thinkgem/jeesite

GitHub

github.com

jeesite.com

Releases109

Frequency1 month 2 weeks

Last Release about 2 months ago

Stars8.04K

👍Java 低代码, 轻量级, Spring Boot, MyBatis, Flowable, TypeScript, Vue, Antdv, 包括核心模块如：组织机构、角色用户、权限授权、数据权限、内容管理、工作流、Spring Cloud 微服务等。

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-36761 ↗	Apr 30, 2026Thursday, 30 April 2026, 18:16	6.1 MEDIUM	—
A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter.
CVE-2026-36762 ↗	Apr 30, 2026Thursday, 30 April 2026, 18:16	8.8 HIGH	—
An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations.
CVE-2026-36760 ↗	Apr 30, 2026Thursday, 30 April 2026, 17:16	9.6 CRITICAL	—
An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled.
CVE-2023-38991 ↗	Aug 4, 2023Friday, 4 August 2023, 00:15	5.4 MEDIUM	—
An issue in the delete function in the ActModelController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete models created by the Administrator.
CVE-2023-38990 ↗	Aug 2, 2023Wednesday, 2 August 2023, 00:15	4.3 MEDIUM	—
An issue in the delete function in the MenuController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete menus created by the Administrator.
CVE-2023-38989 ↗	Jul 31, 2023Monday, 31 July 2023, 18:15	4.3 MEDIUM	—
An issue in the delete function in the UserController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete the Administrator's role information.
CVE-2023-38988 ↗	Jul 28, 2023Friday, 28 July 2023, 21:15	4.3 MEDIUM	—
An issue in the delete function in the OaNotifyController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete notifications created by Administrators.
CVE-2023-34601 ↗	Jun 22, 2023Thursday, 22 June 2023, 11:15	9.8 CRITICAL	—
Jeesite before commit 10742d3 was discovered to contain a SQL injection vulnerability via the component ${businessTable} at /act/ActDao.xml.
CVE-2020-19229 ↗	Apr 5, 2022Tuesday, 5 April 2022, 16:15	9.8 CRITICAL	7.5 HIGH
Jeesite 1.2.7 uses the apache shiro version 1.2.3 affected by CVE-2016-4437. Because of this version of the java deserialization vulnerability, an attacker could exploit the vulnerability to execute arbitrary commands via the rememberMe parameter.
CVE-2019-1010201 ↗	Jul 23, 2019Tuesday, 23 July 2019, 18:15	—	4 MEDIUM
Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticated. The fixed version is: 4.0 and later.
CVE-2019-1010202 ↗	Jul 23, 2019Tuesday, 23 July 2019, 14:15	—	4 MEDIUM
Jeesite 1.2.7 is affected by: XML External Entity (XXE). The impact is: sensitive information disclosure. The component is: convertToModel() function in src/main/java/com.thinkgem.jeesite/modules/act/service/ActProcessService.java. The attack vector is: network connectivity,authenticated,must upload a specially crafted xml file. The fixed version is: 4.0 and later.