Jishenghua Jsherp
By the Year
In 2026 there have been 4 vulnerabilities in Jishenghua Jsherp with an average score of 4.5 out of ten. Last year, in 2025, Jsherp had 2 security vulnerabilities published. That is, 2 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was higher by 2.80.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 4 | 4.50 |
| 2025 | 2 | 7.30 |
| 2024 | 4 | 9.80 |
It may take a day or so for new Jsherp vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Jishenghua Jsherp Security Vulnerabilities
jishenghua jshERP <=3.6 SSRF via updatePlatformConfigByKey Endpoint
CVE-2026-8320
4.7 - Medium
- May 11, 2026
A security vulnerability has been detected in jishenghua jshERP up to 3.6. This affects the function getUserByWeixinCode of the file jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java of the component updatePlatformConfigByKey Endpoint. Such manipulation of the argument weixinUrl leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
SSRF
jishenghua jshERP <=3.6 Path Traversal via installByPath
CVE-2026-1588
2.7 - Low
- January 29, 2026
A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.operator.DefaultPluginOperator. The manipulation of the argument path results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Directory traversal
CVE-2026-1549 jshERP 3.6 Path Traversal via /uploadPluginConfigFile
CVE-2026-1549
4.3 - Medium
- January 28, 2026
A vulnerability was identified in jishenghua jshERP up to 3.6. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/plugin/uploadPluginConfigFile of the component PluginController. Such manipulation of the argument configFile leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Directory traversal
SQLi in jshERP (3.6) getBillItemByParam via barCodes
CVE-2026-1546
6.3 - Medium
- January 28, 2026
A security vulnerability has been detected in jishenghua jshERP up to 3.6. The impacted element is the function getBillItemByParam of the file /jshERP-boot/depotItem/importItemExcel of the component com.jsh.erp.datasource.mappers.DepotItemMapperEx. The manipulation of the argument barCodes leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
SQL Injection
jshERP 3.5 Weak Password Recovery Remote Exploit
CVE-2025-7948
6.5 - Medium
- July 22, 2025
A vulnerability classified as problematic was found in jshERP up to 3.5. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/user/updatePwd. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Weak Password Recovery Mechanism for Forgotten Password
jshERP 3.5 Account Handler ID RCE via /user/delete (Critical)
CVE-2025-7947
8.1 - High
- July 22, 2025
A vulnerability classified as critical has been found in jshERP up to 3.5. Affected is an unknown function of the file /user/delete of the component Account Handler. The manipulation of the argument ID leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Insecure Direct Object Reference / IDOR
SQLI in jshERP v3.3 via DepotHeadController findInOutMaterialCount
CVE-2024-24003
9.8 - Critical
- February 08, 2024
jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutMaterialCount() function of jshERP does not filter the `column` and `order` parameters well enough, and an attacker can construct a malicious payload that bypasses jshERP's protection mechanism in the `safeSqlParse` method to perform SQL injection.
SQL Injection
jshERP v3.3 SQLi in DepotHeadController via column/order param
CVE-2024-24004
9.8 - Critical
- February 07, 2024
jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutDetail() function of jshERP does not filter the `column` and `order` parameters well enough, and an attacker can construct a malicious payload that bypasses jshERP's protection mechanism in the `safeSqlParse` method to perform SQL injection.
SQL Injection
jshERP v3.3 SQLi via unsanitized column/order params
CVE-2024-24002
9.8 - Critical
- February 07, 2024
jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.MaterialController: com.jsh.erp.utils.BaseResponseInfo getListWithStock() function of jshERP does not filter the `column` and `order` parameters well enough, and an attacker can construct a malicious payload that bypasses jshERP's protection mechanism in the `safeSqlParse` method to perform SQL injection.
SQL Injection
jshERP 3.3 SQL Injection via DepotHeadController
CVE-2024-24001
9.8 - Critical
- February 07, 2024
jshERP v3.3 is vulnerable to SQL Injection via the com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findallocationDetail() function of jshERP, which allows an attacker to construct a malicious payload that bypasses jshERP's protection mechanism.
SQL Injection