CVE-2026-6009

HIGH

Jaspersoft Library Deserialisation Vulnerability

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-6009. PoCs published by Pumila03.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-6009, a Java deserialization vulnerability in JasperReport <= 7.0.3. The exploit uses ysoserial to generate malicious .jasper payloads and includes both a detection mechanism and a reverse shell capability.

Description

A Java deserialisation vulnerability in the Jaspersoft Reports Library leads to remote code execution (RCE), potentially allowing code execution on the affected system.

Exploits (1)

GitHub · Working PoC
by Pumila03 · python · PoC
https://github.com/Pumila03/CVE-2026-6009

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: JasperReport <= 7.0.3
Authentication: not needed
Prerequisites: Java runtime · ysoserial.jar · network connectivity to target
Analyzed by devstral-2 on May 23, 2026

Scores

CVSS v4 8.7
EPSS 0.0044
EPSS Percentile 63.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-502
Status published
Products (8)
Jaspersoft/JasperReports IO At-Scale < 10.0.0
Jaspersoft/JasperReports IO Professional < 10.0.0
Jaspersoft/JasperReports Library Community Edition < 7.0.6
Jaspersoft/JasperReports Library Professional < 10.0.0
Jaspersoft/JasperReports Server < 10.0.0
Jaspersoft/JasperReports Web Studio < 10.0.1
Jaspersoft/Jaspersoft Studio Community Edition < 7.0.6
Jaspersoft/Jaspersoft Studio Professional < 10.0.0
Published May 19, 2026
Tracked Since May 19, 2026