CVE-2026-10241 MEDIUM

CVE-2026-10241: jeecgboot The server processes these URLs Cloud Instance Metadata Endpoint debug FileDownloadUtils.download2DiskFromNet server-side request forgery

Vendor Jeecgboot
Product The server processes these URLs
Weakness CWE-918 · SSRF
Published June 1, 2026
Last update June 1, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A security flaw has been discovered in jeecgboot The server processes these URLs up to 3.9.1. This affects the function FileDownloadUtils.download2DiskFromNet of the file /airag/app/debug of the component Cloud Instance Metadata Endpoint. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.9.2 mitigates this issue. It is suggested to upgrade the affected component.

Key dates

02Disclosure timeline

June 1, 2026 CVE published
June 1, 2026 Record updated