CVE Catalog

CVE-2026-36418

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.47%

37th percentile — higher than 37% of all known CVEs

Summary

JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing attackers to execute arbitrary code.

Risk Assessment

This vulnerability poses a serious risk to organizations, allowing attackers to execute remote code, potentially leading to system compromise.

Recommendation

It is recommended to upgrade to the latest version of JimuReport to mitigate this vulnerability and implement additional input validation mechanisms.

Original NVD description (English source)

JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing attackers to execute arbitrary code.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS