PT-2026-35751 · Unknown · Jeecg-Boot

Larlarua · Published 2026-04-28 · Updated 2026-04-28 · CVE-2026-7290

CVSS v2.0: 6.5 Medium

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions
JeecgBoot versions prior to 3.9.1

Description
A remote SQL injection is possible via the 'loadDict' endpoint. The issue is in the SqlInjectionUtil() function in the file jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java, where manipulation of the keyword argument allows the attack.

Recommendations
Deploy patch a9c8e8eb1185751c4c3c68d2a53f3dadee9edc6b. As a temporary workaround, restrict access to the 'loadDict' endpoint to minimize the risk of exploitation.

Exploit

Fix

Special Elements Injection

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-7290

Affected Products

Jeecg-Boot