A vulnerability was found in jishenghua jshERP up to 3.6 and classified as critical. This vulnerability affects the function addAccountHeadAndDetail of the file jshERP-boot/src/main/java/com/jsh/erp/service/AccountHeadService.java of the component addAccountHeadAndDetail Endpoint. Manipulation of the argument fileName leads to path traversal.
This vulnerability is documented as CVE-2026-11467. The attack can be executed remotely. Additionally, an exploit exists.
The project was informed of the problem early through an issue report but has not responded yet.
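
A containment check of the kind that mitigates this class of bug, shown as an added example; it is not jshERP code and not a patch from the project. The class name, method name and upload root are assumptions, since the advisory does not describe how the service uses fileName.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical helper, not part of jshERP: confines a client-supplied
// fileName to a fixed upload root before any file operation uses it.
public class SafeFileName {

    // Resolves fileName under root and rejects anything that escapes it.
    static Path resolveInside(Path root, String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty() || fileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed fileName");
        }
        Path realRoot = root.toRealPath();                        // canonical root, symlinks resolved
        Path candidate = realRoot.resolve(fileName).normalize();  // collapses "." and ".."
        // An absolute fileName replaces the root in resolve(); startsWith catches that too.
        // startsWith compares whole path elements, so "/data/up" does not match "/data/upload".
        if (!candidate.startsWith(realRoot) || candidate.equals(realRoot)) {
            throw new SecurityException("fileName escapes upload root");
        }
        // If the target already exists, re-check after resolving symlinks.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(realRoot)) {
            throw new SecurityException("fileName resolves outside upload root");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("upload-root");     // constructed sample root
        Files.createDirectories(root.resolve("bills"));
        String[] samples = {                                      // constructed inputs
            "bills/receipt-001.png",
            "bills/../receipt-002.png",
            "../outside.txt",
            "bills/../../outside.txt",
            root.getParent().resolve("outside.txt").toString()    // absolute path
        };
        for (String s : samples) {
            try {
                Path safe = resolveInside(root, s);
                System.out.println("accepted: " + root.toRealPath().relativize(safe));
            } catch (SecurityException | IllegalArgumentException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```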