PT-2025-53641 · Unknown · Jeecg-Boot

Huangweigang · Published 2025-12-28 · Updated 2025-12-28 · CVE-2025-15126

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

JeecgBoot versions up to 3.9.0

Description

A weakness exists in JeecgBoot related to improper authorization. The issue is triggered by manipulating the positionId argument within the getPositionUserList function located in the /sys/position/getPositionUserList file. This manipulation can lead to unauthorized access. The attack can be initiated remotely, but is considered complex and difficult to exploit. The exploit has been publicly released. The vendor was notified but did not respond.

Recommendations

Versions prior to 3.9.0 are affected. Update JeecgBoot to a version newer than 3.9.0. As a temporary workaround, restrict access to the /sys/position/getPositionUserList file.

Exploit

Fix

Weakness Enumeration: Incorrect Authorization, Incorrect Privilege Assignment, Improper Authorization

Related Identifiers: CVE-2025-15126

Affected Products: Jeecg-Boot