CVE-2026-3404
MEDIUMjeesite < 5.15.1 - XML External Entity Injection in CasOutHandler Endpoint
Title source: llmDescription
A flaw has been found in thinkgem JeeSite up to 5.15.1. Impacted is an unknown function of the file /com/jeesite/common/shiro/cas/CasOutHandler.java of the component Endpoint. Executing a manipulation can lead to xml external entity reference. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
References (4)
Core 4
Core References
Permissions Required, VDB Entry vdb-entry
https://vuldb.com/?id.348299
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.348299
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.763732
Various Sources exploit
https://www.yuque.com/la12138/pa2fpb/ew8x2qss8dv0bsu0?singleDoc
Scores
CVSS v3
5.0
EPSS
0.0035
EPSS Percentile
26.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-610
CWE-611
Status
published
Products (1)
jeesite/jeesite
< 5.15.1
Published
Mar 02, 2026
Tracked Since
Mar 02, 2026