CVE-2026-7305: Server-Side Request Forgery in Xuxueli xxl-job
A weakness has been identified in Xuxueli xxl-job up to version 3.3.2. The affected code is the function triggerJob in xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java, part of the trigger endpoint. Manipulation of the addressList argument causes server-side request forgery: the admin server sends its trigger request to whatever addresses the caller supplies. The attack can be initiated remotely. An exploit has been published and could be used in attacks. There is ongoing doubt about whether this is a genuine vulnerability. The project maintainer explains (translated from Chinese): "Triggers are manually activated and involve login and access control, thus requiring management." The researcher's pull request was rejected on that basis.
AI Analysis
Technical Summary
Xuxueli xxl-job versions 3.3.0 through 3.3.2 contain a server-side request forgery vulnerability in the triggerJob function behind the trigger endpoint. The addressList parameter is not validated, so a caller who is allowed to trigger jobs can direct the admin server's outbound trigger request at hosts of their choosing. Exploitation is remote and needs no user interaction, but it does require low privileges (PR:L), that is, an authenticated account with access to the trigger function. The project maintainer argues that triggering is a manual, login-protected and access-controlled action, which casts doubt on the practical exploitability. No official patch has been released, and the pull request that would have addressed the issue was rejected.
Potential Impact
Successful exploitation would let an authenticated attacker with trigger rights make the admin server issue HTTP requests to arbitrary hosts, potentially reaching internal services that are not exposed to the attacker directly. The mitigating factor the maintainer cites is an access control rather than a fix: login and role checks limit who can reach the trigger, but anyone who does reach it can exercise the flaw, so the residual risk depends on how tightly trigger rights and admin accounts are managed. A proof-of-concept is public, but no exploitation in the wild has been reported. The overall impact is rated medium, with a CVSS 4.0 score of 5.3.
Mitigation Recommendations
No official patch or remediation is currently available, and the vendor's remediation status is unconfirmed; check the vendor advisory for current guidance. The maintainer indicates that triggering requires login and access control, which lowers the exposure but does not remove the behaviour. Until a fix exists: restrict access to the trigger endpoint, and to the admin console generally, to authorized operators and trusted networks; review which accounts hold trigger rights; where possible, limit outbound connections from the admin host to the networks where executors actually run, so a forged trigger request cannot reach unrelated internal services; and treat a manual trigger whose addressList does not match the executor group's registered addresses as suspicious in audit logs. Monitor vendor advisories for updates addressing this issue.
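The check that the technical summary and the mitigation notes both point at, as an added example that is not xxl-job's code: validate the addressList argument against the executor group's registered addresses before the admin server sends the trigger request anywhere. It is written in Python rather than the project's Java so it runs stand-alone; REGISTERED_EXECUTORS and the sample address lists are constructed, and the function names are this example's own, not names from the project.

```python
"""Allowlist check for an executor addressList before a manual job trigger.

Added example, not xxl-job's code. It models the data the advisory describes:
a comma-separated addressList of executor base URLs that the admin server would
otherwise POST a trigger request to. The hardened path accepts only addresses
the executor group has registered, and refuses loopback, link-local and other
non-routable targets outright. REGISTERED_EXECUTORS is a constructed sample.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: base URLs the executor group registered with the admin.
REGISTERED_EXECUTORS = {
    "http://10.0.1.5:9999/",
    "http://10.0.1.6:9999/",
}


def trigger_job_unvalidated(address_list: str) -> list[str]:
    """The behaviour the advisory describes: every entry becomes a request target."""
    return [a.strip() for a in address_list.split(",") if a.strip()]


def normalize(address: str) -> str:
    """Canonical base URL: http(s) scheme, host, explicit port, no path/query/userinfo."""
    parts = urlsplit(address.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("scheme must be http or https")
    if parts.username or parts.password or parts.query or parts.fragment \
            or parts.path not in ("", "/"):
        raise ValueError("path, query, fragment or credentials are not allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)  # raises on a bad port
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    return f"{parts.scheme}://{host}:{port}/"


def is_blocked_target(host: str) -> bool:
    """Defense in depth against obvious SSRF targets. Hostnames are not resolved
    here, so the registry match is the primary control; RFC 1918 ranges are
    deliberately allowed because executors normally live on private networks."""
    if host in ("localhost", "localhost.localdomain"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast


def vet_address_list(address_list: str, registered=REGISTERED_EXECUTORS):
    """Split addressList and sort entries into (accepted, rejected-with-reason)."""
    allowed = {normalize(a) for a in registered}
    accepted, rejected = [], []
    for raw in (s.strip() for s in address_list.split(",")):
        if not raw:
            continue
        try:
            canon = normalize(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if is_blocked_target(urlsplit(canon).hostname):
            rejected.append((raw, "loopback, link-local or non-routable target"))
        elif canon not in allowed:
            rejected.append((raw, "not a registered executor"))
        else:
            accepted.append(canon)
    return accepted, rejected


def trigger_job(address_list: str, registered=REGISTERED_EXECUTORS) -> list[str]:
    """Fail closed: refuse the whole trigger if any entry is not acceptable."""
    accepted, rejected = vet_address_list(address_list, registered)
    if rejected:
        detail = "; ".join(f"{raw}: {why}" for raw, why in rejected)
        raise ValueError(f"addressList rejected ({detail})")
    if not accepted:
        raise ValueError("addressList is empty")
    return accepted  # the caller would now POST the trigger only to these


if __name__ == "__main__":
    good = "http://10.0.1.5:9999/, http://10.0.1.6:9999"
    bad = "http://10.0.1.5:9999/,http://169.254.169.254:80/"
    print("unvalidated:", trigger_job_unvalidated(bad))
    print("validated:  ", trigger_job(good))
    try:
        trigger_job(bad)
    except ValueError as exc:
        print("blocked:    ", exc)
```

Refusing the whole trigger when any entry fails, instead of silently dropping the bad entries, makes misuse visible in the admin's logs and gives an operator a clear error to act on. The IP-level checks are only defense in depth: hostnames are not resolved, so a registered-address match is what actually decides whether a request goes out.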
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-04-28T11:45:12.858Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69f1649ccbff5d861047ebdf
Added to database: 4/29/2026, 1:53:32 AM
Last enriched: 4/29/2026, 2:00:16 AM
Last updated: 4/29/2026, 5:43:36 AM