jeesite CVE Vulnerabilities & Metrics

Focus on jeesite vulnerabilities and metrics.

Last updated: 25 Nov 2025, 23:25 UTC

About jeesite Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with jeesite. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total jeesite CVEs: 11
Earliest CVE date: 23 Jul 2019, 14:15 UTC
Latest CVE date: 01 Sep 2025, 22:15 UTC

Latest CVE reference: CVE-2025-9796

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 2

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 100.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 100.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical jeesite CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 2.82

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	5
4.0-6.9	5
7.0-8.9	1
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS jeesite CVEs

These are the five CVEs with the highest CVSS scores for jeesite, sorted by severity first and recency.

CVE-2020-19229 jeesite Published on 05 Apr 2022, 16:15 UTC (CVSS: 7.5)
Jeesite 1.2.7 uses the apache shiro version 1.2.3 affected by CVE-2016-4437. Because of this version of the java deserialization vulnerability, an attacker could exploit the vulnerability to execute arbitrary commands via the rememberMe parameter.
CVE-2025-7759 jeesite Published on 17 Jul 2025, 22:15 UTC (CVSS: 6.5)
A vulnerability was identified in thinkgem JeeSite up to 5.12.0. This vulnerability affects unknown code of the file modules/core/src/main/java/com/jeesite/common/ueditor/ActionEnter.java of the component UEditor Image Grabber. Such manipulation of the argument Source leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be us...
CVE-2024-8112 jeesite Published on 23 Aug 2024, 15:15 UTC (CVSS: 5.0)
A vulnerability was found in thinkgem JeeSite 5.3. It has been rated as problematic. This issue affects some unknown processing of the file /js/a/login of the component Cookie Handler. The manipulation of the argument skinName leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-9796 jeesite Published on 01 Sep 2025, 22:15 UTC (CVSS: 4.0)
A vulnerability was found in thinkgem JeeSite up to 5.12.1. This affects the function decodeUrl2 of the file common/src/main/java/com/jeesite/common/codec/EncodeUtils.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 5.13.0 mitigates this issue. The patch is identified as...
CVE-2019-1010201 jeesite Published on 23 Jul 2019, 18:15 UTC (CVSS: 4.0)
Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticated. The fixed version is: 4.0 and later.

All CVEs for jeesite

CVE-2025-9796 jeesite vulnerability CVSS: 4.0 01 Sep 2025, 22:15 UTC

A vulnerability was found in thinkgem JeeSite up to 5.12.1. This affects the function decodeUrl2 of the file common/src/main/java/com/jeesite/common/codec/EncodeUtils.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 5.13.0 mitigates this issue. The patch is identified as 63773c97a56bdb3649510e83b66c16db4754965b. Upgrading the affected component is recommended.

CVE-2025-7759 jeesite vulnerability CVSS: 6.5 17 Jul 2025, 22:15 UTC

A vulnerability was identified in thinkgem JeeSite up to 5.12.0. This vulnerability affects unknown code of the file modules/core/src/main/java/com/jeesite/common/ueditor/ActionEnter.java of the component UEditor Image Grabber. Such manipulation of the argument Source leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The name of the patch is 1c5e49b0818037452148e0f8ff69ed04cb8fefdc. It is advisable to implement a patch to correct this issue.

CVE-2024-8112 jeesite vulnerability CVSS: 5.0 23 Aug 2024, 15:15 UTC

A vulnerability was found in thinkgem JeeSite 5.3. It has been rated as problematic. This issue affects some unknown processing of the file /js/a/login of the component Cookie Handler. The manipulation of the argument skinName leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

CVE-2023-38991 jeesite vulnerability CVSS: 0 04 Aug 2023, 00:15 UTC

An issue in the delete function in the ActModelController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete models created by the Administrator.

CVE-2023-38990 jeesite vulnerability CVSS: 0 02 Aug 2023, 00:15 UTC

An issue in the delete function in the MenuController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete menus created by the Administrator.

CVE-2023-38989 jeesite vulnerability CVSS: 0 31 Jul 2023, 18:15 UTC

An issue in the delete function in the UserController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete the Administrator's role information.

CVE-2023-38988 jeesite vulnerability CVSS: 0 28 Jul 2023, 21:15 UTC

An issue in the delete function in the OaNotifyController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete notifications created by Administrators.

CVE-2023-34601 jeesite vulnerability CVSS: 0 22 Jun 2023, 11:15 UTC

Jeesite before commit 10742d3 was discovered to contain a SQL injection vulnerability via the component ${businessTable} at /act/ActDao.xml.

CVE-2020-19229 jeesite vulnerability CVSS: 7.5 05 Apr 2022, 16:15 UTC

Jeesite 1.2.7 uses the apache shiro version 1.2.3 affected by CVE-2016-4437. Because of this version of the java deserialization vulnerability, an attacker could exploit the vulnerability to execute arbitrary commands via the rememberMe parameter.

CVE-2019-1010201 jeesite vulnerability CVSS: 4.0 23 Jul 2019, 18:15 UTC

Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticated. The fixed version is: 4.0 and later.

CVE-2019-1010202 jeesite vulnerability CVSS: 4.0 23 Jul 2019, 14:15 UTC

Jeesite 1.2.7 is affected by: XML External Entity (XXE). The impact is: sensitive information disclosure. The component is: convertToModel() function in src/main/java/com.thinkgem.jeesite/modules/act/service/ActProcessService.java. The attack vector is: network connectivity,authenticated,must upload a specially crafted xml file. The fixed version is: 4.0 and later.