@Catherines77
Catherines77 / CVE-2026-36418
Last active June 16, 2026 09:05
CVE-2026-36418
[CVE ID]
CVE-2026-36418
[PRODUCT]
https://github.com/jeecgboot/jimureport
[VERSION]
≤V2.3.4
[PROBLEM TYPE]
Remote Code Execution (RCE)
[DESCRIPTION]
JimuReport versions 2.3.4 and below do not effectively restrict user input at the `/jmreport/executeSelectApi` API, passing it directly to the `execute` method of the Aviator expression engine, which leads to Aviator expression injection.
@Catherines77
Catherines77 / CVE-2025-66913.txt
Last active January 8, 2026 03:00
CVE-2025-66913
[CVE ID]
CVE-2025-66913
[PRODUCT]
https://github.com/jeecgboot/jimureport
[VERSION]
V2.1.3
[PROBLEM TYPE]
Remote Code Execution (RCE)
[DESCRIPTION]
The `/jmreport/testConnection` interface accepts a user-controlled JDBC URL and passes it directly to the H2 database driver. A crafted JDBC URL containing `INIT` or `CREATE ALIAS` directives can cause arbitrary Java code execution.
@Catherines77
Catherines77 / CVE-2025-25426.txt
Created February 28, 2025 14:20
CVE-2025-25426
[CVE ID]
CVE-2025-25426
[PRODUCT]
https://github.com/guchengwuyue/yshopmall
[VERSION]
V1.9
[PROBLEM TYPE]
SQL Injection
[DESCRIPTION]
There is a SQL injection vulnerability in the backend of the yshopmall shopping mall system.
@Catherines77
Catherines77 / CVE-2024-57498.txt
Created February 2, 2025 10:14
CVE-2024-57498
[CVE ID]
CVE-2024-57498
[PRODUCT]
https://github.com/saysky/ForestBlog
[VERSION]
latest
[PROBLEM TYPE]
Stored XSS
[DESCRIPTION]
Stored XSS exists in the administrator backend `/admin/article/editSubmit` interface.