A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. Manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): "Triggers are manually activated and involve login and access control, thus requiring management." The pull request by the researcher was rejected for that reason.
CVE-2026-7305 is a Server-Side Request Forgery (SSRF) vulnerability in Xuxueli xxl-job versions up to 3.3.2 affecting the triggerJob function through the addressList parameter. The vulnerability requires authentication and manual trigger activation, limiting its practical exploitability in real-world scenarios.
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Xuxueli xxl-job up to version 3.3.2 in the triggerJob function of the file XxlJobServiceImpl.java. The vulnerability allows the addressList parameter to be manipulated in a way that lets authenticated attackers make unauthorized requests to internal systems. Exploitation requires authentication and administrative access, which reduces its practical severity.
This SSRF vulnerability in xxl-job's trigger endpoint could allow authenticated attackers to make unauthorized requests to internal systems. The vulnerability's impact is mitigated by authentication requirements and access controls implemented by the maintainers.
Update Xuxueli xxl-job to version 3.3.3 or later. Implement network segmentation to restrict outbound connections from job scheduler servers. Apply strict input validation on the addressList parameter. Monitor and log all trigger activities. Restrict access to the trigger endpoint to authorized administrators only.
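The following is an added example of the "strict input validation on the addressList parameter" mitigation above; it is not code from the xxl-job project. It assumes that addressList is a comma-separated list of executor addresses in host:port form and that the scheduler already holds a registry of legitimate executor addresses (the REGISTERED_EXECUTORS set below is constructed sample data). The check refuses any entry that is not an already-registered executor, so an override pointing at loopback, link-local or other internal services is rejected before any outbound request is made.

```python
import re
from typing import Iterable

# Constructed sample allowlist: the executor addresses the scheduler already
# knows about. In a real deployment this would come from the executor registry.
REGISTERED_EXECUTORS = {"10.0.1.10:9999", "10.0.1.11:9999"}

# Accepts "host:port" or "[ipv6]:port"; nothing else.
_ENTRY_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+|\[[0-9A-Fa-f:]+\]):(?P<port>\d{1,5})$")


def parse_entry(entry: str) -> tuple[str, int]:
    """Parse one address entry, rejecting schemes, paths, userinfo and bad ports."""
    entry = entry.strip()
    if "://" in entry or "/" in entry or "@" in entry:
        raise ValueError(f"unexpected scheme, path or userinfo in {entry!r}")
    m = _ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"malformed address {entry!r}")
    host = m.group("host").strip("[]").lower()
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    return host, port


def validate_address_list(address_list: str,
                          allowed: Iterable[str] = REGISTERED_EXECUTORS) -> list[str]:
    """Return the normalized entries of address_list or raise ValueError.

    Every entry must equal a registered executor address after normalization;
    an entry that is merely well-formed is not enough, so internal hosts or
    metadata endpoints cannot be reached by supplying a new address.
    """
    allowed_norm = {f"{h}:{p}" for h, p in (parse_entry(a) for a in allowed)}
    if not address_list or not address_list.strip():
        raise ValueError("addressList is empty")
    normalized = []
    for raw in address_list.split(","):
        host, port = parse_entry(raw)
        key = f"{host}:{port}"
        if key not in allowed_norm:
            raise ValueError(f"{key} is not a registered executor")
        normalized.append(key)
    return normalized


def is_allowed(address_list: str) -> bool:
    """Convenience wrapper: True if the whole list passes validation."""
    try:
        validate_address_list(address_list)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("10.0.1.10:9999, 10.0.1.11:9999",
                      "169.254.169.254:80",
                      "http://10.0.1.10:9999",
                      "127.0.0.1:8080"):
        print(f"{candidate!r}: {'accepted' if is_allowed(candidate) else 'rejected'}")
```

The allowlist comparison is the actual control; the syntactic checks only make the error messages clearer and stop scheme or path fragments from reaching the HTTP client. Logging each rejected value alongside the authenticated user gives the "monitor and log all trigger activities" item above something concrete to record.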