{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-43028", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-01T19:30:02.963Z", "dateReserved": "2024-08-05T00:00:00.000Z", "datePublished": "2026-04-01T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T16:03:27.041Z"}, "descriptions": [{"lang": "en", "value": "A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 allows attackers to execute arbitrary code via a crafted HTTP request."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://pan.baidu.com/s/1h2RGEvxuvsKtsn2-TlFlmA?pwd=gf5r"}, {"url": "https://gist.github.com/aqyoung/e3b7ba5d8b8261df7d09931dbe779b3b"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T19:27:46.494836Z", "id": "CVE-2024-43028", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:30:02.963Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-43028", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T19:27:46.494836Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:28:13.303Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://pan.baidu.com/s/1h2RGEvxuvsKtsn2-TlFlmA?pwd=gf5r"}, {"url": "https://gist.github.com/aqyoung/e3b7ba5d8b8261df7d09931dbe779b3b"}], "descriptions": [{"lang": "en", "value": "A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 allows attackers to execute arbitrary code via a crafted HTTP request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T16:03:27.041Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43028", "state": "PUBLISHED", "dateUpdated": "2026-04-01T19:30:02.963Z", "dateReserved": "2024-08-05T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-01T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jeecg:jeecg_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EAE49E3-CDA2-49D8-B812-910C2FCA0C21", "versionEndIncluding": "3.5.3", "versionStartIncluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 allows attackers to execute arbitrary code via a crafted HTTP request."}], "id": "CVE-2024-43028", "lastModified": "2026-04-06T15:34:18.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T17:16:57.220", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/aqyoung/e3b7ba5d8b8261df7d09931dbe779b3b"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://pan.baidu.com/s/1h2RGEvxuvsKtsn2-TlFlmA?pwd=gf5r"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.5.3]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 80.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "jeecgboot", "vendor": "jeecg"}], "analysis": {"en": {"generated_at": "2026-04-06T19:28:36.104716+00:00", "value": {"mitigation_remediation": ["Apply the latest Jeecg Boot patch or upgrade beyond version 3.5.3 if available. If no patch is released, restrict network access to the /jmreport/show endpoint to trusted users or move it behind an internal firewall. Deploy or enable a web application firewall to validate or block suspicious input patterns targeting the endpoint. Monitor application logs for anomalous command execution attempts on the /jmreport/show route. Ensure that the underlying operating system limits shell access and that environment variables are not exposed through the API."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in Jeecg Boot versions 3.0.0 through 3.5.3, including the open\u2011source distribution. Any instance of Jeecg Boot running within that version range that exposes the /jmreport/show URI to the internet or an untrusted network is susceptible to exploitation.", "description_and_impact": "A command injection flaw in Jeecg Boot's /jmreport/show endpoint allows attackers to execute arbitrary code on the server. The weakness, classified as CWE\u201177, means that specially crafted HTTP requests can insert shell commands into the server\u2019s execution context, enabling full control over the affected host. This elevates the threat to complete compromise of confidentiality, integrity, and availability of the compromised system.", "risk_and_exploitability": "With a CVSS score of 9.8 the risk is critical. The EPSS score below 1% suggests currently low measured exploitation probability, but the lack of a current KEV listing does not reduce the impact. Attackers would need to send a crafted HTTP request to /jmreport/show to trigger the injection; no user interaction beyond reaching the endpoint is required. Given the remote nature of the vector, any exposed or unattended deployment is at high risk."}}}}, "created": "2026-04-02T07:51:33.179293+00:00", "updated": "2026-04-07T08:07:50.020667+00:00", "vendors": ["jeecg", "jeecg$PRODUCT$jeecgboot"]}