How is CVE-2026-36418 exploited?

Network reachability (required): The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the JimuReport service. Authentication (not-required): The /jmreport/executeSelectApi endpoint accepts unauthenticated requests, so no account or credential is needed to submit a malicious payload. Victim interaction (not-required): The attacker sends a crafted request directly to the server; no user action or interaction is required to trigger the vulnerability. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or specific memory layout to succeed.

What is the impact of CVE-2026-36418?

Attacker executes arbitrary code in the context of the JimuReport server process, gaining full control over whatever the process is permitted to do on the host. Attacker reads any data accessible to the server process, including configuration files, credentials, database connection strings, and stored report data. Attacker writes or modifies files and data reachable by the server process, including report definitions, application configuration, and any writable storage.

Back to search

CRITICALCVE-2026-36418Published 2026-06-17Modified 2026-06-17CNA mitre

CVE-2026-36418: JimuReport versions 2

JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing attackers to execute arbitrary code.

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Remote code execution vulnerability in JimuReport versions 2.3.4 and below allows unauthenticated network attackers to run arbitrary code on the server. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without validation, so any attacker who can reach the service over the network can craft a malicious expression payload. Successful exploitation gives the attacker arbitrary code execution on the host, with full read and write access to data the process can reach. HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as a fix version is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that embed JimuReport.

Available

Triage

HarborGuard scores this CVE at CVSS 9.1 (Critical) and surfaces it with that severity weighting in each customer environment; per-environment compliance policies can further weight or escalate the finding, and routing rules direct alerts to the appropriate team inbox within each customer org.

Available

Patch

No fix version has been published upstream. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention at that time.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the JimuReport service.
AuthenticationNot required
The /jmreport/executeSelectApi endpoint accepts unauthenticated requests, so no account or credential is needed to submit a malicious payload.
Victim interactionNot required
The attacker sends a crafted request directly to the server; no user action or interaction is required to trigger the vulnerability.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or specific memory layout to succeed.

Blast Radius

Attacker executes arbitrary code in the context of the JimuReport server process, gaining full control over whatever the process is permitted to do on the host.
Attacker reads any data accessible to the server process, including configuration files, credentials, database connection strings, and stored report data.
Attacker writes or modifies files and data reachable by the server process, including report definitions, application configuration, and any writable storage.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-36418 is active and will flag any image containing an affected JimuReport version (2.3.4 and below) as it is scanned. Because no upstream fix version exists at this time, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically for customers with auto-remediation enabled as soon as a fix is published. In the interim, compensating controls worth considering include network-policy isolation to restrict access to the /jmreport/executeSelectApi endpoint to trusted sources only, egress filtering on containers running JimuReport to limit lateral movement if the service is compromised, and feature-flag or reverse-proxy gating to disable or authenticate the endpoint until a patch is available. The critical CVSS score of 9.1 means this finding is routed at the highest severity tier in HarborGuard triage queues.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

github.com

Metrics

Get notified