{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-43028", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-01T19:30:02.963Z", "dateReserved": "2024-08-05T00:00:00.000Z", "datePublished": "2026-04-01T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T16:03:27.041Z"}, "descriptions": [{"lang": "en", "value": "A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 allows attackers to execute arbitrary code via a crafted HTTP request."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://pan.baidu.com/s/1h2RGEvxuvsKtsn2-TlFlmA?pwd=gf5r"}, {"url": "https://gist.github.com/aqyoung/e3b7ba5d8b8261df7d09931dbe779b3b"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T19:27:46.494836Z", "id": "CVE-2024-43028", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:30:02.963Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-43028", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T19:27:46.494836Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:28:13.303Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://pan.baidu.com/s/1h2RGEvxuvsKtsn2-TlFlmA?pwd=gf5r"}, {"url": "https://gist.github.com/aqyoung/e3b7ba5d8b8261df7d09931dbe779b3b"}], "descriptions": [{"lang": "en", "value": "A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 allows attackers to execute arbitrary code via a crafted HTTP request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T16:03:27.041Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43028", "state": "PUBLISHED", "dateUpdated": "2026-04-01T19:30:02.963Z", "dateReserved": "2024-08-05T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-01T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 allows attackers to execute arbitrary code via a crafted HTTP request."}], "id": "CVE-2024-43028", "lastModified": "2026-04-03T16:11:11.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T17:16:57.220", "references": [{"source": "cve@mitre.org", "url": "https://gist.github.com/aqyoung/e3b7ba5d8b8261df7d09931dbe779b3b"}, {"source": "cve@mitre.org", "url": "https://pan.baidu.com/s/1h2RGEvxuvsKtsn2-TlFlmA?pwd=gf5r"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.5.3]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 80.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "jeecgboot", "vendor": "jeecg"}], "analysis": {"en": {"generated_at": "2026-04-02T02:32:52.562205+00:00", "value": {"mitigation_remediation": ["Update to JEECG Boot v3.5.4 or later, which removes the vulnerable /jmreport/show component.", "If an update cannot be applied immediately, block external access to the /jmreport/show URI with a firewall or application gateway rule.", "Apply input validation or sandboxing to the /jmreport/show endpoint to prevent command execution until a patch is available.", "Ensure the application is not exposed to the public internet; consider isolating the instance within a secure network segment."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution via command injection"}, "threat_synthesis": {"affected_systems": "JEECG Boot web framework, versions 3.0.0 to 3.5.3 inclusive. No vendor name was specified, but the vulnerability exists in the open\u2011source JEECG Boot project.", "description_and_impact": "A command injection flaw in the /jmreport/show endpoint of JEECG Boot versions 3.0.0 through 3.5.3 lets an unauthenticated attacker embed arbitrary shell commands in an HTTP request. Exploitation could give attacker full control over the host, enabling data theft, system compromise, or further lateral movement. The weakness stems from unsanitized input being passed to system calls, mapping closely to CWE-77.", "risk_and_exploitability": "The CVSS base score of 9.8 places this flaw in the critical category. EPSS data is unavailable, and the flaw is not listed in the CISA KEV catalog, but the high severity score and ease of exploitation over the network make the risk immediate and significant. The vulnerability is exploitable via a crafted HTTP request without authentication, allowing arbitrary command execution."}}}}, "created": "2026-04-02T07:51:33.179293+00:00", "title": "Command Injection in JEECG Boot /jmreport/show Allows Arbitrary Code Execution", "updated": "2026-04-03T08:59:13.158672+00:00", "vendors": ["jeecg", "jeecg$PRODUCT$jeecgboot"]}