{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5999", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-09T13:03:06.047Z", "datePublished": "2026-04-10T01:45:14.036Z", "dateUpdated": "2026-04-10T01:45:14.036Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-10T01:45:14.036Z"}, "title": "JeecgBoot SysAnnouncementController improper authorization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "Improper Authorization"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-266", "lang": "en", "description": "Incorrect Privilege Assignment"}]}], "affected": [{"vendor": "n/a", "product": "JeecgBoot", "versions": [{"version": "3.9.0", "status": "affected"}, {"version": "3.9.1", "status": "affected"}], "modules": ["SysAnnouncementController"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in JeecgBoot up to 3.9.1. This impacts an unknown function of the component SysAnnouncementController. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirmed the issue and will provide a fix in the upcoming release."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C"}}], "timeline": [{"time": "2026-04-09T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-09T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-09T15:08:11.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "XinX (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/356553", "name": "VDB-356553 | JeecgBoot SysAnnouncementController improper authorization", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/356553/cti", "name": "VDB-356553 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/793656", "name": "Submit #793656 | jeecgboot web 3.9.1 Improper Access Controls", "tags": ["third-party-advisory"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/issues/9508", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/issues/9508#issuecomment-4199090102", "tags": ["issue-tracking"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/", "tags": ["product"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in JeecgBoot up to 3.9.1. This impacts an unknown function of the component SysAnnouncementController. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirmed the issue and will provide a fix in the upcoming release."}], "id": "CVE-2026-5999", "lastModified": "2026-04-10T03:16:04.053", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-10T03:16:04.053", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/jeecgboot/JeecgBoot/"}, {"source": "cna@vuldb.com", "url": "https://github.com/jeecgboot/JeecgBoot/issues/9508"}, {"source": "cna@vuldb.com", "url": "https://github.com/jeecgboot/JeecgBoot/issues/9508#issuecomment-4199090102"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/793656"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356553"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356553/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-285"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.9.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.9.1"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 88.0, "source": "matching"}]}, "original": {"product": "JeecgBoot", "source": "cna", "vendor": "n/a"}, "product": "jeecgboot", "vendor": "jeecg"}], "analysis": {"en": {"generated_at": "2026-04-10T03:20:53.285348+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s forthcoming patch or upgrade to a version newer than 3.9.1 when it becomes available.", "If an immediate update is not possible, restrict network access to the SysAnnouncementController endpoint to trusted IP ranges or authenticated users only.", "Monitor application logs for unauthorized access attempts to announcement endpoints and investigate any anomalies.", "Verify that authentication and role\u2011based access controls are correctly configured to prevent similar authorization bypasses."], "summary": {"action": "Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "JeecgBoot is affected. Versions up to and including 3.9.1 are vulnerable. All installations of JeecgBoot that provide the SysAnnouncementController function are at risk until a patch is applied.", "description_and_impact": "An improper authorization flaw exists in the SysAnnouncementController component of JeecgBoot. The vulnerability allows an attacker to bypass normal access controls and perform actions that should be restricted to authenticated or privileged users. This can enable viewing, creating, editing, or deleting system announcements without proper authorization. The flaw is exploitable remotely, and the exploit has already been disclosed publicly.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium impact. EPSS data is not available, and the vulnerability is not listed in the KEV catalog. The analysis infers that the attack vector is remote, meaning an external attacker can trigger the flaw over the network. Since the exploit has been disclosed and may already be in use, systems remain at moderate risk until the vendor releases a fix."}}}}, "created": "2026-04-10T08:36:03.596072+00:00", "updated": "2026-04-10T09:27:04.337147+00:00", "vendors": ["jeecg", "jeecg$PRODUCT$jeecgboot"]}