CVE-2026-3026 | erzhongxmu JEEWMS 3.7 UEditor getRemoteImage.jsp upfile server-side request forgery

A vulnerability classified as critical has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side request forgery.

This vulnerability is documented as CVE-2026-3026. The attack can be initiated remotely. Additionally, an exploit exists.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-3026 | erzhongxmu JEEWMS 3.7 UEditor getRemoteImage.jsp upfile server-side request forgery

Post correlati

CVE-2024-24791 | net-http up to 1.21.11/1.22.4 on Go net/http denial of service

CVE-2024-25355 | s3-url-parser 1.0.3 Regex denial of service

CVE-2025-9225 | Mobile Industrial Robots MiR Robots/MiR Fleet up to 2.x Web Interface cross site scripting

CVE-2026-27199 | Pallets Werkzeug up to 3.1.5 send_from_directory windows device name (GHSA-29vq-49wr-vm6x)