32 matches found
PT-2025-50953
Name of the Vulnerable Software and Affected Versions: jshERP versions 3.5 and earlier. Description: The software is susceptible to a stored cross-site scripting (XSS) issue. Attackers can exploit this by uploading PDF files containing malicious XSS payloads. These files are then accessible through...
CVE-2025-51744
An issue was discovered in jishenghua JSHERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks...
CVE-2025-51742
An issue was discovered in jishenghua JSHERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject, introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads...
CVE-2025-51746
An issue was discovered in jishenghua JSHERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks...
CVE-2025-51745
An issue was discovered in jishenghua JSHERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks...
CVE-2025-51743
An issue was discovered in jishenghua JSHERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks...
CVE-2025-51746
CVE-2025-51746 affects jishenghua JSH_ERP 2.3.1. The vulnerability is in the /serialNumber/addSerialNumber endpoint and arises from fastjson deserialization, with CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, CRITICAL). Exploitation details are not provided in the connected docu...
CVE-2025-51745
CVE-2025-51745 affects jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks due to the deserialization flaw in that endpoint. The CVSS metrics indicate a high-severity, network-exposed chain with no user interaction and total impact on confidential...
CVE-2025-51743
Affected product: jishenghua JSH_ERP 2.3.1. The vulnerability is in the /materialCategory/addMaterialCategory endpoint and is caused by a fastjson deserialization flaw. Impact is described as high in CVSS (CRITICAL, 9.8) with network access, no authentication, and no user interaction. No exploita...
PT-2025-48081
An issue was discovered in jishenghua JSH ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject, introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads...
EUVD-2025-35868
jshERP up to commit fbda24da was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the jsherp function...
jshERP security vulnerability
jshERP (Huaxia ERP) is a domestically developed ERP system from the individual Chinese developer Ji Sheng Hua. A security vulnerability exists in jshERP version v3.5; it stems from improper access control in the PersonController.java component and could allow access to processor information...