CVE-2026-1746 identifies a SQL injection vulnerability in JeecgBoot version 3.9.0, a rapid development platform widely used for enterprise applications. The flaw exists in the Online Report API component, specifically within the endpoint /JeecgBoot/sys/api/loadDictItemByKeyword. The vulnerability is triggered by malicious manipulation of the 'keyword' argument, which is not properly sanitized before being incorporated into SQL queries. This lack of input validation enables attackers to craft SQL injection payloads that can be executed remotely without requiring authentication or user interaction. Exploiting this vulnerability could allow attackers to read, modify, or delete sensitive data stored in the backend database, potentially leading to data breaches or further system compromise. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the ease of remote exploitation and the limited privileges required (low privileges), but with limited impact on confidentiality, integrity, and availability. The vendor was notified early but has not issued a patch or response, and a public exploit is available, increasing the urgency for organizations to implement mitigations. This vulnerability affects only version 3.9.0 of JeecgBoot, and no patches or updates have been officially released at the time of disclosure.

The SQL injection vulnerability in JeecgBoot 3.9.0 poses significant risks to organizations relying on this platform for enterprise applications. Successful exploitation can lead to unauthorized access to sensitive data, including confidential business information and user data, undermining confidentiality. Attackers may also alter or delete data, impacting data integrity and potentially disrupting business operations. While the vulnerability does not directly affect system availability, the consequences of data manipulation or exfiltration can cause operational and reputational damage. Given the remote exploitability without authentication or user interaction, attackers can launch attacks at scale, increasing the threat surface. Organizations with JeecgBoot deployments in critical sectors such as finance, healthcare, and government are particularly at risk due to the sensitivity of their data and regulatory compliance requirements. The lack of vendor response and available public exploits further elevate the threat level, necessitating immediate attention to prevent potential breaches.

To mitigate CVE-2026-1746, organizations should first assess their use of JeecgBoot version 3.9.0 and identify any exposed instances of the vulnerable Online Report API endpoint. Since no official patch is currently available, immediate mitigations include implementing Web Application Firewall (WAF) rules to detect and block SQL injection payloads targeting the 'keyword' parameter. Input validation and sanitization should be enforced at the application level, employing parameterized queries or prepared statements to prevent injection attacks. Restricting access to the vulnerable API endpoint through network segmentation, IP whitelisting, or VPN access can reduce exposure. Monitoring logs for suspicious query patterns and anomalous database activity is critical for early detection of exploitation attempts. Organizations should also engage with the JeecgBoot community or vendors for updates and patches and plan for timely upgrades once fixes are released. Finally, conducting security audits and penetration testing focused on injection vulnerabilities can help identify and remediate similar weaknesses proactively.