Cyber Posture

CVE-2025-66913

Critical · Public PoC

Published: 08 January 2026
Modified: 30 January 2026
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0058 (69.1st percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

JimuReport through version 2.1.3 is vulnerable to remote code execution when processing user-controlled H2 JDBC URLs. The application passes the attacker-supplied JDBC URL directly to the H2 driver, allowing the use of certain directives to execute arbitrary Java code. A different vulnerability than CVE-2025-10770.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly requires validation of user-controlled H2 JDBC URLs to prevent injection of malicious directives that trigger arbitrary Java code execution.
- prevent: Mandates timely patching or upgrading of JimuReport to remediate the specific flaw allowing RCE via unvalidated JDBC URLs.
- prevent: Implements memory protections to mitigate the impact of arbitrary code execution even if a malicious JDBC URL is processed by the H2 driver.

Security Summary [AI-generated]

CVE-2025-66913 is a remote code execution vulnerability affecting JimuReport through version 2.1.3. The flaw occurs when the application processes user-controlled H2 JDBC URLs, passing the attacker-supplied URL directly to the H2 driver. This allows the use of specific directives to execute arbitrary Java code. Published on 2026-01-08, the vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-94 (Improper Control of Generation of Code). It is distinct from CVE-2025-10770.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction. By supplying a specially crafted H2 JDBC URL, the attacker causes the H2 driver to execute arbitrary Java code on the server, potentially leading to full system compromise with high impact on confidentiality, integrity, and availability.

Mitigation details are available in the provided references, including a GitHub issue at https://github.com/jeecgboot/jimureport/issues/4306 and a Gist at https://gist.github.com/Catherines77/f15d53e9705b24cf018e5bffed3e8234, which discuss the vulnerability and potential patches or workarounds for affected JimuReport versions.
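The first mitigating control above calls for validating user-controlled JDBC URLs before they reach a driver. The following allow-list guard is an added illustration of that control, not code from JimuReport or from the linked references; the class name, the permitted subprotocols and the host list are assumptions for a hypothetical deployment. It refuses anything that is not a network database on a known host, and refuses every caller-supplied connection setting, so the application rather than the report user decides what the driver sees.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Allow-list guard for JDBC URLs that originate from report users (hypothetical policy class). */
public final class JdbcUrlGuard {
    // Assumption: only these server-based engines are needed. "h2" is deliberately absent:
    // embedded/file/in-memory engines take connection-time settings the app cannot delegate to users.
    private static final Set<String> ALLOWED_SUBPROTOCOLS = Set.of("mysql", "postgresql");
    // Assumption: hosts a report data source may reach, configured per deployment.
    private static final Set<String> ALLOWED_HOSTS = Set.of("reports-db.internal");
    private static final Pattern JDBC = Pattern.compile("^jdbc:([A-Za-z0-9]+):(//.*)$");

    /** Returns true only for URLs the application is willing to hand to a driver. */
    public static boolean isAllowed(String url) {
        if (url == null || url.length() > 512) return false;
        Matcher m = JDBC.matcher(url.trim());
        if (!m.matches()) return false;                 // not jdbc:<subprotocol>://...
        String sub = m.group(1).toLowerCase();
        String rest = m.group(2);
        if (!ALLOWED_SUBPROTOCOLS.contains(sub)) return false;
        // Driver settings ride in the URL after ';' (H2 style) or '?'/'&' (MySQL/PostgreSQL style).
        // Refusing all of them keeps every connection property under the application's control.
        if (rest.indexOf(';') >= 0 || rest.indexOf('?') >= 0 || rest.indexOf('&') >= 0) return false;
        try {
            URI u = new URI(sub + ":" + rest);            // e.g. mysql://host:3306/db
            int port = u.getPort();
            return u.getUserInfo() == null                // credentials never travel in the URL
                && u.getHost() != null
                && ALLOWED_HOSTS.contains(u.getHost().toLowerCase())
                && (port == -1 || (port >= 1 && port <= 65535))
                && u.getPath().matches("/[A-Za-z0-9_]+");   // a single plain database name
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String[] samples = {                              // constructed sample inputs
            "jdbc:mysql://reports-db.internal:3306/reports",        // ALLOW
            "jdbc:h2:mem:reports",                                  // REJECT: embedded engine
            "jdbc:mysql://reports-db.internal:3306/reports;x=1",    // REJECT: caller-supplied setting
            "jdbc:postgresql://other-host.example:5432/reports",    // REJECT: host not on allow-list
        };
        for (String s : samples) System.out.println((isAllowed(s) ? "ALLOW  " : "REJECT ") + s);
    }
}
```

Where a deployment genuinely needs user-selectable data sources, the safer pattern is to let users pick from server-side connection profiles by identifier and never accept a raw JDBC URL at all.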

Details

CWE(s): CWE-94 (Improper Control of Generation of Code)

Affected Products: jeecg / jimureport / ≤ 2.1.3

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2025-66913 enables remote unauthenticated RCE in a public-facing web application (JimuReport) via crafted H2 JDBC URLs, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References