CVE-2026-11457: JeeWMS JimuReport Injection Vulnerability – Exploitation & Remediation Guide
A vulnerability has been discovered in JeeWMS, an open-source warehouse management system. The flaw exists in the JimuReport test-connection endpoint and allows attackers to manipulate database connection parameters (database type, driver, URL, username, and password) to inject malicious commands. An attacker on the network can exploit this without authentication to compromise the confidentiality, integrity, and availability of the system. Public exploit code is already available, increasing the practical risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-707, CWE-74
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-07 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in erzhongxmu JeeWMS up to 141740afb2ba14d441c82a833d0a418d07ca2d69. This vulnerability affects unknown code of the file /base-boot/jmreport/testConnection of the component JimuReport test-connection Endpoint. Performing a manipulation of the argument dbType/dbDriver/dbUrl/dbUsername/dbPassword results in injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11457 is an injection vulnerability affecting erzhongxmu JeeWMS up to commit 141740afb2ba14d441c82a833d0a418d07ca2d69. The vulnerability resides in the /base-boot/jmreport/testConnection endpoint of the JimuReport component. The endpoint fails to properly validate or sanitize user-supplied input in the dbType, dbDriver, dbUrl, dbUsername, and dbPassword parameters. This inadequate input handling permits argument injection, allowing remote unauthenticated attackers to execute arbitrary payloads. The CVSS v3.1 score of 7.3 (HIGH) reflects the network-accessible nature of the endpoint, lack of authentication requirement, and impact across confidentiality, integrity, and availability.
Business impact
For organizations deploying JeeWMS, this vulnerability poses a direct threat to database security and warehouse operations continuity. An attacker could extract sensitive data from connected databases, modify critical inventory records, or disable warehouse systems entirely. The existence of public exploit code dramatically shortens the window between vulnerability disclosure and potential exploitation, particularly affecting businesses that rely on JeeWMS for supply chain visibility or order fulfillment. Unpatched instances are exposed to both opportunistic and targeted attacks.
Affected systems
JeeWMS installations up to commit 141740afb2ba14d441c82a833d0a418d07ca2d69 are vulnerable. The project uses a rolling release model without discrete version numbering, making it difficult to identify affected releases through traditional version comparison. Organizations should verify their deployed commit hash against the disclosed commit to determine exposure. Any instance exposing the /base-boot/jmreport/testConnection endpoint to network access is at risk.
Exploitability
This vulnerability is readily exploitable. No authentication is required to access the endpoint, and the attack surface is straightforward: manipulation of five database connection parameters. Network-level access is sufficient; the endpoint does not require user interaction or special privileges. The release of public exploit code confirms proof-of-concept availability, significantly increasing the likelihood of active exploitation in the wild. Attack complexity is low, and the vulnerability can be triggered with simple HTTP requests, making it accessible to attackers with basic technical skills.
Remediation
Apply the latest version of JeeWMS after the disclosed vulnerable commit. Because the project uses continuous delivery, consult the official JeeWMS repository for the most recent commit that addresses this injection flaw. Additionally, implement network-level controls to restrict access to the /base-boot/jmreport/testConnection endpoint to trusted hosts only. If immediate patching is not possible, disable the JimuReport test-connection functionality or remove the endpoint entirely if not critical to operations.
Patch guidance
Monitor the erzhongxmu JeeWMS repository for commits that remediate this injection vulnerability post-2026-06-07. Since the vendor did not respond to early disclosure attempts, patches may come through community contributions or updates without formal vendor communication. Verify any applied patches by: (1) confirming the deployed commit is after 141740afb2ba14d441c82a833d0a418d07ca2d69, (2) reviewing code changes to the /base-boot/jmreport/testConnection endpoint to ensure input validation is in place, and (3) testing that malformed dbType, dbDriver, dbUrl, dbUsername, and dbPassword parameters are properly rejected or escaped.
Detection guidance
Monitor for HTTP requests to /base-boot/jmreport/testConnection that contain unusual or suspicious database parameter values. Specifically, look for payloads in dbType, dbDriver, dbUrl, dbUsername, or dbPassword fields that contain special characters, SQL keywords, or command-line syntax (e.g., semicolons, pipes, backticks). Web application firewalls should be configured to detect and block requests with parameter manipulation attempts. Network intrusion detection systems should alert on database connection attempts originating from the application server to unexpected hosts or ports, which may indicate successful exploitation.
Why prioritize this
HIGH priority remediation is warranted due to the combination of network accessibility, lack of authentication requirements, public exploit availability, and direct impact on data confidentiality and system availability. The rolling release model creates additional complexity in tracking affected instances, increasing the risk of inadvertent exposure. Organizations managing critical warehouse or supply chain operations should treat this as urgent.
Risk score, explained
The CVSS v3.1 score of 7.3 (HIGH) reflects an attack vector that is network-based (AV:N), requires no special conditions to exploit (AC:L), does not require authentication (PR:N), needs no user interaction (UI:N), and affects only the vulnerable component without scope expansion (S:U). The impact across confidentiality, integrity, and availability (each rated Low) aggregates to a HIGH severity rating. The presence of public exploit code and lack of vendor response further elevate practical risk beyond the base CVSS assessment.
Frequently asked questions
How do I determine if my JeeWMS deployment is vulnerable?
Check the current commit hash of your deployed JeeWMS instance. If it is at or before commit 141740afb2ba14d441c82a833d0a418d07ca2d69, your installation is vulnerable. You can retrieve the commit hash from the application's version information or by inspecting the .git directory if source code is available.
Can this vulnerability be exploited without network access to the application?
No. The vulnerability requires the /base-boot/jmreport/testConnection endpoint to be reachable over the network. However, if your JeeWMS instance is exposed directly to the internet or accessible from untrusted networks, exploitation is straightforward and does not require authentication.
What happens if an attacker successfully exploits this vulnerability?
An attacker can inject arbitrary database connection parameters to connect to unintended databases, potentially exfiltrating sensitive data, modifying records, or executing database commands depending on the target database permissions and the nature of the injection payload. The scope of damage depends on what data the connected database holds and the privileges of the database user.
Should I wait for an official vendor patch or can I apply unofficial fixes?
Given that the vendor did not respond to early disclosure and the project uses rolling releases, official vendor patches may not be forthcoming in a traditional sense. Community-contributed fixes in the main repository may be your most reliable source. Verify any fix by reviewing the code changes and testing in a non-production environment before deployment.
This analysis is based on publicly disclosed vulnerability data as of 2026-06-17. The vendor (erzhongxmu) did not respond to early disclosure, and no official patch version or release has been confirmed; organizations should verify all remediation steps against the official JeeWMS repository. Public exploit code for this vulnerability exists, and active exploitation may be occurring. This analysis does not constitute legal advice, and organizations should review their own risk posture and compliance obligations before taking remediation actions. SEC.co makes no warranty regarding the completeness or accuracy of patch availability or vendor statements. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10220HIGHNousResearch hermes-agent Injection Vulnerability – Patch Guidance
- CVE-2026-10221HIGHNousResearch hermes-agent Remote Code Injection Vulnerability
- CVE-2026-10210MEDIUMAstrBot 4.23.6 Prompt Injection Vulnerability
- CVE-2026-10222MEDIUMNousResearch hermes-agent Environment Variable Injection Vulnerability
- CVE-2026-10223MEDIUMNousResearch hermes-agent Injection Vulnerability – Exploit Available
- CVE-2026-10661MEDIUMInput Injection in blender-mcp — MEDIUM Severity Authentication Required
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login