{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7305", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-28T11:45:12.858Z", "datePublished": "2026-04-28T19:15:13.287Z", "dateUpdated": "2026-04-28T19:15:13.287Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-28T19:15:13.287Z"}, "title": "Xuxueli xxl-job trigger Endpoint XxlJobServiceImpl.java triggerJob server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "Xuxueli", "product": "xxl-job", "versions": [{"version": "3.3.0", "status": "affected"}, {"version": "3.3.1", "status": "affected"}, {"version": "3.3.2", "status": "affected"}], "cpes": ["cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*:*"], "modules": ["trigger Endpoint"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): \"Triggers are manually activated and involve login and access control, thus requiring management.\" The pull request by the researcher got rejected because of that."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-28T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-28T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-28T13:50:25.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "larlarua (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/359960", "name": "VDB-359960 | Xuxueli xxl-job trigger Endpoint XxlJobServiceImpl.java triggerJob server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359960/cti", "name": "VDB-359960 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/803076", "name": "Submit #803076 | xuxueli https://github.com/xuxueli/xxl-job v3.3.2 Server-Side Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://github.com/xuxueli/xxl-job/issues/3935", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/xuxueli/xxl-job/pull/3937", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/xuxueli/xxl-job/", "tags": ["product"]}], "tags": ["disputed"]}}}

{}

{"cveTags": [{"sourceIdentifier": "cna@vuldb.com", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): \"Triggers are manually activated and involve login and access control, thus requiring management.\" The pull request by the researcher got rejected because of that."}], "id": "CVE-2026-7305", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-28T22:16:50.893", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/xuxueli/xxl-job/"}, {"source": "cna@vuldb.com", "url": "https://github.com/xuxueli/xxl-job/issues/3935"}, {"source": "cna@vuldb.com", "url": "https://github.com/xuxueli/xxl-job/pull/3937"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/803076"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359960"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359960/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.3.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.3.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.3.2"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "xxl-job", "source": "cna", "vendor": "Xuxueli"}, "product": "xxl-job", "vendor": "xuxueli"}], "analysis": {"en": {"generated_at": "2026-04-29T01:18:03.775619+00:00", "value": {"mitigation_remediation": ["Deploy an updated release of xxl\u2011job that contains the SSRF fix (e.g., version 3.3.3 or later, if available).", "Restrict the triggerJob API to users with explicit administrative privileges and enforce strong authentication and role\u2011based access controls.", "Configure firewall or network segmentation rules to block outbound requests from the xxl\u2011job server to sensitive internal networks unless explicitly permitted."], "summary": {"action": "Assess Impact", "impact": "Server-Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Xuxueli xxl\u2011job component, specifically the triggerJob method in the xxl\u2011job\u2011admin module, in all releases up to and including version 3.3.2.", "description_and_impact": "A manipulation of the addressList argument within the triggerJob function of Xuxueli xx\u2011job\u2019s trigger endpoint enables server\u2011side request forgery. By providing arbitrary URLs, an attacker could cause the server to issue unintended HTTP requests to internal or external resources. The official description states that this flaw can be triggered remotely and that an exploit is publicly available. However, the project maintainer notes that triggering a job requires authentication and appropriate management privileges, implying that an attacker would need valid credentials to exploit the vulnerability.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity flaw. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Attack likely requires remote access to the triggerJob API combined with valid administrative authentication. If exploited, the server\u2011side request forgery could allow an attacker to reach internal services, exfiltrate data, or pivot to further network targets. The overall risk is moderate, primarily limited by the need for authorized access to the endpoint."}}}}, "created": "2026-04-28T23:30:05.811238+00:00", "updated": "2026-04-29T01:30:06.144183+00:00", "vendors": ["xuxueli", "xuxueli$PRODUCT$xxl-job"]}