CVE-2026-1746 identifies a SQL injection vulnerability in JeecgBoot version 3.9.0, a Java-based rapid development platform. The flaw resides in the Online Report API, specifically in the /JeecgBoot/sys/api/loadDictItemByKeyword endpoint, where the 'keyword' parameter is improperly sanitized. This allows remote attackers to inject malicious SQL queries, potentially leading to unauthorized data access, data modification, or denial of service. The attack vector requires no authentication or user interaction, making it easier to exploit remotely. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity due to limited scope and partial impact on confidentiality, integrity, and availability. The vendor has not issued a patch or response, but public exploit code is available, increasing the threat landscape. The absence of vendor mitigation necessitates immediate defensive actions by users. This vulnerability can compromise backend databases, exposing sensitive information or disrupting service continuity in affected deployments.

For European organizations, this vulnerability poses a significant risk to any systems running JeecgBoot 3.9.0, particularly those exposing the vulnerable API endpoint to external networks. Exploitation could lead to unauthorized data disclosure, data tampering, or service outages, impacting business operations and regulatory compliance, especially under GDPR. Organizations in sectors such as finance, healthcare, and public administration that rely on JeecgBoot for internal or customer-facing applications could face reputational damage and legal consequences if sensitive data is leaked. The availability of public exploits increases the likelihood of attacks, potentially leading to widespread compromise. The medium severity rating indicates a moderate but tangible threat that requires prompt attention to prevent escalation.

1. Immediately audit all JeecgBoot 3.9.0 deployments to identify exposed instances of the /JeecgBoot/sys/api/loadDictItemByKeyword endpoint. 2. Implement strict input validation and parameterized queries or prepared statements to sanitize the 'keyword' parameter and prevent SQL injection. 3. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting this endpoint. 4. Restrict external access to the vulnerable API endpoint where possible, limiting exposure to trusted networks only. 5. Monitor logs for suspicious activity related to the 'keyword' parameter and unusual database queries. 6. Engage with the JeecgBoot community or maintainers to track any forthcoming patches or updates. 7. Consider upgrading to a later, patched version once available or applying community-developed fixes. 8. Conduct security awareness training for developers to avoid similar injection flaws in future development.