CVE-2026-11502 | JeecgBoot up to 3.9.2 Third-Party Login ThirdLoginController.java HttpServletResponse.sendRedirect state redirect (Issue 9639)

A vulnerability marked as problematic has been reported in JeecgBoot up to 3.9.2. Impacted is the function HttpServletResponse.sendRedirect of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java of the component Third-Party Login. This manipulation of the argument state causes open redirect.

This vulnerability is handled as CVE-2026-11502. The attack can be initiated remotely. Additionally, an exploit exists.

The project replied: “After evaluation, this vulnerability has low exploitability in real-world scenarios: 1) Exploiting this vulnerability requires attackers to use social engineering techniques to induce victims to actively click on an OAuth login link constructed by the attacker; it cannot be triggered passively. 2) Third-party login (DingTalk/WeChat, etc.) is an optional feature and may not be enabled in most projects.”

CVE-2026-11502 | JeecgBoot up to 3.9.2 Third-Party Login ThirdLoginController.java HttpServletResponse.sendRedirect state redirect (Issue 9639)

Post correlati

CVE-2025-14247 | code-projects Simple Shopping Cart 1.0 /Admin/additems.php item_name sql injection

CVE-2026-1620 | Livemesh Livemesh Addons by Elementor Plugin up to 9.0 on WordPress Template Name lae_get_template_part filename control

CVE-2026-5854 | Totolink A7100RU 7.4cu.2313_b20191024 CGI /cgi-bin/cstecgi.cgi setWiFiEasyCfg merge os command injection

CVE-2024-5343 | robosoft Photo Gallery, Images, Slider in Rbs Image Gallery Plugin rbs_ajax_create_article/rbs_ajax_reset_views cross-site request forgery