CVE-2026-1546

A security vulnerability has been detected in jishenghua jshERP up to 3.6. The impacted element is the function getBillItemByParam of the file /jshERP-boot/depotItem/importItemExcel of the component com.jsh.erp.datasource.mappers.DepotItemMapperEx. The manipulation of the argument barCodes leads ...

PT-2026-5231

Name of the Vulnerable Software and Affected Versions jishenghua jshERP versions up to 3.6 Description A security issue exists in jishenghua jshERP. The getBillItemByParam function within the com.jsh.erp.datasource.mappers.DepotItemMapperEx component, located in the file...

PT-2025-50955

Name of the Vulnerable Software and Affected Versions jshERP versions prior to 3.5 Description The software is susceptible to a stored Cross Site Scripting XSS issue. The vulnerability exists through the /msg/add API endpoint. An attacker could potentially inject malicious scripts that are then...

EUVD-2025-25417

Malicious code in bioql PyPI...

EUVD-2025-25427

Malicious code in bioql PyPI...

EUVD-2024-21429

Malicious code in bioql PyPI...

CVE-2025-55367

Incorrect access control in the component \controller\SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account...

CVE-2025-55371

Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList method...

CVE-2025-55368

Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account...

CVE-2025-55371

Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList method...

CVE-2025-55370

Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value...

CVE-2025-55368

Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account...

CVE-2025-55366

CVE-2025-55366 affects jshERP v3.5; improper access control in the UserController.java component (controller\UserController.java) allows attackers to arbitrarily reset user passwords and perform horizontal privilege escalation. Affected software/version is jshERP 3.5; underlying cause is access c...

PT-2025-34222 · Jsherp · Jsherp

Name of the Vulnerable Software and Affected Versions: jshERP version 3.5 Description: An incorrect access control issue exists in the controllerResourceController.java component of jshERP version 3.5. This allows unauthorized attackers to obtain all corresponding ID data by modifying the ID valu...

CVE-2025-55370

CVE-2025-55370 affects jshERP v3.5. The vulnerability arises from incorrect access control in the ResourceController.java component, allowing unauthorized attackers to modify an ID value to retrieve all related ID data. Root cause is improper access control in the controller code, with high sever...

CVE-2025-55371

Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList method...

CVE-2025-55370

Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value...

CVE-2025-8840

Summary (CVE-2025-8840, jshERP): Up to version 3.5, jshERP’s Endpoint component exposes an authorization flaw in the file /jshERP-boot/user/deleteBatch where manipulation of the argument ids enables a remote attack. Public exploit disclosure is noted. Several sources corroborate an improper autho...

CVE-2024-24003

jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutMaterialCount function of jshERP does not filter column and order parameters well enough, and an attacker can construct malicious payload to bypass jshERP's...

CVE-2024-24002

jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.MaterialController: com.jsh.erp.utils.BaseResponseInfo getListWithStock function of jshERP does not filter column and order parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection...