CVE-2026-1746

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in JeecgBoot 3.9.0 allows remote attackers to execute arbitrary SQL commands through the Online Report API's loadDictItemByKeyword endpoint. Attackers can potentially access, modify, or delete database content. Organizations using JeecgBoot 3.9.0 with the vulnerable API endpoint exposed are affected.

💻 Affected Systems

Products:
  • JeecgBoot
Versions: 3.9.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with the Online Report API component enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, and potential lateral movement to other systems via database connections.

🟠 Likely Case

Data exfiltration from the JeecgBoot database, potentially including sensitive application data and user information.

🟢 If Mitigated

Limited impact with proper input validation and database permission restrictions, potentially only allowing data reading from specific tables.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects an API endpoint, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but have reduced attack surface compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit is publicly available and requires minimal technical skill to execute against vulnerable systems.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor was contacted but did not respond. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

  • Implement strict input validation for the keyword parameter to block SQL injection attempts
  • Implement parameterized queries or prepared statements in the loadDictItemByKeyword endpoint

Web Application Firewall Rules (applies to: all)

  • Add WAF rules to block SQL injection patterns targeting the vulnerable endpoint
  • Add rule: Block requests to /JeecgBoot/sys/api/loadDictItemByKeyword containing SQL keywords like UNION, SELECT, INSERT, UPDATE, DELETE, DROP, OR, AND with suspicious patterns
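The two workarounds above amount to "bind the value, and reject malformed values before they reach the query". The example below is added here and is not JeecgBoot's code: it uses an in-memory SQLite table with a hypothetical dict_item schema and constructed rows, shows the string-concatenation pattern that produces this class of bug beside the parameterized form, and adds an allowlist check for the keyword parameter. The probe string is the one quoted in the verification section of this advisory.

```python
# Added example, not JeecgBoot's code. The dict_item table and its rows are
# constructed stand-ins for the real dictionary-item schema.
import re
import sqlite3

SAMPLE_ROWS = [
    ("sex", "male", "1"),
    ("sex", "female", "2"),
    ("status", "enabled", "1"),
    ("status", "disabled", "0"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dict_item (dict_code TEXT, item_text TEXT, item_value TEXT)"
    )
    conn.executemany("INSERT INTO dict_item VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, keyword):
    # BAD: user input is spliced into the SQL text, so a quote in `keyword`
    # changes the statement's structure instead of being treated as data.
    sql = f"SELECT item_text, item_value FROM dict_item WHERE item_text = '{keyword}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, keyword):
    # GOOD: the driver binds `keyword` as a value; the SQL text never changes.
    sql = "SELECT item_text, item_value FROM dict_item WHERE item_text = ?"
    return conn.execute(sql, (keyword,)).fetchall()


# Allowlist for a dictionary search keyword: word characters (letters, digits,
# underscore, CJK), space and hyphen, 1-64 characters. Quotes are not allowed.
KEYWORD_RE = re.compile(r"[\w -]{1,64}")


def keyword_is_valid(keyword):
    return KEYWORD_RE.fullmatch(keyword) is not None


def lookup_validated(conn, keyword):
    # Defence in depth: reject malformed input before it reaches the database,
    # and still bind the value that does get through.
    if not keyword_is_valid(keyword):
        raise ValueError("keyword rejected by input validation")
    return lookup_parameterized(conn, keyword)


if __name__ == "__main__":
    db = make_db()
    probe = "test' OR '1'='1"  # probe string from the advisory's verification step
    print("vulnerable:", lookup_vulnerable(db, probe))        # every row comes back
    print("parameterized:", lookup_parameterized(db, probe))  # [] - treated as a literal
    print("valid keyword?", keyword_is_valid(probe))          # False
```

Running it shows the concatenated query returning the whole table for the probe, while the bound parameter returns nothing because the probe is compared as a literal string. The allowlist is a second, independent layer: a parameter value with a quote never reaches the query at all, which also gives you a clean rejection to log.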

🧯 If You Can't Patch

  • Block external access to /JeecgBoot/sys/api/loadDictItemByKeyword endpoint using network firewall rules or web server configuration
  • Implement database user permission restrictions to limit the impact of successful SQL injection

🔍 How to Verify

Check if Vulnerable:

Test the endpoint with SQL injection payloads such as keyword=test' OR '1'='1 and observe whether database errors or unexpected data are returned

Check Version:

Check JeecgBoot version in application configuration files or admin interface

Verify Fix Applied:

Test with the same SQL injection payloads and verify they are properly rejected or sanitized without executing SQL commands

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in application logs
  • Unusual database queries from the JeecgBoot application user
  • Multiple failed requests to /JeecgBoot/sys/api/loadDictItemByKeyword with SQL keywords

Network Indicators:

  • HTTP requests to /JeecgBoot/sys/api/loadDictItemByKeyword containing SQL injection patterns
  • Unusual database network traffic patterns from the application server

SIEM Query:

source="web_server_logs" AND uri="/JeecgBoot/sys/api/loadDictItemByKeyword" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*" OR query="*UPDATE*" OR query="*DELETE*" OR query="*DROP*")
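The SIEM query above matches raw substrings, so it misses URL-encoded values (the keyword arrives as %27, %20 and so on) and fires on innocent words such as "order". The following detection logic is an added example, not part of the advisory, that implements the same intent over access-log lines: it parses each line, decodes the query string, matches the listed SQL keywords as whole words on the decoded keyword value, and counts hits per source address so that repeated probing stands out as the Log Indicators describe. The log lines and addresses are constructed; the endpoint path is the one named in this advisory.

```python
# Added example (not part of the advisory): the SIEM query as parsing-based
# detection over constructed combined-format access-log lines.
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/JeecgBoot/sys/api/loadDictItemByKeyword"

# Constructed sample log. Two benign requests, two encoded probes from one
# address, and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /JeecgBoot/sys/api/loadDictItemByKeyword?keyword=male HTTP/1.1" 200 120
10.0.0.9 - - [01/Mar/2026:10:00:02 +0000] "GET /JeecgBoot/sys/api/loadDictItemByKeyword?keyword=order HTTP/1.1" 200 98
203.0.113.7 - - [01/Mar/2026:10:00:03 +0000] "GET /JeecgBoot/sys/api/loadDictItemByKeyword?keyword=test%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312
203.0.113.7 - - [01/Mar/2026:10:00:04 +0000] "GET /JeecgBoot/sys/api/loadDictItemByKeyword?keyword=x%27%20UNION%20SELECT%201 HTTP/1.1" 500 312
10.0.0.5 - - [01/Mar/2026:10:00:05 +0000] "GET /JeecgBoot/index.html HTTP/1.1" 200 4021
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The keywords from the SIEM query, matched as whole words on the decoded value
# so that "order" or "android" do not trip the OR/AND terms.
SQL_KEYWORDS = re.compile(
    r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP|OR|AND)\b", re.IGNORECASE
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so encoded probes are compared in clear.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def is_suspicious(rec):
    """True for requests to the vulnerable endpoint whose keyword carries a
    quote or one of the listed SQL keywords."""
    if rec is None or rec["path"] != TARGET_PATH:
        return False
    for value in rec["params"].get("keyword", []):
        if "'" in value or SQL_KEYWORDS.search(value):
            return True
    return False


def scan_log(text):
    """Return (suspicious records, hit count per source IP)."""
    hits = [rec for rec in map(parse_line, text.splitlines()) if is_suspicious(rec)]
    return hits, Counter(rec["ip"] for rec in hits)


if __name__ == "__main__":
    hits, by_ip = scan_log(SAMPLE_LOG)
    for rec in hits:
        print(rec["ts"], rec["ip"], rec["status"], rec["params"]["keyword"])
    print("hits per source:", dict(by_ip))
```

Feed it the real access log and alert on any source with more than a handful of hits in a short window; the quote check is what catches the advisory's own probe string, which contains none of the listed keywords as a standalone word except OR.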
