{"id":"CVE-2025-61189","details":"Jeecgboot versions 3.8.2 and earlier are affected by a path traversal vulnerability. The endpoint is /sys/comment/addFile. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory specified by the web server.","modified":"2026-04-10T05:32:33.760534Z","published":"2025-10-01T20:18:39.163Z","references":[{"type":"REPORT","url":"https://github.com/jeecgboot/JeecgBoot/issues/8827"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jeecgboot/jeecg-boot","events":[{"introduced":"0"},{"last_affected":"925f1637844eb0a158a7e78f544b93aff66c1644"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.8.2"}]}}],"versions":["2.2.0","2.3.0","2.4.0","2.4.1","2.4.5","v2.0.2","v2.1.0","v2.1.1","v2.1.3","v2.1.4","v2.2.1","v2.3","v2.3.0","v2.4.1","v2.4.2","v2.4.3","v2.4.5","v2.4.6","v3.0","v3.0.0","v3.1.0","v3.2.0","v3.4.0","v3.4.2","v3.4.3","v3.4.3last","v3.4.4","v3.4.4last","v3.5.0","v3.5.1","v3.5.1last","v3.5.3","v3.5.5","v3.5.5last","v3.6.0","v3.6.1","v3.6.2","v3.6.2last","v3.6.3","v3.6.3last","v3.7.0","v3.7.0_all","v3.7.0_all_last","v3.7.0last_springboot3","v3.7.1","v3.7.1last","v3.7.2","v3.7.3","v3.8.0","v3.8.0last","v3.8.1","v3.8.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61189.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"}]}