Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-7303

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-28 Apr, 2026 | 19:00
Updated At-29 Apr, 2026 | 13:11
Rejected At-
Credits

Xuxueli xxl-job Execution Log JobLogController.java logDetailCat resource injection

A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.4.0 is recommended to address this issue. The patch is identified as d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a. It is suggested to upgrade the affected component.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:28 Apr, 2026 | 19:00
Updated At:29 Apr, 2026 | 13:11
Rejected At:
â–¼CVE Numbering Authority (CNA)
Xuxueli xxl-job Execution Log JobLogController.java logDetailCat resource injection

A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.4.0 is recommended to address this issue. The patch is identified as d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a. It is suggested to upgrade the affected component.

Affected Products
Vendor
Xuxueli
Product
xxl-job
CPEs
  • cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*:*
Modules
  • Execution Log Handler
Versions
Affected
  • 3.3.0
  • 3.3.1
  • 3.3.2
Unaffected
  • 3.4.0
Problem Types
TypeCWE IDDescription
CWECWE-99Improper Control of Resource Identifiers
Type: CWE
CWE ID: CWE-99
Description: Improper Control of Resource Identifiers
Metrics
VersionBase scoreBase severityVector
4.06.3MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
3.13.7LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
3.03.7LOW
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
2.02.6N/A
AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C
Version: 4.0
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 3.7
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
Version: 3.0
Base score: 3.7
Base severity: LOW
Vector:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
Version: 2.0
Base score: 2.6
Base severity: N/A
Vector:
AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
larlarua (VulDB User)
Timeline
EventDate
Advisory disclosed2026-04-28 00:00:00
VulDB entry created2026-04-28 02:00:00
VulDB entry last update2026-04-28 13:50:22
Event: Advisory disclosed
Date: 2026-04-28 00:00:00
Event: VulDB entry created
Date: 2026-04-28 02:00:00
Event: VulDB entry last update
Date: 2026-04-28 13:50:22
Replaced By
Rejected Reason
References
HyperlinkResource
https://vuldb.com/vuln/359959
vdb-entry
technical-description
https://vuldb.com/vuln/359959/cti
signature
permissions-required
https://vuldb.com/submit/803075
third-party-advisory
https://github.com/xuxueli/xxl-job/issues/3936
exploit
issue-tracking
https://github.com/xuxueli/xxl-job/commit/d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a
patch
https://github.com/xuxueli/xxl-job/releases/tag/v3.4.0
patch
https://github.com/xuxueli/xxl-job/
product
Hyperlink: https://vuldb.com/vuln/359959
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/vuln/359959/cti
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/submit/803075
Resource:
third-party-advisory
Hyperlink: https://github.com/xuxueli/xxl-job/issues/3936
Resource:
exploit
issue-tracking
Hyperlink: https://github.com/xuxueli/xxl-job/commit/d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a
Resource:
patch
Hyperlink: https://github.com/xuxueli/xxl-job/releases/tag/v3.4.0
Resource:
patch
Hyperlink: https://github.com/xuxueli/xxl-job/
Resource:
product
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:28 Apr, 2026 | 22:16
Updated At:29 Apr, 2026 | 21:16

A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.4.0 is recommended to address this issue. The patch is identified as d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a. It is suggested to upgrade the affected component.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.02.9LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.13.7LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Secondary2.02.6LOW
AV:N/AC:H/Au:N/C:P/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 2.9
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 3.7
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 2.0
Base score: 2.6
Base severity: LOW
Vector:
AV:N/AC:H/Au:N/C:P/I:N/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-99Primarycna@vuldb.com
CWE ID: CWE-99
Type: Primary
Source: cna@vuldb.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/xuxueli/xxl-job/cna@vuldb.com
N/A
https://github.com/xuxueli/xxl-job/commit/d24e4ccd6073cc75305e1d3b9c29bc8db7437e7acna@vuldb.com
N/A
https://github.com/xuxueli/xxl-job/issues/3936cna@vuldb.com
N/A
https://github.com/xuxueli/xxl-job/releases/tag/v3.4.0cna@vuldb.com
N/A
https://vuldb.com/submit/803075cna@vuldb.com
N/A
https://vuldb.com/vuln/359959cna@vuldb.com
N/A
https://vuldb.com/vuln/359959/cticna@vuldb.com
N/A
Hyperlink: https://github.com/xuxueli/xxl-job/
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/xuxueli/xxl-job/commit/d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/xuxueli/xxl-job/issues/3936
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/xuxueli/xxl-job/releases/tag/v3.4.0
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/submit/803075
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/359959
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/359959/cti
Source: cna@vuldb.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

4Records found
CVE-2025-7789
Matching Score-8
Assigner-VulDB
ShareView Details
Matching Score-8
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.13% / 32.48%
||
7 Day CHG~0.00%
Published-18 Jul, 2025 | 15:14
Updated-11 Sep, 2025 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Xuxueli xxl-job Token Generation IndexController.java makeToken weak password hash

A vulnerability was found in Xuxueli xxl-job up to 3.1.1 and classified as problematic. Affected by this issue is the function makeToken of the file src/main/java/com/xxl/job/admin/controller/IndexController.java of the component Token Generation. The manipulation leads to password hash with insufficient computational effort. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-xuxueliXuxueli
Product-xxl-jobxxl-job
CWE ID-CWE-326
Inadequate Encryption Strength
CWE ID-CWE-916
Use of Password Hash With Insufficient Computational Effort
CVE-2025-9263
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.10% / 27.12%
||
7 Day CHG~0.00%
Published-20 Aug, 2025 | 23:02
Updated-11 Sep, 2025 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Xuxueli xxl-job JobLogController.java getJobsByGroup resource injection

A vulnerability has been found in Xuxueli xxl-job up to 3.1.1. Affected by this vulnerability is the function getJobsByGroup of the file /src/main/java/com/xxl/job/admin/controller/JobLogController.java. Such manipulation of the argument jobGroup leads to improper control of resource identifiers. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-xuxueliXuxueli
Product-xxl-jobxxl-job
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-99
Improper Control of Resource Identifiers ('Resource Injection')
CVE-2025-9264
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.10% / 26.25%
||
7 Day CHG~0.00%
Published-20 Aug, 2025 | 23:32
Updated-11 Sep, 2025 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Xuxueli xxl-job Jobs JobInfoController.java remove resource injection

A vulnerability was found in Xuxueli xxl-job up to 3.1.1. Affected by this issue is the function remove of the file /src/main/java/com/xxl/job/admin/controller/JobInfoController.java of the component Jobs Handler. Performing manipulation of the argument ID results in improper control of resource identifiers. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

Action-Not Available
Vendor-xuxueliXuxueli
Product-xxl-jobxxl-job
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-99
Improper Control of Resource Identifiers ('Resource Injection')
CVE-2025-12919
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.05% / 16.36%
||
7 Day CHG~0.00%
Published-09 Nov, 2025 | 20:02
Updated-24 Feb, 2026 | 06:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EverShop Order Order.resolvers.js resource injection

A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-evershopn/a
Product-evershopEverShop
CWE ID-CWE-99
Improper Control of Resource Identifiers ('Resource Injection')
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
Details not found