Platform: java
Component: jsherp
Fixed in: 3.0.1, 3.1.1, 3.2.1, 3.3.1, 3.4.1, 3.5.1, 3.6.1
CVE-2026-1588 is a path traversal vulnerability affecting jshERP versions 3.0 through 3.6. The flaw sits in the install function of com.gitee.starblues.integration.operator.DefaultPluginOperator, a class from the plugin framework that jshERP embeds, and is reached through the /jshERP-boot/plugin/installByPath endpoint. Because the path handed to that endpoint is not adequately constrained to the plugin directory, a caller can reference files and directories outside it and so reach content they are not authorized to access. A public proof-of-concept exists, and the project has not yet responded to the report.
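To make the flaw concrete, here is the pattern behind an "install by path" traversal and the containment check that closes it. This is an added illustration in Python, not jshERP's or the plugin framework's code; the names PLUGIN_DIR, install_by_path_naive and install_by_path_safe, and the sample inputs, are assumptions made for this example.

```python
"""Path-containment check for an installer that accepts a caller-supplied path.

Added illustration, not jshERP or plugin-framework code. The function names and
the sample inputs below are constructed for this example.
"""
import os
import tempfile


def install_by_path_naive(plugin_dir: str, requested: str) -> str:
    """The vulnerable pattern: join the caller's path onto the plugin directory
    without canonicalising. '..' segments walk out of the directory, and an
    absolute path makes os.path.join discard plugin_dir entirely."""
    return os.path.normpath(os.path.join(plugin_dir, requested))


def install_by_path_safe(plugin_dir: str, requested: str) -> str:
    """Resolve the candidate to its canonical form (symlinks included) and refuse
    it unless it still lies strictly inside the canonical plugin directory."""
    base = os.path.realpath(plugin_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath raises ValueError for mixed absolute/relative inputs or different
    # drives; treat that as a rejection as well.
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:
        inside = False
    if not inside or candidate == base:
        raise ValueError(f"path escapes plugin directory: {requested!r}")
    return candidate


def demo() -> dict:
    """Run both versions against constructed inputs. Returns, per input, whether
    the safe version accepted it and whether the naive join stayed inside."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = os.path.join(root, "plugins")
        os.mkdir(plugin_dir)
        # constructed sample inputs: one legitimate plugin, three traversal attempts
        inputs = {
            "plain": "inventory-plugin.jar",
            "dotdot": "../application.properties",
            "nested-dotdot": "sub/../../application.properties",
            "absolute": "/etc/passwd",
        }
        results = {}
        for name, req in inputs.items():
            naive = install_by_path_naive(plugin_dir, req)
            results[name + "_naive_inside"] = naive.startswith(plugin_dir + os.sep)
            try:
                install_by_path_safe(plugin_dir, req)
                results[name] = True
            except ValueError:
                results[name] = False
        return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(f"{key}: {value}")
```

The check has to be done on the resolved path, not on the raw string: a rule that only strips a literal "../" misses "sub/../../", encoded variants decoded later in the pipeline, and absolute inputs that os.path.join accepts without complaint.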
The primary impact of CVE-2026-1588 is unauthorized access to files and directories on the server hosting jshERP. An attacker could use it to reach sensitive configuration files, source code, or other data that helps with further compromise. The CVSS score is LOW (2.7), but the public proof-of-concept lowers the effort needed to exploit the flaw. If the exposed files contain credentials or other secrets, successful exploitation can lead to data breaches, system disruption, and lateral movement within the network.
CVE-2026-1588 has been publicly disclosed and a proof-of-concept is available. It is not currently listed on CISA KEV, and its EPSS score (0.07%, 22nd percentile) is low for now, but the vulnerability is simple to trigger and the PoC makes it easy to target systems running vulnerable jshERP versions. The lack of a response from the project increases the urgency of putting mitigations in place.
Exploit Status
EPSS: 0.07% (22nd percentile)
No fix has been provided, so mitigation is the immediate priority. Plugin installation is an administrative function, so restrict who can reach the /jshERP-boot/plugin/installByPath endpoint: deny it at the reverse proxy or firewall except from administrator networks, and keep jshERP's own access controls tight so that only trusted accounts hold plugin-installation rights. A Web Application Firewall can block traversal attempts against the endpoint; make sure the rules match URL-encoded and double-encoded forms (%2e%2e%2f, %252e%252e%252f, ..%5c) and not only a literal ../, and bear in mind that parameters sent in a request body do not appear in standard web-server access logs. Monitor web-server and application logs for requests to the endpoint that carry traversal sequences or absolute paths. Review and harden the jshERP configuration to reduce the attack surface. To verify the controls, send a request to the vulnerable endpoint with a traversal payload from an untrusted vantage point and confirm that it is blocked or denied.
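The log monitoring step above, as an added example that is not part of the original advisory or the jshERP project: a scanner that pulls the request target out of combined-format access log lines, decodes the query parameters (including double-encoded sequences), and flags requests to the install endpoint whose parameters contain a parent-directory segment or an absolute path. The log format, the parameter name "path", and the sample lines are constructed for this illustration; only the endpoint path comes from the advisory.

```python
"""Scan access logs for traversal attempts against the jshERP plugin-install endpoint.

Added example, not part of the advisory or of jshERP. The nginx-style combined
log format, the 'path' parameter name and SAMPLE_LOG are constructed here.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

INSTALL_ENDPOINT = "/jshERP-boot/plugin/installByPath"

# Request field of a combined-format line: "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# After decoding: a '..' segment bounded by either separator, or an absolute
# path (Unix root or Windows drive letter). 'a..b' deliberately does not match.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)|^[\\/]|^[A-Za-z]:[\\/]')

# Constructed sample: one normal request, one legitimate install, five attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2026:10:01:02 +0000] "GET /jshERP-boot/user/info HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Feb/2026:10:01:05 +0000] "POST /jshERP-boot/plugin/installByPath?path=inventory-plugin.jar HTTP/1.1" 200 44',
    '203.0.113.9 - - [12/Feb/2026:10:02:11 +0000] "POST /jshERP-boot/plugin/installByPath?path=../../application.properties HTTP/1.1" 200 44',
    '203.0.113.9 - - [12/Feb/2026:10:02:15 +0000] "POST /jshERP-boot/plugin/installByPath?path=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 44',
    '203.0.113.9 - - [12/Feb/2026:10:02:20 +0000] "POST /jshERP-boot/plugin/installByPath?path=%252e%252e%252fconfig HTTP/1.1" 403 0',
    '203.0.113.9 - - [12/Feb/2026:10:02:25 +0000] "POST /jshERP-boot/plugin/installByPath?path=..%5c..%5cwin.ini HTTP/1.1" 200 44',
    '203.0.113.9 - - [12/Feb/2026:10:02:30 +0000] "POST /jshERP-boot/plugin/installByPath?path=/etc/passwd HTTP/1.1" 200 44',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded input such as %252e%252e%252f
    collapses to '../'. Bounded so odd input cannot loop forever."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if the decoded value contains a '..' segment or is an absolute path."""
    return bool(TRAVERSAL_RE.search(fully_decode(value)))


def scan_access_log(lines):
    """Return (line_number, parameter, decoded_value) for each request to the
    install endpoint whose query parameters carry a traversal or absolute path.
    Only the query string is visible here; body parameters need application logs."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Decode the path too, so an encoded endpoint name is not missed.
        if fully_decode(parts.path).rstrip("/") != INSTALL_ENDPOINT:
            continue
        for key, val in parse_qsl(parts.query, keep_blank_values=True):
            if is_traversal(val):
                findings.append((lineno, key, fully_decode(val)))
    return findings


if __name__ == "__main__":
    for lineno, key, val in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {key}={val!r}")
```

Treat a hit as a detection of an attempt, not proof of success: the 403 on the double-encoded line shows a blocked request, while the 200 responses on the others are the ones to investigate.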
Upgrade jshERP as soon as a release later than 3.6 that fixes the path traversal is published. If no such release is available, contact the vendor for a patch or an alternative solution.
CVE-2026-1588 is a path traversal vulnerability in jshERP versions 3.0–3.6 that lets attackers reach unauthorized files through the install function behind the /jshERP-boot/plugin/installByPath endpoint.
You are affected if you are running jshERP versions 3.0 through 3.6 and have not implemented mitigating controls.
A patch is not currently available. Implement WAF rules, access controls, and monitor logs as immediate mitigations.
A public proof-of-concept exists, suggesting a potential for active exploitation.
The project has not yet responded to the reported issue. Monitor the jshERP project's website and GitHub repository for updates.