CVE-2026-36418
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk37th percentile — higher than 37% of all known CVEs
Summary
JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing attackers to execute arbitrary code.
Risk Assessment
This vulnerability poses a serious risk to organizations, allowing attackers to execute remote code, potentially leading to system compromise.
Recommendation
It is recommended to upgrade to the latest version of JimuReport to mitigate this vulnerability and implement additional input validation mechanisms.
Original NVD description (English source)
JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing attackers to execute arbitrary code.

