CVE-2025-66913

Published: Jan 8, 2026Modified: Jan 30, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

JimuReport thru version 2.1.3 is vulnerable to remote code execution when processing user-controlled H2 JDBC URLs. The application passes the attacker-supplied JDBC URL directly to the H2 driver, allowing the use of certain directives to execute arbitrary Java code. A different vulnerability than CVE-2025-10770.

Affected (1)

Products: Jeecg: Jimureport

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jeecg Jimureport	Up to 2.1.3

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://gist.github.com/Catherines77/f15d53e9705b24cf018e5bffed3e8234

Source: cve@mitre.org

Third Party Advisory

https://github.com/jeecgboot/jimureport/issues/4306

Source: cve@mitre.org

ExploitIssue TrackingVendor Advisory

Timeline

No history available yet.