📦 Jsherp
by Jishenghua
🛡️ Security Overview
⚠️ Known Vulnerabilities
CVE-2025-51745 is a critical deserialization vulnerability in jishenghua JSH_ERP 2.3.1 that allows remote code execution via the /role/addcan endpoint. Attackers can exploit this to execute arbitrary ...
CVE-2025-51746 is a critical deserialization vulnerability in jishenghua JSH_ERP 2.3.1 that allows remote code execution via the /serialNumber/addSerialNumber endpoint. Attackers can exploit fastjson ...
This vulnerability allows remote attackers to execute arbitrary code on JSH_ERP systems through fastjson deserialization attacks targeting the /materialCategory/addMaterialCategory endpoint. Attackers...
This vulnerability allows remote attackers to execute arbitrary code on JSH_ERP systems by exploiting a Fastjson deserialization flaw. Attackers can send specially crafted requests to the vulnerable e...
jshERP v3.3 contains a SQL injection vulnerability in the findallocationDetail() function that allows attackers to bypass the application's protection mechanisms. This enables unauthorized database ac...
CVE-2024-24004 is a critical SQL injection vulnerability in jshERP v3.3 that allows attackers to bypass the application's SQL protection mechanism. Attackers can exploit this by injecting malicious pa...
jshERP up to commit fbda24da contains an unauthenticated remote code execution vulnerability in the jsh_erp function. Attackers can execute arbitrary code on affected systems without authentication. T...
This vulnerability in jshERP v3.5 allows unauthorized attackers to modify supplier statuses under any account due to incorrect access control in RoleController.java. It affects all users of the vulner...
This CVE describes a path traversal vulnerability in jishenghua jshERP's PluginController component. Attackers can exploit the /jshERP-boot/plugin/uploadPluginConfigFile endpoint to access arbitrary f...
This SQL injection vulnerability in jishenghua jshERP allows remote attackers to execute arbitrary SQL commands through the barCodes parameter in the getBillItemByParam function. Organizations using j...
jshERP versions 3.5 and earlier contain a stored cross-site scripting (XSS) vulnerability that allows attackers to upload malicious PDF files containing XSS payloads. These files are accessible via st...
jshERP v3.5 and earlier contains a stored XSS vulnerability in the /msg/add endpoint that allows attackers to inject malicious scripts. When exploited, these scripts execute in victims' browsers, pote...
This vulnerability in jshERP v3.5 allows unauthorized attackers to access sensitive handler information through the getAllList method in PersonController.java due to improper access control. Any organ...
This vulnerability in jshERP v3.5 allows attackers to bypass access controls in the UserController component, enabling unauthorized password resets for any user account. This leads to horizontal privi...
This vulnerability allows unauthorized attackers to modify supplier status information in jshERP v3.5 without proper authentication. It affects all users of jshERP v3.5 who haven't applied the patch. ...
CVE-2025-7947 is an improper authorization vulnerability in jshERP's account deletion function that allows attackers to delete user accounts without proper permissions. This affects jshERP installatio...
This critical vulnerability in jshERP allows remote attackers to perform path traversal attacks via the Title parameter in the exportExcelByParam function. Attackers can potentially read or write file...
This CVE describes a path traversal vulnerability in jshERP up to version 3.6 that allows remote attackers to manipulate file paths during plugin installation. The vulnerability affects organizations ...