PT-2026-35825 · Xuxueli · Xxl-Job

Larlarua · Published 2026-04-28 · Updated 2026-04-28 · CVE-2026-7305

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Xuxueli xxl-job versions prior to 3.3.3

Description: A server-side request forgery (SSRF) exists in the 'trigger' endpoint. The issue resides in the triggerJob() function within the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java, where improper manipulation of the addressList argument allows a remote attacker to initiate unauthorized requests. SSRF is a flaw that allows an attacker to induce the server-side application to make requests to an unexpected destination.

Recommendations: Update to a version later than 3.3.2. As a temporary workaround, restrict access to the 'trigger' endpoint and ensure strict access control for the triggerJob() function.

Exploit · Fix · SSRF


Related Identifiers: CVE-2026-7305

Affected Products: Xxl-Job