JeecgBoot SQL Injection Vulnerability
JeecgBoot versions from 3.4.3 up to 3.8.0 were found to contain a SQL injection vulnerability in the /jeecg-boot/online/cgreport/head/parseSql endpoint, which allows bypassing SQL protections.
Advisories for Maven/Org.jeecgframework.boot/Jeecg-Boot-Base-Core package
2025
2023
Jeecg-boot is vulnerable to SQL injection
Jeecg-boot v3.4.4 was discovered to contain a SQL injection vulnerability via the component /sys/dict/queryTableData.
2022
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A Cross Site Scripting (XSS) vulnerabilitiy exits in jeecg-boot 3.0 in /jeecg-boot/jmreport/view with a mouseover event.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /jeecg-boot/sys/user/queryUserByDepId.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /sys/user/queryUserComponentData.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
In JeecgBoot, there is a SQL injection vulnerability that can operate the database with root privileges.