CVE-2026-3026 Overview
CVE-2026-3026 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in JEEWMS 3.7, an open-source warehouse management system. The flaw resides in the /plug-in/ueditor/jsp/getRemoteImage.jsp endpoint within the UEditor component. Attackers can manipulate the upfile parameter to coerce the server into issuing arbitrary outbound HTTP requests. The vulnerability requires no authentication and can be triggered remotely over the network. The exploit has been publicly disclosed, and the vendor did not respond to disclosure attempts.
Critical Impact
Unauthenticated attackers can abuse the JEEWMS server to probe internal networks, access cloud metadata services, or interact with otherwise unreachable internal applications.
Affected Products
- JEEWMS 3.7 (erzhongxmu distribution)
- UEditor component bundled with JEEWMS
- Applications exposing /plug-in/ueditor/jsp/getRemoteImage.jsp
Discovery Timeline
- 2026-02-23 - CVE-2026-3026 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-3026
Vulnerability Analysis
The vulnerability stems from unsafe handling of the upfile parameter in the getRemoteImage.jsp script. UEditor is a rich-text editor that supports fetching remote images via server-side requests. When a client supplies a URL in the upfile parameter, the JEEWMS backend issues an HTTP request to that destination without validating the target host, scheme, or address range.
Because the request originates from the JEEWMS server, attackers can pivot to internal-only services that are not reachable from the public internet. Common SSRF targets include cloud instance metadata endpoints (such as 169.254.169.254), internal administrative panels, databases bound to localhost, and other intranet hosts. The exploit can be initiated remotely without authentication.
Root Cause
The root cause is missing input validation and URL allow-listing in the remote image fetch routine. The JSP handler accepts arbitrary user-controlled URLs and dispatches HTTP requests directly. There is no scheme restriction, no DNS resolution check against internal address ranges, and no destination allow-list, which aligns with CWE-918 (Server-Side Request Forgery).
Attack Vector
An unauthenticated attacker crafts an HTTP request to /plug-in/ueditor/jsp/getRemoteImage.jsp and sets the upfile parameter to an attacker-chosen URL. The JEEWMS server then performs the outbound request and may return content or behavioral cues that leak internal information. Refer to the Notion Analysis of SSRF Vulnerability and VulDB #347382 for additional technical context.
Detection Methods for CVE-2026-3026
Indicators of Compromise
- HTTP requests to /plug-in/ueditor/jsp/getRemoteImage.jsp containing upfile parameters pointing to internal IP ranges (RFC 1918), localhost, or 169.254.169.254.
- Unexpected outbound HTTP requests from the JEEWMS application server to internal hosts or cloud metadata services.
- Anomalous DNS resolutions originating from the JEEWMS JVM process for internal hostnames.
Detection Strategies
- Inspect web server access logs for requests matching the vulnerable endpoint and flag any upfile value that is not a public image URL.
- Deploy WAF rules to block upfile parameters containing internal IP ranges, non-HTTP schemes, or hostnames that resolve to private networks.
- Correlate inbound requests to the UEditor endpoint with outbound network telemetry from the JEEWMS host to identify SSRF chains.
Monitoring Recommendations
- Enable egress monitoring on the JEEWMS application server and alert on connections to metadata services or internal management interfaces.
- Baseline normal outbound traffic from the application tier and trigger alerts on deviations.
- Forward web application and network telemetry to a centralized analytics platform for cross-correlation and retention.
How to Mitigate CVE-2026-3026
Immediate Actions Required
- Restrict network access to /plug-in/ueditor/jsp/getRemoteImage.jsp at the reverse proxy or WAF until a fix is applied.
- Block outbound traffic from the JEEWMS server to cloud metadata endpoints and internal administrative ranges that the application does not require.
- Audit recent access logs for exploitation attempts targeting the UEditor endpoint.
Patch Information
No vendor patch is available at the time of publication. The vendor was contacted but did not respond to the disclosure. Organizations should track the VulDB entry #347382 for updates and consider migrating to a maintained alternative if the vendor remains unresponsive.
Workarounds
- Disable or remove the UEditor getRemoteImage.jsp handler if the remote image fetch feature is not required.
- Implement an egress allow-list on the JEEWMS host that permits only known external image hosts.
- Deploy a WAF rule that validates the upfile parameter against a strict allow-list of public domains and rejects internal IP literals and non-HTTP schemes.
# Example WAF rule (ModSecurity) to block SSRF via the upfile parameter.
# Two chained rules: the request must hit the vulnerable path AND the (already URL-decoded,
# then lowercased) upfile value must match the denylist before the 403 is returned.
SecRule REQUEST_URI "@contains /plug-in/ueditor/jsp/getRemoteImage.jsp" \
    "phase:2,chain,deny,status:403,id:1026302601,msg:'Blocked JEEWMS UEditor SSRF attempt'"
    SecRule ARGS:upfile "@rx (?:127\.0\.0\.1|localhost|169\.254\.169\.254|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|file:|gopher:|dict:)" \
        "t:none,t:lowercase"
# This is a denylist, not the allow-list recommended above: the unanchored fragments such as
# "10\." can also match harmless public URLs, and a hostname that resolves to an internal
# address is not matched at all, so treat the rule as a stop-gap alongside egress filtering.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.