Submit #808185: https://github.com/jeecgboot/JeecgBoot <=3.91 SQL Injectioninfo

Titlehttps://github.com/jeecgboot/JeecgBoot <=3.91 SQL Injection
DescriptionJeecgBoot versions up to and including 3.9.1 contain a SQL injection vulnerability in the /sys/dict/loadDict/{dictCode} API endpoint. The keyword parameter supports an [orderby:field,direction] annotation to specify result ordering. The ORDER BY field value is extracted and concatenated directly into a SQL ORDER BY clause with no parameterization. Although a partial blacklist (specialDictSqlXssStr) is applied to the ORDER BY value, it fails to block MySQL CASE WHEN expressions, LIKE comparisons, and subquery-based boolean conditions. An authenticated attacker can inject a CASE WHEN <condition> THEN id ELSE dict_name END expression into the ORDER BY clause and infer the truth value of arbitrary SQL conditions by observing the change in result ordering — a classic boolean-based blind injection. The vulnerability was verified to successfully extract the database name (jeecg-boot) and MySQL version (8.0.19) character-by-character using LIKE prefix enumeration.
Source⚠️ https://github.com/jeecgboot/JeecgBoot/issues/9570
User
 JD Security SHENYI Team (UID 97436)
Submission04/20/2026 14:15 (3 months ago)
Moderation05/07/2026 18:34 (17 days later)
StatusDuplicate
VulDB entry359948 [JeecgBoot up to 3.9.1 loadDict Endpoint SqlInjectionUtil.java SqlInjectionUtil keyword sql injection]
Points0

Want to know what is going to be exploited?

We predict KEV entries!