jishenghua jshERP PluginController uploadPluginConfigFile path traversal_CVE-2026-1549

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Description

A vulnerability was identified in jishenghua jshERP up to 3.6. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/plugin/uploadPluginConfigFile of the component PluginController. Such manipulation of the argument configFile leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

Basic Information

ID CVE-2026-1549

Source VulDB

Published Jan 28, 2026 at 23:02

Affected Product

Vendor jishenghua

Product jshERP

Version 3.0

Affected Versions jishenghua jshERP 3.0
jishenghua jshERP 3.1
jishenghua jshERP 3.2
jishenghua jshERP 3.3
jishenghua jshERP 3.4
jishenghua jshERP 3.5
jishenghua jshERP 3.6

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "A vulnerability was identified in jishenghua jshERP up to 3.6. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/plugin/uploadPluginConfigFile of the component PluginController. Such manipulation of the argument configFile leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.",
    "published": "2026-01-28T23:02:07.452Z",
    "modified": "2026-01-28T23:02:07.452Z",
    "type": "cve",
    "title": "jishenghua jshERP PluginController uploadPluginConfigFile path traversal",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.343245\nhttps://vuldb.com/?ctiid.343245\nhttps://vuldb.com/?submit.739805\nhttps://github.com/jishenghua/jshERP/issues/146\nhttps://github.com/jishenghua/jshERP/issues/146#issue-3817997461\nhttps://github.com/jishenghua/jshERP/",
    "id": "CVE-2026-1549",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "jishenghua jshERP 3.0\njishenghua jshERP 3.1\njishenghua jshERP 3.2\njishenghua jshERP 3.3\njishenghua jshERP 3.4\njishenghua jshERP 3.5\njishenghua jshERP 3.6",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "jshERP",
    "version": "3.0",
    "vendor": "jishenghua",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}