GHSA-mfm8-63gh-gpv6CriticalCVSS 9.1

JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper...

Published
June 17, 2026
Last Modified
June 17, 2026

🔗 CVE IDs covered (1)

📋 Description

JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing attackers to execute arbitrary code.

🔗 References (3)