Cyber Posture

CVE-2025-66913

Critical · Public PoC · RCE

Published: 08 January 2026
Modified: 30 January 2026
KEV Added: not listed
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0075 (73.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66913 is a critical-severity Code Injection (CWE-94) vulnerability in Jeecg JimuReport. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 26.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-10 Information Input Validation (prevent): Directly requires validation of user-controlled H2 JDBC URLs to prevent injection of malicious directives that trigger arbitrary Java code execution.

SI-2 Flaw Remediation (prevent): Mandates timely patching or upgrading of JimuReport to remediate the specific flaw allowing RCE via unvalidated JDBC URLs.

Memory protection (prevent): Implements memory protections to mitigate the impact of arbitrary code execution even if a malicious JDBC URL is processed by the H2 driver.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2025-66913 enables remote unauthenticated RCE in a public-facing web application (JimuReport) via crafted H2 JDBC URLs, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

JimuReport through version 2.1.3 is vulnerable to remote code execution when processing user-controlled H2 JDBC URLs. The application passes the attacker-supplied JDBC URL directly to the H2 driver, allowing the use of certain directives to execute arbitrary Java code. This is a different vulnerability than CVE-2025-10770.

Deeper analysis (AI-generated)

CVE-2025-66913 is a remote code execution vulnerability affecting JimuReport through version 2.1.3. The flaw occurs when the application processes user-controlled H2 JDBC URLs, passing the attacker-supplied URL directly to the H2 driver. This allows the use of specific directives to execute arbitrary Java code. Published on 2026-01-08, the vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-94 (Improper Control of Generation of Code). It is distinct from CVE-2025-10770.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying a specially crafted H2 JDBC URL, the attacker triggers the H2 driver to execute arbitrary Java code on the server, potentially leading to full system compromise with high impacts on confidentiality, integrity, and availability.
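The root cause described above and the SI-10 control recommended earlier both come down to one design rule: a web application should never hand a user-supplied JDBC URL to a driver. The following is an added illustration written for this page; it is not JimuReport's code and not the project's actual fix. It shows the pattern a defender would apply: users select a datasource by name and the URL comes from administrator-owned configuration, with a strict syntactic allowlist as a fallback for deployments that must still accept a raw URL. The class name `DatasourceUrlGuard`, the registry contents, the host names and the allowed-scheme set are all constructed assumptions for the example.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration (not JimuReport's code): two defensive patterns for a
 * report-designer datasource feature that would otherwise pass a
 * user-supplied JDBC URL straight to the driver.
 */
public final class DatasourceUrlGuard {

    // Constructed sample registry: names an administrator configured out-of-band,
    // mapped to the only JDBC URLs the application is ever allowed to open.
    private static final Map<String, String> REGISTERED = Map.of(
            "reports_ro", "jdbc:postgresql://db.internal:5432/reports",
            "warehouse",  "jdbc:mysql://dw.internal:3306/warehouse");

    // Driver schemes permitted when a raw URL must be accepted at all (assumed
    // policy for this example). H2 is deliberately absent: its URL grammar
    // carries ';KEY=VALUE' connection settings that change driver behaviour,
    // which is exactly why an H2 URL must never be user-controlled.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("postgresql", "mysql");

    private DatasourceUrlGuard() {}

    /** Preferred pattern: the user picks a name; the URL comes from configuration. */
    public static String resolve(String datasourceName) {
        String url = REGISTERED.get(datasourceName);
        if (url == null) {
            // Unknown names are refused rather than guessed; log the attempt server-side.
            throw new IllegalArgumentException("unknown datasource: " + datasourceName);
        }
        return url;
    }

    /** Fallback pattern: strict syntactic allowlist for a raw URL string. */
    public static boolean isAcceptable(String jdbcUrl) {
        if (jdbcUrl == null || jdbcUrl.length() > 512) {
            return false;
        }
        String lower = jdbcUrl.toLowerCase(Locale.ROOT);
        if (!lower.startsWith("jdbc:")) {
            return false;
        }
        // Refuse the H2-style settings delimiter, whitespace and control characters outright.
        for (char c : jdbcUrl.toCharArray()) {
            if (c == ';' || Character.isWhitespace(c) || Character.isISOControl(c)) {
                return false;
            }
        }
        // The driver scheme is the token between "jdbc:" and the next ':'.
        int schemeEnd = lower.indexOf(':', "jdbc:".length());
        if (schemeEnd < 0) {
            return false;
        }
        String scheme = lower.substring("jdbc:".length(), schemeEnd);
        return ALLOWED_SCHEMES.contains(scheme);
    }

    public static void main(String[] args) {
        // Name-based lookup: the caller never supplies a URL at all.
        System.out.println(resolve("reports_ro"));
        // Raw-URL checks: an allowlisted scheme, an H2 URL (scheme not allowlisted),
        // and an H2 URL carrying a connection setting (delimiter refused).
        System.out.println(isAcceptable("jdbc:postgresql://db.internal:5432/reports"));
        System.out.println(isAcceptable("jdbc:h2:mem:scratch"));
        System.out.println(isAcceptable("jdbc:h2:mem:scratch;MODE=MySQL"));
    }
}
```

The name-based `resolve` path is the one to prefer: it removes the attacker's control over the URL entirely, so there is no driver-specific directive list to keep current. `isAcceptable` exists only for code that cannot be restructured yet, and its value lies in what it refuses (non-allowlisted schemes and any settings suffix), not in trying to enumerate dangerous H2 options. Either way, the change should ship together with the SI-2 step of upgrading past the affected JimuReport versions.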

Mitigation details are available in the provided references, including a GitHub issue at https://github.com/jeecgboot/jimureport/issues/4306 and a Gist at https://gist.github.com/Catherines77/f15d53e9705b24cf018e5bffed3e8234, which discuss the vulnerability and potential patches or workarounds for affected JimuReport versions.

Details

CWE(s): CWE-94 (Improper Control of Generation of Code)

Affected Products: jeecg jimureport ≤ 2.1.3

CVEs Like This One

CVE-2024-40489 (same vendor: Jeecg)
CVE-2026-1746 (same vendor: Jeecg)
CVE-2026-2822 (same vendor: Jeecg)
CVE-2025-14908 (same vendor: Jeecg)
CVE-2026-35178 (shared CWE-94)
CVE-2024-1490 (shared CWE-94)
CVE-2024-43028 (same vendor: Jeecg)
CVE-2024-7419 (shared CWE-94)
CVE-2025-46581 (shared CWE-94)
CVE-2025-65037 (shared CWE-94)

References