📄 Description (English)
A vulnerability was determined in JeecgBoot up to 3.9.2. The affected element is the function WordUtil.addImage of the file /airag/word/edit. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. A fix is planned for the upcoming release.
🤖 AI Executive Summary
JeecgBoot versions up to 3.9.2 contain a Server-Side Request Forgery (SSRF) vulnerability in the WordUtil.addImage function that allows remote attackers to manipulate server requests. The vulnerability has been publicly disclosed with no patch currently available, requiring immediate compensating controls. Organizations using JeecgBoot for document processing should prioritize mitigation while awaiting the planned fix.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Jun 1, 2026 12:37
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi government agencies, financial institutions, and healthcare organizations that utilize JeecgBoot for document management and word processing workflows. Government entities under NCA oversight and SAMA-regulated financial institutions are at elevated risk if JeecgBoot is integrated into their document processing pipelines. The SSRF vulnerability could enable attackers to access internal resources, bypass network segmentation, or pivot to critical infrastructure systems. Healthcare providers using JeecgBoot for medical record management face potential data exfiltration risks.
🏢 Affected Saudi Sectors
Government
Banking and Financial Services
Healthcare
Energy and Utilities
Telecommunications
Education
Legal Services
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory all JeecgBoot deployments across your organization and identify instances running versions up to 3.9.2
2. Disable or restrict access to the /airag/word/edit endpoint until patching is available
3. Implement network segmentation to limit outbound connections from JeecgBoot servers
4. Monitor for suspicious outbound requests from JeecgBoot application servers
Compensating Controls:
1. Deploy Web Application Firewall (WAF) rules to block requests to /airag/word/edit containing image manipulation parameters
2. Implement strict egress filtering on the JeecgBoot server to allow only necessary outbound connections
3. Use proxy/firewall rules to prevent access to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) from JeecgBoot processes
4. Restrict file upload functionality to local filesystem only, disabling remote URL processing
Detection Rules:
1. Monitor for HTTP requests to /airag/word/edit with image URL parameters pointing to internal IPs or localhost
2. Alert on outbound connections from JeecgBoot servers to non-whitelisted external hosts
3. Log and review all WordUtil.addImage function calls with external URL sources
4. Implement IDS/IPS signatures detecting SSRF patterns in application logs
Patching Strategy:
1. Subscribe to JeecgBoot security advisories for the planned fix release
2. Prepare test environment for immediate patching upon release
3. Plan upgrade to version 3.9.3 or later as soon as available
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بحصر جميع نشرات JeecgBoot عبر مؤسستك وحدد الحالات التي تعمل بالإصدارات حتى 3.9.2
2. قم بتعطيل أو تقييد الوصول إلى نقطة النهاية /airag/word/edit حتى يتم توفر التصحيح
3. قم بتطبيق تقسيم الشبكة لتحديد الاتصالات الصادرة من خوادم JeecgBoot
4. راقب الطلبات الصادرة المريبة من خوادم تطبيق JeecgBoot
الضوابط التعويضية:
1. نشر قواعد جدار حماية تطبيقات الويب (WAF) لحجب الطلبات إلى /airag/word/edit التي تحتوي على معاملات معالجة الصور
2. تطبيق تصفية صارمة للخروج على خادم JeecgBoot للسماح فقط بالاتصالات الصادرة الضرورية
3. استخدام قواعد الوكيل/جدار الحماية لمنع الوصول إلى نطاقات IP الداخلية من عمليات JeecgBoot
4. تقييد وظيفة تحميل الملفات إلى نظام الملفات المحلي فقط، مع تعطيل معالجة عناوين URL البعيدة
قواعد الكشف:
1. مراقبة طلبات HTTP إلى /airag/word/edit مع معاملات عنوان URL للصور التي تشير إلى عناوين IP داخلية أو localhost
2. تنبيهات الاتصالات الصادرة من خوادم JeecgBoot إلى المضيفين الخارجيين غير المدرجين في القائمة البيضاء
3. تسجيل ومراجعة جميع استدعاءات دالة WordUtil.addImage مع مصادر عناوين URL الخارجية
4. تطبيق توقيعات IDS/IPS للكشف عن أنماط SSRF في سجلات التطبيق
استراتيجية التصحيح:
1. الاشتراك في تنبيهات أمان JeecgBoot للإصدار المخطط
2. تحضير بيئة الاختبار للتصحيح الفوري عند الإصدار
3. التخطيط للترقية إلى الإصدار 3.9.3 أو أحدث في أقرب وقت ممكن
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies (vulnerability management)
A.8.1.1 - User Endpoint Devices (application security controls)
A.8.2.1 - Privileged Access Rights (restrict SSRF exploitation)
A.8.3.1 - Restriction of Access to Information (network segmentation)
A.12.2.1 - Restrictions on Software Installation (application inventory)
A.12.6.1 - Management of Technical Vulnerabilities (patch management)
🔵 SAMA CSF
ID.RA-1 - Asset Management (identify JeecgBoot deployments)
ID.RA-2 - Business Environment (assess SSRF impact on operations)
PR.AC-3 - Access Control (network segmentation, egress filtering)
PR.DS-6 - Data Protection (prevent data exfiltration via SSRF)
DE.CM-1 - Detection Processes (monitor for SSRF exploitation)
RS.RP-1 - Response Planning (incident response for SSRF attacks)
🟡 ISO 27001:2022
A.5.1 - Policies for Information Security (vulnerability management policy)
A.8.1 - User Endpoint Device Protection (application security)
A.8.2 - Privileged Access Rights (principle of least privilege)
A.8.3 - Restriction of Access to Information (network controls)
A.12.2 - Software Installation (application inventory and control)
A.12.6 - Management of Technical Vulnerabilities (patch management)
A.13.1 - Network Security (egress filtering, segmentation)
🟣 PCI DSS v4.0.1
Requirement 2.2.4 - Configure system security parameters (disable unnecessary services)
Requirement 6.2 - Ensure security patches are installed (patch management)
Requirement 6.5.10 - Broken Authentication (SSRF can bypass authentication)
Requirement 11.2 - Run automated vulnerability scans (detect SSRF exploitation)
🔗 References & Sources 6
🔗
🔗
🔗
🔗
🔗
🔗
https://github.com/jeecgboot/JeecgBoot/
cna@vuldb.com
https://github.com/jeecgboot/JeecgBoot/issues/9610
cna@vuldb.com
https://vuldb.com/cve/CVE-2026-10239
cna@vuldb.com
https://vuldb.com/submit/823266
cna@vuldb.com
https://vuldb.com/vuln/367517
cna@vuldb.com
https://vuldb.com/vuln/367517/cti
cna@vuldb.com