CVE-2026-3026
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the UEditor component of erzhongxmu JEEWMS 3.7. Attackers can exploit the /plug-in/ueditor/jsp/getRemoteImage.jsp file by manipulating the 'upfile' parameter to make the server send unauthorized requests to internal or external systems. Organizations using JEEWMS 3.7 with the vulnerable UEditor component are affected.
💻 Affected Systems
- erzhongxmu JEEWMS
📦 What is this software?
Jeewms by Jeewms
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot to internal systems, access cloud metadata services, perform port scanning, or interact with internal APIs to steal sensitive data or achieve remote code execution.
Likely Case
Attackers will scan internal networks, access internal web applications, or interact with cloud metadata services to obtain credentials and escalate access.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to the vulnerable server itself with minimal data exposure.
🎯 Exploit Status
An exploit has been publicly disclosed and requires minimal technical skill to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Consider removing or disabling the UEditor component entirely.
🔧 Temporary Workarounds
Block access to vulnerable endpoint
Configure the web server or WAF to block requests to /plug-in/ueditor/jsp/getRemoteImage.jsp
# Apache: RewriteRule ^/plug-in/ueditor/jsp/getRemoteImage\.jsp$ - [F]
# Nginx: location ~ ^/plug-in/ueditor/jsp/getRemoteImage\.jsp$ { return 403; }
Disable UEditor component
Remove or disable the UEditor plugin from the JEEWMS installation
rm -rf /path/to/jeewms/plug-in/ueditor/
# Or rename directory: mv /path/to/jeewms/plug-in/ueditor/ /path/to/jeewms/plug-in/ueditor_disabled/
🧯 If You Can't Patch
- Implement strict network egress filtering to prevent the server from making requests to internal systems
- Deploy a WAF with SSRF protection rules in front of the application
🔍 How to Verify
Check if Vulnerable:
Test if /plug-in/ueditor/jsp/getRemoteImage.jsp is accessible and accepts the 'upfile' parameter
Check Version:
Check JEEWMS version in admin panel or application files
Verify Fix Applied:
Verify the endpoint returns 403/404 or the UEditor directory no longer exists
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /plug-in/ueditor/jsp/getRemoteImage.jsp with 'upfile' parameter containing unusual URLs
- Outbound requests from server to internal IP ranges or metadata services
Network Indicators:
- Unusual outbound HTTP requests from the JEEWMS server to internal systems
SIEM Query:
source="web_server" AND uri="/plug-in/ueditor/jsp/getRemoteImage.jsp" AND query="*upfile=*"
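Added example (not part of the advisory): a small Python log scanner that applies the log indicators above to constructed access-log lines, reporting every 'upfile' value sent to the endpoint and flagging those that point at private, loopback or link-local addresses or at cloud metadata hosts. The combined log format and the metadata host list are assumptions.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlparse

# Endpoint and parameter named in the advisory (CVE-2026-3026, JEEWMS 3.7 UEditor).
VULN_PATH = "/plug-in/ueditor/jsp/getRemoteImage.jsp"
# Cloud metadata hosts treated as high severity (assumed common values, not from the page).
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}
# Apache/Nginx combined log format (assumption about the deployment's log layout).
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

def classify_target(target: str) -> str:
    """Classify the URL the server was asked to fetch: metadata, internal, external or invalid."""
    host = urlparse(target).hostname
    if not host:
        return "invalid"
    if host.lower() in METADATA_HOSTS:
        return "metadata"
    try:
        # Private, loopback and link-local literals are all non-global.
        return "external" if ip_address(host).is_global else "internal"
    except ValueError:
        # A DNS name cannot be resolved offline; reported as external for analyst review.
        return "external"

def scan_access_log(lines):
    """Return one (client, timestamp, target, classification) tuple per request to the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("uri").partition("?")
        if path != VULN_PATH:
            continue
        # parse_qs percent-decodes the value, so encoded hosts are compared in clear text.
        for target in parse_qs(query).get("upfile", []):
            hits.append((m.group("client"), m.group("ts"), target, classify_target(target)))
    return hits

# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses as clients.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /plug-in/ueditor/jsp/getRemoteImage.jsp?upfile=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /plug-in/ueditor/jsp/getRemoteImage.jsp?upfile=http%3A%2F%2F10.0.0.5%3A8080%2F HTTP/1.1" 200 233',
    '198.51.100.2 - - [10/Mar/2026:12:00:03 +0000] "GET /plug-in/ueditor/jsp/getRemoteImage.jsp?upfile=https%3A%2F%2Fexample.com%2Fa.png HTTP/1.1" 200 4096',
    '198.51.100.2 - - [10/Mar/2026:12:00:04 +0000] "GET /index.jsp HTTP/1.1" 200 1024',
]
```

Run scan_access_log over a real access log and alert on the "metadata" and "internal" classifications; "external" hits still merit review since a DNS name may resolve to an internal address.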