A critical command injection flaw tracked as CVE-2024-43028 was disclosed for Jeecg Boot versions 3.0.0 through 3.5.3, affecting the /jmreport/show component. The vulnerability is classified as CWE-77 and can let unauthenticated remote attackers execute arbitrary code through a crafted HTTP request. Its CVSS v3.1 vector, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicates full compromise potential across confidentiality, integrity, and availability.
A separate high-severity issue, CVE-2026-42524, was reported in the Jenkins HTML Publisher Plugin version 427 and earlier. The bug is a stored XSS vulnerability (CWE-79) caused by improper escaping of job names and URLs in the plugin’s legacy wrapper file, and it can be exploited by attackers with Item/Configure permission. The flaw carries a CVSS v3.1 vector of AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, and Jenkins has published a related security advisory for affected users.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
The CVE-2026-42524 record was assigned CWE-79 and a CVSS v3.1 vector of AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. A related Jenkins security advisory was also published.
A stored cross-site scripting flaw affecting Jenkins HTML Publisher Plugin version 427 and earlier was received as CVE-2026-42524. The issue stems from improper escaping of the job name and URL in the plugin's legacy wrapper file and is exploitable by users with Item/Configure permission.
The CVE-2024-43028 entry was updated to add a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and classify the issue as CWE-77 command injection. The update also listed external references hosted on GitHub Gist and Baidu Pan.
A command injection vulnerability affecting Jeecg Boot versions 3.0.0 through 3.5.3 was received by MITRE. The flaw in the /jmreport/show component can allow arbitrary code execution via a crafted HTTP request.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.