CVE-2026-36418

CRITICAL NVD
CVSS Score 9.1
Severity CRITICAL
Published Jun 17, 2026
Vendor unknown

Description

JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation, allowing attackers to execute arbitrary code.

References