CVE-2026-1549: Path Traversal in jishenghua jshERP
A vulnerability was identified in jishenghua jshERP up to 3.6. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/plugin/uploadPluginConfigFile of the component PluginController. Such manipulation of the argument configFile leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
CVE-2026-1549 is a path traversal vulnerability in jishenghua jshERP, affecting versions up to 3.6. It sits in the PluginController component, in the handler for /jshERP-boot/plugin/uploadPluginConfigFile: the configFile argument is used to build a file path without being confined to the plugin directory, so a value containing '..' segments (or an absolute path) escapes the intended location. The description does not say whether the traversal governs which file the handler reads or where an uploaded file is written; the endpoint name suggests an upload, and a write-side traversal would affect integrity rather than confidentiality alone, so the read-only framing below should be re-checked against the published exploit. The attack is carried out over the network and needs no user interaction. The vendor was informed early through an issue report but has not responded or published a fix. The CVSS 4.0 base score is 5.3 (medium), with attack vector network, low attack complexity and no attack requirements. Note that 5.3 is the CVSS 4.0 result for those metrics combined with low privileges required and low impact; the same metrics with no privileges required score 6.9, and the description does not state whether the endpoint is reachable without a session, so confirm the published vector before treating the issue as unauthenticated. The impact as rated is primarily on confidentiality: files outside the plugin directory can be read. No exploitation in the wild has been reported, but public exploit code exists, which raises the likelihood of attempts. The case illustrates why user-controlled file names must be canonicalised and checked against an allowed directory before use, particularly in ERP systems that hold sensitive corporate data.
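The defect class behind this CVE, as an added illustration rather than jshERP's own code (the real plugin handler is not reproduced on this page): a naive join of a base directory with a user-supplied name beside the resolve-then-check version that confines it. The directory layout, file names and the symlink are constructed for the example; they are not taken from the product.

```python
"""Confining a user-supplied file name to one directory.

Added illustration, not code from jshERP: it shows the generic defect that
a traversal in a parameter such as configFile exploits, and the
resolve-then-check pattern that closes it. All names below are constructed.
"""
import os
import tempfile
from pathlib import Path

# Constructed inputs: one legitimate name and five escape attempts.
SAMPLES = [
    "inventory.json",             # legitimate plugin config name
    "../../../../etc/passwd",     # classic dot-dot traversal
    "/etc/passwd",                # absolute name: os.path.join discards the base
    "plugins/../../outside.cfg",  # traversal hidden behind a valid segment
    "link.json",                  # symlink inside the base pointing outside it
    "",                           # empty name resolves to the directory itself
]


def naive_target(base: str, user_name: str) -> str:
    """The vulnerable pattern: concatenate and use whatever comes out."""
    return os.path.normpath(os.path.join(base, user_name))


def confined_path(base: str, user_name: str) -> Path:
    """Resolve the candidate and require it to stay strictly under base.

    Checking the resolved path (not the string) rejects '..' segments,
    absolute names and symlinks that point outside the directory.
    """
    base_dir = Path(base).resolve()
    candidate = (base_dir / user_name).resolve()
    if candidate == base_dir or not candidate.is_relative_to(base_dir):
        raise ValueError(f"path escapes {base_dir}: {user_name!r}")
    return candidate


def compare(base: str, names=SAMPLES) -> dict:
    """For each name return (string_prefix_says_inside, resolved_check_accepts).

    The first flag is what a string-prefix check on the naive join reports;
    the second is the verdict of confined_path().
    """
    base_dir = str(Path(base).resolve())
    out = {}
    for name in names:
        naive_inside = naive_target(base_dir, name).startswith(base_dir + os.sep)
        try:
            confined_path(base_dir, name)
            confined_ok = True
        except ValueError:
            confined_ok = False
        out[name] = (naive_inside, confined_ok)
    return out


def demo() -> dict:
    """Run compare() in a throwaway plugin directory with a symlink escape."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = Path(root) / "plugins"
        plugin_dir.mkdir()
        secret = Path(root) / "db.properties"           # constructed "secret"
        secret.write_text("jdbc.password=constructed\n")
        try:
            os.symlink(secret, plugin_dir / "link.json")  # escape via symlink
        except OSError:
            pass  # platforms without symlink support: that sample just won't exist
        return compare(str(plugin_dir))


if __name__ == "__main__":
    for name, (naive_inside, confined_ok) in demo().items():
        print(f"{name!r:30} prefix-check inside={naive_inside!s:5} "
              f"resolved-check accepts={confined_ok}")
```

The symlink case is the one a string-prefix check on the joined path gets wrong: the string stays under the plugin directory, but the file actually opened lives elsewhere. Resolving first and comparing the resolved path is what makes the check hold.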
Potential Impact
For organizations using jshERP, this vulnerability poses a risk of unauthorized disclosure of business and configuration data, which can seed further attacks such as credential theft, espionage or disruption of business processes. ERP systems integrate many business functions, so exposed configuration files may reveal database credentials, integration secrets or internal network structure. Because the endpoint is reachable over the network, instances exposed directly to the internet can be targeted without any foothold on the internal network, which matters most for organizations with weak perimeter controls. Confidentiality breaches involving personal data can also mean GDPR non-compliance, with legal and financial consequences. The medium severity score reflects a moderate but tangible threat that is most likely to be used as one stage of a larger intrusion. With no vendor response and no patch, the exposure window is open-ended, so organizations relying on jshERP for critical operations should treat this as a priority for risk management and incident prevention.
Mitigation Recommendations
Until an official patch is released, organizations running jshERP should apply the following mitigations:
1) Keep the plugin endpoints off the internet. Restrict /jshERP-boot/plugin/uploadPluginConfigFile (and the rest of /jshERP-boot/plugin/) at the firewall, reverse proxy or WAF to administrator source addresses or a VPN; an ERP plugin upload handler has no business being publicly reachable.
2) Add a blocking rule at the proxy or WAF for traversal in the configFile parameter. Match on the decoded value, not the raw string: plain '../', URL-encoded (%2e%2e%2f), double-encoded (%252e%252e%252f), backslash (..\) and absolute-path forms must all be rejected, and the rule must inspect the request body as well as the query string if the parameter can arrive in a POST body.
3) Monitor access and proxy logs for requests to the endpoint whose configFile value contains any of those patterns, and alert on them; with a public exploit available, a single hit is worth a ticket.
4) Segment ERP servers from public and general-purpose networks to limit lateral movement if a host is compromised.
5) Run the application under a dedicated low-privilege account and tighten file-system permissions so that a successful traversal cannot reach credential files, keys or other services' configuration.
6) Consider runtime application self-protection (RASP) tooling that can block traversal at the file-access layer.
7) Track the upstream project and vulnerability advisories so the fix can be applied as soon as it is published.
8) Include ERP systems in internal assessments and penetration tests, since other endpoints in the same code base may share the input-handling weakness.
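Items 2 and 3 in working form, as an added example that is not part of the advisory or of jshERP: a scanner over access-log lines that decodes the configFile value (including double encoding and backslash separators) before deciding whether it is a traversal attempt. The log format, client addresses, timestamps and file names are constructed for the demonstration.

```python
"""Flagging traversal attempts against the jshERP plugin upload endpoint.

Added example, not part of the advisory or of jshERP. It parses
combined-format access-log lines, decodes the query string until stable
(so double encoding collapses), and flags configFile values that could
leave the intended directory. SAMPLE_LOG is constructed for the demo.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/jshERP-boot/plugin/uploadPluginConfigFile"
PARAM = "configFile"

# Combined log format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed access-log excerpt: one legitimate call, four traversal
# attempts in different encodings, and two unrelated requests.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jan/2026:23:01:11 +0000] "POST /jshERP-boot/plugin/uploadPluginConfigFile?configFile=inventory.json HTTP/1.1" 200 512
203.0.113.9 - - [28/Jan/2026:23:01:12 +0000] "POST /jshERP-boot/plugin/uploadPluginConfigFile?configFile=../../../../etc/passwd HTTP/1.1" 200 1907
203.0.113.9 - - [28/Jan/2026:23:01:13 +0000] "POST /jshERP-boot/plugin/uploadPluginConfigFile?configFile=..%2F..%2Fapplication.properties HTTP/1.1" 200 1320
203.0.113.9 - - [28/Jan/2026:23:01:14 +0000] "POST /jshERP-boot/plugin/uploadPluginConfigFile?configFile=%252e%252e%252f%252e%252e%252fconfig.yml HTTP/1.1" 200 880
203.0.113.9 - - [28/Jan/2026:23:01:15 +0000] "POST /jshERP-boot/plugin/uploadPluginConfigFile?configFile=..\\..\\win.ini HTTP/1.1" 200 92
198.51.100.4 - - [28/Jan/2026:23:02:00 +0000] "GET /jshERP-boot/user/login HTTP/1.1" 200 2048
198.51.100.4 - - [28/Jan/2026:23:02:30 +0000] "GET /jshERP-boot/plugin/list?configFile=../x HTTP/1.1" 200 77
"""


def full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly until stable, so %252e%252e (double
    encoding) collapses to '..' just as it would after two server-side
    decoding layers. Bounded to avoid looping on pathological input."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True when the decoded file name could leave the intended directory:
    an absolute path (POSIX or drive letter) or any '..' path segment.
    Backslashes are normalised so Windows-style attempts are caught too."""
    v = full_decode(value).replace("\\", "/")
    if v.startswith("/") or re.match(r"^[A-Za-z]:/", v):
        return True
    return any(seg == ".." for seg in v.split("/"))


def scan(log_text: str) -> list:
    """Return one record per request to ENDPOINT whose configFile value
    looks like a traversal attempt. Other endpoints are ignored even when
    they carry the same parameter name, to keep the alert specific."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not an access-log line we parse
        target = urlsplit(m["target"])
        if target.path != ENDPOINT:
            continue
        # parse_qs performs the first percent-decode; full_decode the rest.
        for raw in parse_qs(target.query, keep_blank_values=True).get(PARAM, []):
            if is_traversal(raw):
                hits.append({"client": m["client"], "ts": m["ts"],
                             "status": m["status"],
                             "configFile": full_decode(raw)})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} status={hit['status']} "
              f"configFile={hit['configFile']!r}")
```

If the parameter travels in a multipart POST body rather than the query string, the access log will not contain it at all; in that case run the same decode-then-check logic where the body is visible (the reverse proxy or WAF) and log the decoded value there. A 200 status on a flagged request is the signal that the traversal was not rejected and should be escalated.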
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-28T16:53:00.932Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 697a96554623b1157cf7780a
Added to database: 1/28/2026, 11:05:57 PM
Last enriched: 1/28/2026, 11:20:38 PM
Last updated: 2/5/2026, 7:54:21 AM