CVE-2025-12305
MEDIUM
shiyi-blog < 1.2.1 - Remote Code Execution via Deserialization in Job Handler
Title source: llm
Description
A vulnerability was found in quequnlong shiyi-blog up to 1.2.1. This impacts an unknown function of the file src/main/java/com/mojian/controller/SysJobController.java of the component Job Handler. The manipulation results in deserialization. The attack can be executed remotely. The exploit has been made public and could be used.
References (5)
Core References
Third Party Advisory, VDB Entry vdb-entry
https://vuldb.com/?id.329977
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.329977
Third Party Advisory, VDB Entry third-party-advisory
https://vuldb.com/?submit.676725
Third Party Advisory, VDB Entry third-party-advisory
https://vuldb.com/?submit.676730
Exploit, Third Party Advisory exploit
https://github.com/dongodid/cve-sub/blob/main/shiyi-blog/RCE.md
Scores
CVSS v3
6.3
EPSS
0.0041
EPSS Percentile
32.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
CWE-502
Status
published
Products (1)
quequnlong/shiyi-blog
< 1.2.1
Published
Oct 27, 2025
Tracked Since
Feb 18, 2026