{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2555", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-15T17:40:47.462Z", "datePublished": "2026-02-16T12:02:07.302Z", "dateUpdated": "2026-02-17T15:54:22.780Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-16T12:02:07.302Z"}, "title": "JeecgBoot Retrieval-Augmented Generation AiragKnowledgeController.java importDocumentFromZip deserialization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "Deserialization"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-20", "lang": "en", "description": "Improper Input Validation"}]}], "affected": [{"vendor": "n/a", "product": "JeecgBoot", "versions": [{"version": "3.9.1", "status": "affected"}], "modules": ["Retrieval-Augmented Generation"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in JeecgBoot 3.9.1. This vulnerability affects the function importDocumentFromZip of the file org/jeecg/modules/airag/llm/controller/AiragKnowledgeController.java of the component Retrieval-Augmented Generation. Executing a manipulation can lead to deserialization. The attack can be launched remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "LOW"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.6, "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-15T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-15T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-15T18:45:52.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "chuan001 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.346163", "name": "VDB-346163 | JeecgBoot Retrieval-Augmented Generation AiragKnowledgeController.java importDocumentFromZip deserialization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346163", "name": "VDB-346163 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.750232", "name": "Submit #750232 | jeecgboot JeecgBoot 3.9.1 Remote Command Execution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/issues/9335", "tags": ["issue-tracking"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/", "tags": ["product"]}]}, "adp": [{"references": [{"url": "https://github.com/jeecgboot/JeecgBoot/issues/9335", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:54:18.319392Z", "id": "CVE-2026-2555", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:54:22.780Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2555", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T15:54:18.319392Z"}}}], "references": [{"url": "https://github.com/jeecgboot/JeecgBoot/issues/9335", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:53:55.930Z"}}], "cna": {"title": "JeecgBoot Retrieval-Augmented Generation AiragKnowledgeController.java importDocumentFromZip deserialization", "credits": [{"lang": "en", "type": "reporter", "value": "chuan001 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.6, "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR"}}], "affected": [{"vendor": "n/a", "modules": ["Retrieval-Augmented Generation"], "product": "JeecgBoot", "versions": [{"status": "affected", "version": "3.9.1"}]}], "timeline": [{"lang": "en", "time": "2026-02-15T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-15T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-15T18:45:52.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.346163", "name": "VDB-346163 | JeecgBoot Retrieval-Augmented Generation AiragKnowledgeController.java importDocumentFromZip deserialization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346163", "name": "VDB-346163 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.750232", "name": "Submit #750232 | jeecgboot JeecgBoot 3.9.1 Remote Command Execution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/issues/9335", "tags": ["issue-tracking"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in JeecgBoot 3.9.1. This vulnerability affects the function importDocumentFromZip of the file org/jeecg/modules/airag/llm/controller/AiragKnowledgeController.java of the component Retrieval-Augmented Generation. Executing a manipulation can lead to deserialization. The attack can be launched remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "Improper Input Validation"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-16T12:02:07.302Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2555", "state": "PUBLISHED", "dateUpdated": "2026-02-17T15:54:22.780Z", "dateReserved": "2026-02-15T17:40:47.462Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-16T12:02:07.302Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jeecg:jeecg_boot:3.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "9801069C-5C0E-4DE8-8CD4-A9589D1227A8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in JeecgBoot 3.9.1. This vulnerability affects the function importDocumentFromZip of the file org/jeecg/modules/airag/llm/controller/AiragKnowledgeController.java of the component Retrieval-Augmented Generation. Executing a manipulation can lead to deserialization. The attack can be launched remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The project was informed of the problem early through an issue report but has not responded yet."}, {"lang": "es", "value": "Una debilidad ha sido identificada en JeecgBoot 3.9.1. Esta vulnerabilidad afecta la funci\u00f3n importDocumentFromZip del archivo org/jeecg/modules/airag/llm/controller/AiragKnowledgeController.java del componente Generaci\u00f3n Aumentada por Recuperaci\u00f3n. Ejecutar una manipulaci\u00f3n puede conducir a la deserializaci\u00f3n. El ataque puede ser lanzado remotamente. Ataques de esta naturaleza son altamente complejos. Se afirma que la explotabilidad es dif\u00edcil. El proyecto fue informado del problema tempranamente a trav\u00e9s de un informe de incidencias pero a\u00fan no ha respondido."}], "id": "CVE-2026-2555", "lastModified": "2026-02-18T21:43:53.793", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-16T12:16:22.667", "references": [{"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/jeecgboot/JeecgBoot/"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/jeecgboot/JeecgBoot/issues/9335"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.346163"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.346163"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.750232"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/jeecgboot/JeecgBoot/issues/9335"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-502"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}