A vulnerability was found in Xuxueli xxl-job up to 3.3.2. It has been classified as critical. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. Manipulation of the argument addressList causes server-side request forgery.
This vulnerability is identified as CVE-2026-7305. The attack can be initiated remotely. Furthermore, there is an exploit available.
There is ongoing doubt regarding the real existence of this vulnerability.
The project maintainer explains (translated from Chinese): “Triggers are manually activated and involve login and access control, thus requiring management.” The researcher's pull request was rejected for that reason.
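
As an added illustration (not code from xxl-job or from the researcher's pull request), one way an admin-side check could constrain a caller-supplied addressList is to accept only addresses that are already registered as executors. The class and method names are hypothetical, the registry contents and hostnames are constructed, and treating addressList as a comma-separated list of http(s) URLs is an assumption.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class AddressListGuard {  // hypothetical helper, not part of xxl-job

    // Reduce an address to scheme://host:port so textual variants compare equal.
    static String normalise(String raw) {
        try {
            URI u = new URI(raw.trim());
            String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) {
                throw new IllegalArgumentException("scheme not allowed: " + raw.trim());
            }
            // Reject missing hosts and user-info tricks such as http://trusted@other/
            if (u.getHost() == null || u.getUserInfo() != null) {
                throw new IllegalArgumentException("malformed address: " + raw.trim());
            }
            int port = u.getPort() != -1 ? u.getPort() : (scheme.equals("https") ? 443 : 80);
            return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed address: " + raw.trim(), e);
        }
    }

    // Accept the list only if every entry is a registered executor; fail closed otherwise.
    static List<String> check(String addressList, Set<String> registered) {
        List<String> accepted = new ArrayList<>();
        for (String entry : addressList.split(",")) {
            if (entry.trim().isEmpty()) continue;
            String addr = normalise(entry);
            if (!registered.contains(addr)) {
                throw new IllegalArgumentException("not a registered executor: " + entry.trim());
            }
            accepted.add(addr);
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed sample registry; a real deployment would load it from the executor registry.
        Set<String> registered = Set.of("http://10.0.5.11:9999", "http://10.0.5.12:9999");
        System.out.println(check("http://10.0.5.11:9999/, http://10.0.5.12:9999", registered));
        try {
            check("http://10.0.5.11:9999,http://internal.example:8080/admin", registered);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check fails closed: a single unregistered or malformed entry rejects the whole list, so a request cannot mix one valid executor with an arbitrary destination.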