Key Vulnerability Information

CVE ID: CVE-2026-1549
VDB ID: VDB-343245
CVSS Meta Temp Score: 3.9
Current Exploit Price: $0-$5k
CTI Interest Score: 1.88
Affected Version: jishenghua jshERP up to 3.6
Affected Component: /jshERP-boot/plugin/uploadPluginConfigFile
Vulnerability Type: Path Traversal
Attack Vector: Remote
Severity: Critical
Exploit Availability: Available
Vendor Response: No response yet to the issue report

Summary

A critical vulnerability was found in jishenghua jshERP up to 3.6. The vulnerability affects the file in the component. Manipulating the argument leads to path traversal. Remote exploitation is possible, and an exploit is available.

Details

The vulnerability is classified as problematic and affects an unknown function of the file . The manipulation of the argument with an unknown input leads to a path traversal vulnerability. CWE classifies this issue as CWE-22: the product uses external input to construct a pathname that is intended to identify a file or directory, but it does not properly neutralize special elements within the pathname, causing it to resolve to a location outside the restricted directory. This impacts confidentiality.

The advisory is shared at github.com. The exploitability is easy, and it is possible to initiate the attack remotely. Technical details and a public exploit are known. MITRE ATT&CK uses the attack technique T1006 for this issue.