CVE-2026-58375

HIGH 7.5

JimuReport 2.5.0 - Unauthenticated Report Export via /jmreport/auto/export

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id without verifying the auto-export configuration flag. An unauthenticated remote attacker can enumerate Snowflake report identifiers and export the full contents of any report, including the data returned by the report configured SQL queries and any credentials embedded in its data sources.

CWE	CWE-306
Vendor	jeecgboot
Product	jimureport
Published	Jun 30, 2026

Stay Ahead of the Next One

Get instant alerts for jeecgboot jimureport

Be the first to know when new high vulnerabilities affecting jeecgboot jimureport are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

jeecgboot / jimureport

0 ≤ 2.5.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/jeecgboot/jimureport/issues/4694 vulncheck.com: https://www.vulncheck.com/advisories/jimureport-unauthenticated-report-export-via-jmreport-auto-export

Credits

George Chen