CVE-2026-1549
📋 TL;DR
This CVE describes a path traversal vulnerability in the PluginController component of jishenghua jshERP. The /jshERP-boot/plugin/uploadPluginConfigFile endpoint does not constrain the configFile parameter to the plugin directory, so an attacker who can reach the endpoint can supply ../ sequences and access files outside the intended location on the server. jshERP versions up to 3.6 are affected.
💻 Affected Systems
- jishenghua jshERP
📦 What is this software?
jshERP is an open-source ERP (enterprise resource planning) system published by jishenghua on GitHub. The /jshERP-boot path prefix belongs to its Spring Boot backend, which exposes the vulnerable PluginController.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through sensitive file disclosure (configuration files, credentials, source code) leading to data theft, privilege escalation, or further attacks.
Likely Case
Unauthorized file access exposing configuration data, potentially enabling credential harvesting or system information disclosure.
If Mitigated
Limited impact with proper file permissions and network segmentation, potentially only exposing non-sensitive files.
🎯 Exploit Status
Exploit details are public in GitHub issue #146 (see References). The attack needs only network access to the vulnerable endpoint and a crafted configFile value, so it is straightforward to execute. Because the endpoint is an upload handler, check the issue for whether the traversal affects the path being read or the path being written; the workarounds below apply in either case.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Monitor the GitHub repository for updates. Consider applying community fixes if available.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
Restrict access to the /jshERP-boot/plugin/uploadPluginConfigFile endpoint with a web application firewall or reverse proxy rule. If the plugin upload feature is still needed, allow only administrator source addresses instead of denying everything.
# Example nginx location block (^~ stops a later regex location from overriding the deny)
location ^~ /jshERP-boot/plugin/uploadPluginConfigFile { deny all; }
# Example Apache reverse-proxy rule, httpd 2.4 syntax. <Location> matches the request URI;
# <FilesMatch> only matches files served from disk and would not cover a proxied endpoint.
<Location "/jshERP-boot/plugin/uploadPluginConfigFile">
Require all denied
</Location>
Input Validation
Implement server-side validation that resolves the configFile parameter against the plugin directory and rejects any result that falls outside it. Matching only the literal strings ../ and ..\ is not enough: URL-encoded (%2e%2e%2f), upper-case (%2E%2E), double-encoded (%252e%252e), backslash and absolute-path forms all bypass a naive substring check.
// Example Java validation (needs java.nio.file.Path and java.nio.file.Paths): canonicalise, then check containment
Path base = Paths.get(pluginDir).toAbsolutePath().normalize(); // pluginDir: the configured plugin directory
Path target = base.resolve(configFile).normalize();            // an absolute configFile resolves to itself and fails the check
if (!target.startsWith(base) || target.equals(base)) {
    throw new SecurityException("Path traversal attempt detected: " + configFile);
}
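The following is an added example, not code from jshERP or from the GitHub issue: a Python reference model of the containment check the Java workaround above needs, shown next to the original substring check so the bypasses can be compared. PLUGIN_DIR, the decoding depth and the probe values are assumptions constructed for the example; the logic works on strings only, so it runs without touching the filesystem.

```python
# Added example (not jshERP's code): reference model of a canonical-path containment check
# for the configFile parameter, compared with the naive ".." substring check.
import posixpath
from urllib.parse import unquote

PLUGIN_DIR = "/opt/jshERP/plugins"  # hypothetical plugin directory, an assumption for this example


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo up to max_rounds layers of URL encoding (bounded, so it cannot loop forever)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_config_path(config_file: str, base: str = PLUGIN_DIR) -> str:
    """Return the canonical path for config_file under base, or raise ValueError.

    Mirrors the Java Path.resolve / normalize / startsWith check: decode, fold
    backslashes to slashes, normalise away ./ and ../, then require that the
    result is a strict descendant of base.
    """
    name = fully_decode(config_file).replace("\\", "/")
    if not name:
        raise ValueError("empty config file name")
    # posixpath.join discards base when name is absolute; normpath folds ./ and ../
    resolved = posixpath.normpath(posixpath.join(base, name))
    base_norm = posixpath.normpath(base)
    # Component-wise containment: "/opt/jshERP/plugins-evil" must not pass for "/opt/jshERP/plugins",
    # and the directory itself is not a valid config file.
    if resolved == base_norm or not resolved.startswith(base_norm + "/"):
        raise ValueError(f"path traversal attempt: {config_file!r} -> {resolved}")
    return resolved


def is_safe_config_path(config_file: str, base: str = PLUGIN_DIR) -> bool:
    """Boolean form of resolve_config_path for callers that only need accept/reject."""
    try:
        resolve_config_path(config_file, base)
        return True
    except ValueError:
        return False


def naive_check(config_file: str) -> bool:
    """The substring check from the original workaround snippet, kept for comparison."""
    return not (".." in config_file or "%2e%2e" in config_file)


if __name__ == "__main__":
    # Constructed probe values: the last three slip past naive_check but not resolve_config_path.
    probes = [
        "plugin.json",
        "../../../etc/passwd",
        "%2E%2E/%2E%2E/etc/passwd",
        "%252e%252e/%252e%252e/etc/shadow",
        "/etc/passwd",
    ]
    for p in probes:
        print(f"naive={naive_check(p)!s:5}  canonical={is_safe_config_path(p)!s:5}  {p}")
```

The decode loop is bounded on purpose: an unbounded "decode until stable" loop is itself a denial-of-service target. In the real application the servlet container has already decoded the parameter once, so the extra rounds only matter for deliberately double-encoded input.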
🧯 If You Can't Patch
- Implement strict network segmentation to isolate jshERP instances from sensitive systems.
- Apply principle of least privilege to file system permissions and restrict jshERP process access.
🔍 How to Verify
Check if Vulnerable:
Against a test instance you control, send a request to /jshERP-boot/plugin/uploadPluginConfigFile whose configFile parameter contains a traversal sequence such as ../../etc/passwd, and repeat it with the URL-encoded form; the instance is vulnerable if the server processes the value instead of rejecting it.
Check Version:
Check the jshERP version in the application interface or in the deployment's build metadata; versions up to 3.6 are affected.
Verify Fix Applied:
Confirm that a traversal probe is rejected (an HTTP 403 from the proxy rule, or an application error from the path check) and that the endpoint is reachable only from the intended administrator network.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /jshERP-boot/plugin/uploadPluginConfigFile whose parameters contain ../ or ..\, including URL-encoded (%2e%2e%2f, %2e%2e%5c) and double-encoded (%252e%252e) forms
- Application or filesystem audit events showing the jshERP process opening files outside its plugin and upload directories
Network Indicators:
- Requests to the endpoint from source addresses, or at times, that do not match normal administrator activity
- Repeated requests to the endpoint with varying parameter values, the pattern of a traversal probe or scanner
SIEM Query:
source="web_server" AND uri_path="/jshERP-boot/plugin/uploadPluginConfigFile" AND (param="*../*" OR param="*..\\*" OR param="*%2e%2e*" OR param="*%252e%252e*")
Decode the parameter value before matching where the SIEM supports it. A parameter sent in a POST body is not recorded by default access logging, so capture it at the WAF, reverse proxy or application layer if the upload is submitted that way.
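As an added example (not part of this advisory or the jshERP project), the log indicator above applied to a few constructed access-log lines in the common nginx/Apache combined format. Unlike the raw-string SIEM query, it URL-decodes each query parameter before matching, so encoded and double-encoded traversal sequences trigger the same rule. The log lines, addresses and timestamps are invented for the example; the script only sees what the access log records, so a configFile value carried in a POST body (the last sample line) is not visible to it.

```python
# Added example: scan combined-format access-log lines for traversal attempts against
# the vulnerable jshERP endpoint. Sample log lines below are constructed, not real traffic.
import re
from urllib.parse import unquote, urlsplit, parse_qsl

VULN_PATH = "/jshERP-boot/plugin/uploadPluginConfigFile"

# Combined log format: ip - user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A ".." path segment delimited by / or \ (or at either end of the value)
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def decode_twice(value: str) -> str:
    """Two decoding rounds: one for normal encoding, one to unmask %25-encoded attempts."""
    return unquote(unquote(value))


def traversal_params(target: str) -> list:
    """Return (name, decoded value) pairs for query parameters that carry a traversal
    segment or an absolute path. parse_qsl already decodes once; decode_twice adds two more."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = decode_twice(value)
        if TRAVERSAL_RE.search(decoded) or decoded.startswith("/"):
            hits.append((name, decoded))
    return hits


def scan_log(lines) -> list:
    """Return one alert per request to VULN_PATH whose parameters look like traversal."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        if unquote(urlsplit(target).path) != VULN_PATH:
            continue
        hits = traversal_params(target)
        if hits:
            alerts.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "params": hits,
            })
    return alerts


# Constructed sample: one benign use, a plain traversal, a double-encoded traversal,
# an unrelated request, and a POST whose parameters are in the (unlogged) body.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2026:10:01:02 +0000] "GET /jshERP-boot/plugin/uploadPluginConfigFile?configFile=plugin.json HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2026:10:01:09 +0000] "GET /jshERP-boot/plugin/uploadPluginConfigFile?configFile=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.4.0"',
    '203.0.113.7 - - [12/Jan/2026:10:01:15 +0000] "GET /jshERP-boot/plugin/uploadPluginConfigFile?configFile=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 500 102 "-" "curl/8.4.0"',
    '198.51.100.2 - - [12/Jan/2026:10:02:30 +0000] "GET /jshERP-boot/user/info?id=5 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jan/2026:10:03:00 +0000] "POST /jshERP-boot/plugin/uploadPluginConfigFile HTTP/1.1" 403 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A 200 response on a traversal request (the second sample line) is the one to escalate first: it suggests the server processed the value. The decoding is limited to a fixed number of rounds for the same reason as in the validation example, so that a crafted value cannot turn the detector into a loop.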
🔗 References
- https://github.com/jishenghua/jshERP/
- https://github.com/jishenghua/jshERP/issues/146
- https://github.com/jishenghua/jshERP/issues/146#issue-3817997461
- https://vuldb.com/?ctiid.343245
- https://vuldb.com/?id.343245
- https://vuldb.com/?submit.739805