jeecgboot jimureport
cpe:2.3:a:jeecg:jimureport:*:*:*:*:*:*:*
- <= 2.1.3
A remote code execution vulnerability exists in JimuReport versions through 2.1.3. The issue arises because the application does not validate user-controlled H2 JDBC URLs before passing them to the H2 driver. This oversight allows attackers to inject JDBC URLs with specific directives that can execute arbitrary Java code. Exploitation can be achieved by using the 'INIT' or 'CREATE ALIAS' directives to run malicious Java code on the server.
Exploitation of this vulnerability allows for arbitrary code execution on the server where JimuReport is running.
To reproduce this vulnerability, send a POST request to the '/jmreport/testConnection' endpoint with a crafted H2 JDBC URL that includes 'INIT' or 'CREATE ALIAS' directives. The H2 database driver will execute the injected Java code, leading to remote code execution.
Users are advised to update to the latest version of JimuReport, as this vulnerability has been fixed in a version that is pending release.
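Until a fixed release is installed, the validation the description says is missing can be approximated in a proxy rule or a log review. The following Python check is an added example, not JimuReport code or the vendor's fix; the function names, the allowlist contents and the assumption that the JDBC URL has already been extracted from each request to '/jmreport/testConnection' are all illustrative.

```python
import re

# Assumed policy: the only H2 URL settings this deployment accepts.
ALLOWED_H2_SETTINGS = {"MODE", "DB_CLOSE_DELAY", "DATABASE_TO_UPPER", "IFEXISTS"}
TEST_CONNECTION_PATH = "/jmreport/testConnection"  # endpoint named in the advisory


def h2_url_findings(jdbc_url):
    """Return the reasons a user-supplied JDBC URL should be rejected."""
    url = jdbc_url.strip()
    if not url.lower().startswith("jdbc:h2:"):
        return []  # other drivers are out of scope for this check
    findings = []
    # H2 settings follow the database name as ;KEY=VALUE pairs, keys are
    # case-insensitive, and "\;" escapes a semicolon inside a value.
    for setting in re.split(r"(?<!\\);", url)[1:]:
        key = setting.partition("=")[0].strip().upper()
        if key == "INIT":
            findings.append("INIT directive")
        elif key and key not in ALLOWED_H2_SETTINGS:
            findings.append("setting not on allowlist: " + key)
    if re.search(r"create\s+alias", url, re.IGNORECASE):
        findings.append("CREATE ALIAS statement")
    return findings


def flag_requests(records):
    """records: (path, jdbc_url) pairs already extracted from request logs."""
    return [(i, h2_url_findings(url)) for i, (path, url) in enumerate(records)
            if path.endswith(TEST_CONNECTION_PATH) and h2_url_findings(url)]


# Constructed sample records; the alias body is a placeholder, not working code.
SAMPLE = [
    ("/jmreport/testConnection", "jdbc:mysql://db.example.internal:3306/reports"),
    ("/jmreport/testConnection", "jdbc:h2:mem:demo;MODE=MySQL;DB_CLOSE_DELAY=-1"),
    ("/jmreport/testConnection",
     r"jdbc:h2:mem:demo;init=SET MODE MySQL\;CREATE  ALIAS F AS '<placeholder>'"),
    ("/jmreport/testConnection", "jdbc:h2:mem:demo;TRACE_LEVEL_SYSTEM_OUT=3"),
]

if __name__ == "__main__":
    for index, reasons in flag_requests(SAMPLE):
        print(index, reasons)
```

The allowlist is the control that matters here: any setting not explicitly permitted is rejected, so the check does not depend on enumerating every dangerous directive. The 'INIT' and 'CREATE ALIAS' matches only make the findings easier to triage.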