CVE-2026-3733
xuxueli xxl-job JobInfoController.java server-side request forgery
| CVSS Score | 6.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
A vulnerability was detected in xuxueli xxl-job up to 3.3.2. This impacts an unknown function of the file source-code/src/main/java/com/xxl/job/admin/controller/JobInfoController.java. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. The exploit is now public and may be used. The project maintainer closed the issue report with the following statement: "Access token security verification is required." (translated from Chinese)
| CWE | CWE-918 |
| Vendor | xuxueli |
| Product | xxl-job |
| Published | Mar 8, 2026 |
| Last Updated | Mar 11, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | Low |
Affected Versions
xuxueli / xxl-job
3.3.0 3.3.1 3.3.2
References
vuldb.com: https://vuldb.com/?id.349711
vuldb.com: https://vuldb.com/?ctiid.349711
vuldb.com: https://vuldb.com/?submit.767226
github.com: https://github.com/xuxueli/xxl-job/issues/3924
github.com: https://github.com/xuxueli/xxl-job/issues/3924#issue-3987941359
github.com: https://github.com/xuxueli/xxl-job/
Credits
ZAST.AI (VulDB User)