CVE-2025-51746
CRITICALjishenghua JSH_ERP < 2.3.1 - Remote Code Execution via Fastjson Deserialization
Title source: llmDescription
An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks.
References (4)
Core 4
Core References
Broken Link
https://blog.hackpax.top/jsh-erp5/
Third Party Advisory
https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9
Product
https://gitee.com/jishenghua
Scores
CVSS v3
9.8
EPSS
0.0039
EPSS Percentile
30.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (1)
jishenghua/jsherp
< 2.3.1
Published
Nov 25, 2025
Tracked Since
Feb 18, 2026