489", "lastModified": "2026-04-03T16:11:11.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T17:16:57.070", "references": [{"source": "cve@mitre.org", "url": "https://gist.github.com/aqyoung/2fd6329ceb06b731a621356921f0d5f0"}, {"source": "cve@mitre.org", "url": "https://pan.baidu.com/s/14WOPXhRHoxr4FRKGme59ug?pwd=sktp"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.5.3]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 80.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "jeecgboot", "vendor": "jeecg"}], "analysis": {"en": {"generated_at": "2026-04-02T02:33:05.990679+00:00", "value": {"mitigation_remediation": ["Apply an official patch or upgrade Jeecg Boot to a version newer than 3.5.3", "If a patch is not yet available, restrict external HTTP access to the Jeecg Boot application using firewall rules or network segmentation", "Implement rigorous input validation to block malicious characters before processing"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Jeecg Boot products, specifically versions 3.0.0 through 3.5.3, are affected. The impact extends to any deployment of these versions where HTTP request processing is exposed to untrusted input.", "description_and_impact": "The vulnerability is an injection flaw in Jeecg Boot versions 3.0.0 to 3.5.3 caused by lax character filtering. This flaw permits attackers to embed malicious code within specially crafted HTTP requests, resulting in the execution of arbitrary code on the affected system. The flaw is classified under CWE\u201194, indicating a code injection weakness that can compromise confidentiality, integrity, and availability of the application and underlying host.", "risk_and_exploitability": "The vulnerability carries a high severity with a CVSS score of 9.8. No EPSS data is provided, and the entry is not listed in CISA\u2019s KEV catalog. It is likely that the attack vector requires network access to the application\u2019s HTTP interface; however, detailed exploitation prerequisites are not explicitly described in the available data."}}}}, "created": "2026-04-02T07:51:34.149713+00:00", "title": "Injection Vulnerability Allowing Arbitrary Code Execution in Jeecg Boot", "updated": "2026-04-03T08:59:14.149926+00:00", "vendors": ["jeecg", "jeecg$PRODUCT$jeecgboot"]}