Submit #746789: jeecgboot 3.9.0 Absolute Path Traversal

Title: jeecgboot 3.9.0 Absolute Path Traversal
Description: A Restricted Arbitrary File Read vulnerability exists in the Jeecg-boot AI RAG (Retrieval-Augmented Generation) module due to insufficient input validation within the Knowledge Base editing mechanism. Specifically, the endpoint processes user-supplied JSON metadata without properly sanitizing directory traversal sequences (e.g., ../) in the filePath parameter, and it fails to canonically validate that the resolved file path resides within the intended upload directory. This oversight allows authenticated attackers to manipulate the file path references, forcing the application to read, parse, and return the content of arbitrary local files residing outside the web root, provided those files match the permitted extensions, thereby leading to unauthorized information disclosure.
Source: https://www.yuque.com/la12138/vxbwk9/ezodz20a26g36y8m
User: Saul1213 (UID 94577)
Submission: 01/26/2026 08:29 (5 months ago)
Moderation: 02/06/2026 15:30 (11 days later)
Status: Accepted
VulDB entry: 344687 [JeecgBoot up to 3.9.0 Retrieval-Augmented Generation edit filePath path traversal]
Points: 20
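The check the description says is missing, shown as an added illustration that is not code from JeecgBoot or from the submission: the naive resolution beside a hardened one that rejects absolute paths, normalizes, requires containment in the upload root and enforces an extension allowlist. The upload root, the allowed extensions and the sample inputs are assumed values.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.Set;

public final class SafeFilePath {
    // Assumed upload root and allowlist; the real configuration is not given on this page.
    static final Path UPLOAD_ROOT = Paths.get("/var/app/upload").toAbsolutePath().normalize();
    static final Set<String> ALLOWED_EXT = Set.of("txt", "md", "pdf");

    /** Naive resolution of the kind the advisory describes: "../" sequences and absolute
     *  paths both leave UPLOAD_ROOT (Path.resolve returns an absolute argument unchanged). */
    static Path unsafeResolve(String filePath) {
        return UPLOAD_ROOT.resolve(filePath);
    }

    /** Hardened resolution: reject absolute input, normalize away "..", then require
     *  containment below the root and an allowed extension. Throws on any violation. */
    static Path safeResolve(String filePath) {
        Path candidate = Paths.get(filePath);
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute path rejected: " + filePath);
        }
        Path resolved = UPLOAD_ROOT.resolve(candidate).normalize();
        // Path.startsWith compares whole components, so "/var/app/uploads" does not pass.
        if (!resolved.startsWith(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("path escapes upload directory: " + filePath);
        }
        String name = resolved.getFileName().toString();
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase();
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + name);
        }
        // If the file exists, resolved.toRealPath() followed by the same startsWith check
        // additionally defeats symlinks planted inside the upload directory.
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample filePath values: one legitimate, three that must be rejected.
        List<String> samples = List.of("docs/notes.txt", "../../etc/passwd",
                                       "/etc/hosts", "docs/config.properties");
        for (String s : samples) {
            String verdict;
            try { verdict = "accepted -> " + safeResolve(s); }
            catch (IllegalArgumentException e) { verdict = "rejected (" + e.getMessage() + ")"; }
            System.out.printf("%-24s unsafe=%s%n   safe: %s%n", s, unsafeResolve(s), verdict);
        }
    }
}
```

Only the first sample is accepted; the naive column shows how the other three resolve outside the root or to a disallowed file.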
