JeecgBoot SQLi Flaw CVE-2026-8114 Exploit Publicly Available
CVE-2026-8114 (CVSS 6.5) in JeecgBoot up to 3.9.1 enables remote SQL injection via the /sys/dict/loadTreeData endpoint. Exploit code is public.

Executive Summary
A SQL injection vulnerability tracked as CVE-2026-8114 (CVSS 6.5) affects JeecgBoot versions up to 3.9.1, a popular open-source low-code development platform used primarily in China for enterprise application development. The flaw resides in the /sys/dict/loadTreeData endpoint, where the condition parameter is not properly sanitized before being passed to a JSON object handler. An attacker can exploit this remotely without authentication, and exploit code has been publicly released, according to the National Vulnerability Database (NVD) and the vendor's GitHub repository. The vendor, JeecgBoot, has acknowledged the issue in a Chinese-language statement confirming it should be fixed in version 3.9.2.
Technical Analysis
CVE-2026-8114 is a classic SQL injection vulnerability in the loadTreeData function of JeecgBoot's dictionary management module. The endpoint /sys/dict/loadTreeData accepts a condition argument that is processed by a JSON object handler. The handler fails to escape or parameterize user-supplied input before constructing SQL queries, allowing an attacker to inject arbitrary SQL commands.
The vulnerability is exploitable remotely over HTTP, requiring no prior authentication or special privileges. The NVD assessment assigns a CVSS v3.1 base score of 6.5 (Medium), with the vector string indicating network attack vector, low attack complexity, and no privileges required. The impact is primarily on confidentiality and integrity, as successful injection can lead to unauthorized data access or modification.
Crucially, the NVD entry notes that exploit code is publicly available and may be actively used. The vendor's GitHub repository contains a Chinese-language confirmation stating: "It should be fixed in version 3.9.2." The exact commit or patch details have not been published as of this writing, leaving users of versions 3.9.1 and earlier exposed.
JeecgBoot is widely deployed in Chinese enterprises for rapid application development, including government, finance, and manufacturing sectors. The platform's popularity in environments where low-code tools are used to build internal business applications makes this vulnerability particularly concerning for organizations that may not have dedicated security teams reviewing dependencies.
Mitigations & Recommendations
Organizations running JeecgBoot should immediately upgrade to version 3.9.2 or later once it is released. The vendor has confirmed the fix is in development but has not provided a specific release date. In the interim, defenders should implement the following mitigations:
- Restrict network access to the /sys/dict/loadTreeData endpoint to trusted IP ranges only, using web application firewall (WAF) rules or network segmentation.
- Monitor for exploitation attempts by reviewing web server logs for anomalous condition parameters containing SQL keywords (e.g., UNION, SELECT, OR 1=1) directed at the vulnerable endpoint.
- Apply input validation at the reverse proxy or API gateway layer to reject requests with suspicious condition values before they reach the JeecgBoot application.
- Conduct a security audit of any custom applications built on JeecgBoot to identify other potential injection points, as the low-code nature of the platform may introduce additional vulnerabilities.
Given the public availability of exploit code, the window for safe remediation is narrow. Organizations that cannot immediately patch should treat the vulnerability as actively exploitable.
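The log-monitoring mitigation above, as an added example that is not part of the original advisory or the JeecgBoot project: a small scanner that parses web server access-log lines, keeps only requests to /sys/dict/loadTreeData, decodes the condition parameter and flags values matching the SQL keywords the advisory names. The log format, the heuristic pattern and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

VULN_PATH = "/sys/dict/loadTreeData"

# Assumed common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Heuristic markers: the keywords named in the advisory plus common
# tautology and comment forms. Tune thresholds to your own traffic.
SQLI_RE = re.compile(
    r"(?i)\b(union|select|insert|update|delete|drop|sleep|benchmark)\b"
    r"|\bor\s+\d+\s*=\s*\d+|--|/\*"
)

def suspicious_condition(value: str):
    """Return the first SQL-looking token in a decoded condition value, else None."""
    decoded = unquote_plus(value)  # second decode catches single double-encoding
    m = SQLI_RE.search(decoded)
    return m.group(0) if m else None

def scan(log_text: str):
    """Return findings for loadTreeData requests whose condition looks injected."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue  # keyword noise on other endpoints is out of scope here
        # parse_qs percent-decodes once; keep blanks so 'condition=' is still seen.
        for value in parse_qs(url.query, keep_blank_values=True).get("condition", []):
            token = suspicious_condition(value)
            if token:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "status": m.group("status"), "token": token,
                                 "condition": unquote_plus(value)})
    return findings

# Constructed sample lines (not real traffic): a benign JSON condition, two
# injection-style conditions, and a keyword on an unrelated path.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /sys/dict/loadTreeData?pid=1&condition=%7B%22status%22%3A%221%22%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /sys/dict/loadTreeData?condition=1%27%20OR%201%3D1%20--%20 HTTP/1.1" 200 9120 "-" "python-requests/2.31"
203.0.113.9 - - [01/Jan/2026:10:00:03 +0000] "GET /sys/dict/loadTreeData?condition=x%27%20UNION%20SELECT%201%2C2%2C3%20--%20 HTTP/1.1" 500 233 "-" "python-requests/2.31"
10.0.0.7 - - [01/Jan/2026:10:00:04 +0000] "GET /sys/user/list?condition=UNION HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} HTTP {f['status']} token={f['token']!r} condition={f['condition']!r}")
```

A burst of hits from one client, or a 500 following a flagged request, is the pattern worth alerting on; a single keyword match on its own is a low-confidence signal.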
