
CVE-2026-1549: Path Traversal in jishenghua jshERP

Severity: Medium
Published: Wed Jan 28 2026 (01/28/2026, 23:02:07 UTC)
Source: CVE Database V5
Vendor/Project: jishenghua
Product: jshERP

Description

A vulnerability was identified in jishenghua jshERP up to 3.6. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/plugin/uploadPluginConfigFile of the component PluginController. Such manipulation of the argument configFile leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/23/2026, 22:34:23 UTC

Technical Analysis

CVE-2026-1549 is a path traversal vulnerability discovered in the jishenghua jshERP product, affecting all versions up to 3.6. The vulnerability resides in the PluginController component, specifically within the /jshERP-boot/plugin/uploadPluginConfigFile endpoint. The issue arises from insufficient validation or sanitization of the configFile parameter, which an attacker can manipulate to traverse directories on the server's filesystem. This allows unauthorized access to files outside the intended directory scope. The vulnerability can be exploited remotely over the network without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 5.3, reflecting medium severity, with the vector indicating network attack vector, low attack complexity, no privileges required, no user interaction, and limited confidentiality impact. Although no patches have been released and the vendor has not responded to the issue report, a public exploit exists, making timely mitigation critical. The vulnerability could lead to unauthorized disclosure of sensitive files such as configuration files, credentials, or other critical data stored on the server, potentially facilitating further attacks or system compromise.

Potential Impact

The primary impact of this vulnerability is unauthorized disclosure of sensitive information due to path traversal, which can compromise confidentiality. Attackers can read arbitrary files on the affected server, potentially exposing credentials, configuration details, or other sensitive data. This exposure can lead to further exploitation, including privilege escalation or lateral movement within an organization's network. Since the vulnerability is remotely exploitable without authentication or user interaction, it poses a significant risk to any organization using affected versions of jshERP, especially those exposing the vulnerable endpoint to untrusted networks. The lack of vendor response and patch availability increases the window of exposure. Organizations in sectors relying heavily on jshERP for enterprise resource planning may face operational disruptions, data breaches, and compliance violations if exploited.

Mitigation Recommendations

1. Immediately restrict external access to the /jshERP-boot/plugin/uploadPluginConfigFile endpoint via network controls such as firewalls or web application firewalls (WAFs) to limit exposure.
2. Implement strict input validation and sanitization on the configFile parameter to prevent directory traversal sequences (e.g., ../).
3. Employ least privilege principles for the jshERP application process to minimize file system access rights, limiting the impact of potential exploitation.
4. Monitor logs for suspicious requests targeting the vulnerable endpoint, especially those containing traversal patterns.
5. If possible, deploy virtual patching through WAF rules that detect and block path traversal attempts.
6. Engage with the vendor or community to obtain or develop patches or updates addressing this vulnerability.
7. Consider isolating the jshERP instance in a segmented network zone to reduce potential lateral movement.
8. Regularly back up critical data and configurations to enable recovery in case of compromise.
9. Educate system administrators about this vulnerability and ensure timely application of any future patches.
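As an added illustration of recommendations 2 and 4 (example code, not code from the jshERP project or from this advisory): a small Python triage script that applies a containment check to a configFile value and then scans constructed access-log lines for requests to the endpoint whose value would escape the plugin directory. It assumes configFile arrives as a query-string parameter and that the web server writes common log format; the log lines, IP addresses and file names are constructed.

```python
# Added example (not jshERP code): configFile containment check + log scan for CVE-2026-1549 probes.
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/jshERP-boot/plugin/uploadPluginConfigFile"
# Common-log-format line; assumes configFile is passed in the query string (assumption).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d{3}')

def escapes_plugin_dir(config_file: str) -> bool:
    """True if config_file would resolve outside the plugin directory: 'sub/../a.json'
    stays inside, '../a.json', '%2e%2e%2fa.json' or '/etc/x' escape."""
    value = unquote(unquote(config_file))  # two passes: catches %2e%2e%2f and double-encoded forms
    value = value.replace("\\", "/")       # treat backslashes as separators too
    if value.startswith("/"):
        return True  # an absolute path never belongs inside the plugin directory
    depth = 0
    for seg in value.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if depth == 0:
                return True  # climbed above the plugin directory
            depth -= 1
        else:
            depth += 1
    return False

def flag_traversal_requests(lines):
    """Return (ip, configFile) pairs for requests to ENDPOINT whose configFile escapes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        for value in parse_qs(url.query).get("configFile", []):  # parse_qs decodes once
            if escapes_plugin_dir(value):
                hits.append((m.group("ip"), value))
    return hits

# Constructed sample log lines (documentation-range IPs, invented file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jan/2026:23:10:01 +0000] "POST /jshERP-boot/plugin/uploadPluginConfigFile?configFile=plugin.json HTTP/1.1" 200 512',
    '192.0.2.11 - - [28/Jan/2026:23:10:05 +0000] "POST /jshERP-boot/plugin/uploadPluginConfigFile?configFile=../../../app/db.properties HTTP/1.1" 200 1024',
    '192.0.2.12 - - [28/Jan/2026:23:10:09 +0000] "POST /jshERP-boot/plugin/uploadPluginConfigFile?configFile=%252e%252e%252fsettings.conf HTTP/1.1" 200 1024',
    '192.0.2.13 - - [28/Jan/2026:23:10:12 +0000] "GET /jshERP-boot/user/login HTTP/1.1" 200 2048',
]
```

Running `flag_traversal_requests(SAMPLE_LOG)` flags the second and third lines only; the same `escapes_plugin_dir` check is what the server-side validation in recommendation 2 should perform before touching the filesystem.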


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-01-28T16:53:00.932Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 697a96554623b1157cf7780a

Added to database: 1/28/2026, 11:05:57 PM

Last enriched: 2/23/2026, 10:34:23 PM

Last updated: 3/24/2026, 11:04:12 AM

Views: 43
