CVE-2026-11467: Path Traversal in jshERP Accounting Software – Analysis & Patch Guidance
A path traversal vulnerability exists in jishenghua jshERP versions up to 3.6. An authenticated attacker can manipulate the fileName parameter in the addAccountHeadAndDetail endpoint to write or access files outside the intended directory. Because the vulnerability requires valid credentials to exploit, the immediate risk is constrained to insider threats or compromised accounts. However, the public disclosure of the issue increases the likelihood of exploitation attempts.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
- Weaknesses (CWE)
- CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A security vulnerability has been detected in jishenghua jshERP up to 3.6. This vulnerability affects the function addAccountHeadAndDetail of the file jshERP-boot/src/main/java/com/jsh/erp/service/AccountHeadService.java of the component addAccountHeadAndDetail Endpoint. Such manipulation of the argument fileName leads to path traversal. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11467 is a path traversal flaw (CWE-22) in the AccountHeadService.java component of jshERP-boot. The addAccountHeadAndDetail endpoint fails to properly validate the fileName argument, allowing an authenticated user to inject path traversal sequences (such as ../) to read, write, or overwrite arbitrary files on the server. The vulnerability operates at CVSS 3.1 score 5.4 (MEDIUM severity) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L, indicating network-accessible attack surface, low attack complexity, requirement for low privileges (authentication), and integrity and availability impact. No confidentiality impact is scored.
Business impact
Organizations running jshERP up to version 3.6 face operational disruption risk if an authenticated user exploits this flaw to corrupt accounting records, configuration files, or application state files. The lack of confidentiality impact means data exfiltration is not a primary concern, but integrity and availability of critical financial data could be compromised. Insider threats become a relevant scenario; a disgruntled employee with valid credentials could sabotage records. The public disclosure status means threat actors are now aware of the attack vector and may probe vulnerable instances.
Affected systems
The vulnerability affects jishenghua jshERP up to and including version 3.6. The vulnerability resides in the addAccountHeadAndDetail endpoint of the AccountHeadService component within the jshERP-boot application. Deployment scope depends on organizational adoption of this ERP solution; it is not a widespread platform, but organizations relying on it for accounting operations are directly at risk.
Exploitability
Exploitation requires valid authentication credentials, which elevates the bar compared to unauthenticated remote code execution. However, the attack complexity is low, meaning the attacker does not need to perform complex tricks or timing attacks. Public disclosure of the vulnerability increases the likelihood that exploitation attempts will occur, though the required authentication prerequisite limits the blast radius to insider threats, credential compromise scenarios, or accounts that have been previously breached. Proof-of-concept details are publicly available, lowering the technical skill needed to mount an attack.
Remediation
Patch jshERP to a version newer than 3.6 that addresses the path traversal flaw. Verify the patch in the vendor's official advisory before deployment. If patching is delayed, implement input validation controls on the fileName parameter at the application level to reject path traversal sequences (../, .., backslashes, etc.). Deploy network-level access controls to limit which users can reach the addAccountHeadAndDetail endpoint. Monitor authentication logs and file system access patterns for suspicious activity.
Patch guidance
Apply the latest stable release of jshERP beyond version 3.6. Consult the official jishenghua repository or vendor security advisories to confirm the patch version and download location. Test the patch in a non-production environment before rollout to accounting-critical systems. The vendor has not yet publicly acknowledged this vulnerability (per the submitted report), so monitor for patch availability announcements. If patches are unavailable within a reasonable timeframe, consider alternative mitigations such as WAF rules or reverse proxy filtering.
Detection guidance
Monitor logs for addAccountHeadAndDetail endpoint requests that contain path traversal patterns in the fileName parameter (e.g., ../, ..\ , %2e%2e, etc.). Review file system audit logs on the jshERP server for unexpected file creation, modification, or access outside normal application directories, especially targeting configuration and data files. Correlate authentication logs with suspicious file system activity to identify potential insider exploitation. Implement intrusion detection signatures that flag path traversal attempts in HTTP parameters to the jshERP application.
Why prioritize this
Although the CVSS score is MEDIUM (5.4) and authentication is required, the public disclosure of the vulnerability and the targeting of financial/accounting data warrant prioritization. Organizations using jshERP should patch or implement compensating controls promptly. The integrity impact on accounting records could lead to compliance violations, audit failures, or financial misstatement. The low attack complexity and network accessibility mean that even a single compromised account or insider threat actor can cause measurable harm.
Risk score, explained
The CVSS 3.1 score of 5.4 reflects the requirement for authentication (which reduces risk) but recognizes the network-accessible attack vector and the integrity and availability impact. The score does not capture the reputational or compliance damage from corrupted accounting data, nor does it fully account for the public disclosure status increasing real-world exploitation probability. Organizations should assess their own risk appetite and the sensitivity of their jshERP deployment to determine whether additional mitigations beyond patching are warranted.
Frequently asked questions
Do I need to patch jshERP immediately if I use version 3.6 or earlier?
Yes, patching is recommended as a high priority. The vulnerability is publicly disclosed and requires only valid authentication to exploit. If patching is delayed, implement input validation and network access controls to reduce exposure. Verify patch availability from the vendor before attempting updates.
Can this vulnerability be exploited remotely without authentication?
No. The vulnerability requires valid login credentials to the jshERP application. This reduces the immediate risk to insider threats, compromised accounts, or organizations where external users have legitimate access. Network segmentation and strong access controls are important defensive layers.
What files are at risk if this vulnerability is exploited?
Any file readable or writable by the jshERP application user account on the server is at risk. Attackers could target accounting data files, configuration files, log files, or other application state files. The integrity of financial records is the primary concern. Backup and recovery capabilities should be tested to prepare for potential tampering.
Has the vendor released a patch yet?
As of the information provided, the vendor has not publicly responded to the disclosure. Monitor official jishenghua repositories, GitHub, or vendor security advisories for patch announcements. If patches are not forthcoming, consider contacting the vendor directly or evaluating alternative ERP solutions.
This analysis is provided for informational purposes to assist security teams in vulnerability assessment and risk management. It is not a substitute for vendor security advisories or independent security testing. Patch versions and availability dates must be verified directly with jishenghua or official sources before deployment. Organizations should conduct their own testing in non-production environments prior to implementing patches or compensating controls. SEC.co makes no warranty regarding the completeness or accuracy of remediation steps and recommends consulting with your security and operations teams before taking action. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2019-25734MEDIUMContact Form by WD CSRF & Local File Inclusion Vulnerability
- CVE-2019-25740MEDIUMJoomla com_jsjobs Arbitrary File Deletion Vulnerability
- CVE-2022-50953MEDIUMWordPress admin-word-count-column Plugin Local File Read Vulnerability
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required
- CVE-2024-47273MEDIUMSynology Hyper Backup Path Traversal Vulnerability (4.3 MEDIUM)
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller