Xuxueli


Products by Xuxueli Sorted by Most Security Vulnerabilities since 2018

Xuxueli Xxl Job: 23 vulnerabilities

Xuxueli Xxl Conf: 1 vulnerability

Xuxueli Xxl Sso: 1 vulnerability

By the Year

In 2026 there have been 4 vulnerabilities in Xuxueli with an average score of 5.5 out of ten. Last year, in 2025, Xuxueli had 4 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Xuxueli in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.13.




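| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 4 | 5.48 |
| 2025 | 4 | 5.60 |
| 2024 | 3 | 9.13 |
| 2023 | 8 | 7.16 |
| 2022 | 5 | 8.32 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 1 | 0.00 |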

It may take a day or so for new Xuxueli vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Xuxueli Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-7306 Apr 28, 2026
XXL-Job 3.3.2 OpenAPI Endpoint Default_Token Hard-Coded Key Remote
A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used.
Xxl Job
CVE-2026-7305 Apr 28, 2026
XXL-JOB SSRF via triggerJob up to 3.3.2 - Xuxueli xxl-job
A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): "Triggers are manually activated and involve login and access control, thus requiring management." The pull request by the researcher got rejected because of that.
Xxl Job
CVE-2026-7303 Apr 28, 2026
XXL-JOB logDetailCat logId identifier control vulnerability (<3.4.0, fixed 3.4.0)
A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.4.0 is recommended to address this issue. The patch is identified as d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a. It is suggested to upgrade the affected component.
Xxl Job
CVE-2026-3733 Mar 08, 2026
xxl-job 3.3.2 SSRF via JobInfoController - Xuxueli
A vulnerability was detected in xuxueli xxl-job up to 3.3.2. This impacts an unknown function of the file source-code/src/main/java/com/xxl/job/admin/controller/JobInfoController.java. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. The exploit is now public and may be used. The project maintainer closed the issue report with the following statement: "Access token security verification is required." (translated from Chinese)
Xxl Job
CVE-2025-7789 Jul 18, 2025
XXL-Job 3.1.1 TokenGen Weak Hash Remotely
A vulnerability was found in Xuxueli xxl-job up to 3.1.1 and classified as problematic. Affected by this issue is the function makeToken of the file src/main/java/com/xxl/job/admin/controller/IndexController.java of the component Token Generation. The manipulation leads to password hash with insufficient computational effort. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
Xxl Job
CVE-2025-7788 Jul 18, 2025
Xuxueli Xxl-Job <=3.1.1 remote OS Command Injection
A vulnerability has been found in Xuxueli xxl-job up to 3.1.1 and classified as critical. Affected by this vulnerability is the function commandJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\SampleXxlJob.java. The manipulation leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Xxl Job
CVE-2025-7787 Jul 18, 2025
XXL-Job <3.1.1 SSRF via httpJobHandler (Critical)
A vulnerability, which was classified as critical, was found in Xuxueli xxl-job up to 3.1.1. Affected is the function httpJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\SampleXxlJob.java. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Xxl Job
CVE-2025-6701 Jun 26, 2025
Open Redirect in Xuxueli xxl-sso 1.1.0 via /doLogin
A vulnerability, which was classified as problematic, has been found in Xuxueli xxl-sso 1.1.0. This issue affects some unknown processing of the file /xxl-sso-server/doLogin. The manipulation of the argument redirect_url leads to open redirect. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Xxl Sso
CVE-2024-42681 Aug 15, 2024
Xxl-Job v2.4.1 Insecure Permissions in Sub-Task ID (RCE)
Insecure Permissions vulnerability in xxl-job v.2.4.1 allows a remote attacker to execute arbitrary code via the Sub-Task ID component.
Xxl Job
CVE-2024-3366 Apr 06, 2024
XXL-Job <2.4.1 Serialization Deserialization Injection (Template Handler)
A vulnerability classified as problematic was found in Xuxueli xxl-job up to 2.4.1. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the component Template Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259480.
Xxl Job
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).