{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-5999","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2026-04-09T13:03:06.047Z","datePublished":"2026-04-10T01:45:14.036Z","dateUpdated":"2026-04-10T17:05:03.875Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2026-04-10T01:45:14.036Z"},"title":"JeecgBoot SysAnnouncementController improper authorization","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-285","lang":"en","description":"Improper Authorization"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-266","lang":"en","description":"Incorrect Privilege Assignment"}]}],"affected":[{"vendor":"n/a","product":"JeecgBoot","versions":[{"version":"3.9.0","status":"affected"},{"version":"3.9.1","status":"affected"}],"modules":["SysAnnouncementController"]}],"descriptions":[{"lang":"en","value":"A vulnerability has been found in JeecgBoot up to 3.9.1. This impacts an unknown function of the component SysAnnouncementController. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirmed the issue and will provide a fix in the upcoming release."}],"metrics":[{"cvssV4_0":{"version":"4.0","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","baseSeverity":"MEDIUM"}},{"cvssV3_1":{"version":"3.1","baseScore":6.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C","baseSeverity":"MEDIUM"}},{"cvssV3_0":{"version":"3.0","baseScore":6.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C","baseSeverity":"MEDIUM"}},{"cvssV2_0":{"version":"2.0","baseScore":6.5,"vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C"}}],"timeline":[{"time":"2026-04-09T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2026-04-09T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2026-04-09T15:08:11.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"XinX (VulDB User)","type":"reporter"},{"lang":"en","value":"VulDB CNA Team","type":"coordinator"}],"references":[{"url":"https://vuldb.com/vuln/356553","name":"VDB-356553 | JeecgBoot SysAnnouncementController improper authorization","tags":["vdb-entry"]},{"url":"https://vuldb.com/vuln/356553/cti","name":"VDB-356553 | CTI Indicators (IOB, IOC, TTP)","tags":["signature","permissions-required"]},{"url":"https://vuldb.com/submit/793656","name":"Submit #793656 | jeecgboot web 3.9.1 Improper Access Controls","tags":["third-party-advisory"]},{"url":"https://github.com/jeecgboot/JeecgBoot/issues/9508","tags":["exploit","issue-tracking"]},{"url":"https://github.com/jeecgboot/JeecgBoot/issues/9508#issuecomment-4199090102","tags":["issue-tracking"]},{"url":"https://github.com/jeecgboot/JeecgBoot/","tags":["product"]}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-10T17:04:52.678246Z","id":"CVE-2026-5999","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-10T17:05:03.875Z"}}]}}