MEDIUM 5.4 Maven

xxl-job Jobs Handler remove function allows improper control of resource identifiers via ID parameter

GHSA-gjx6-h8hm-c9rq · CVE-2025-9264

Published · Modified

Description

A vulnerability was found in Xuxueli xxl-job up to 3.1.1. It affects the function `remove` in the file /src/main/java/com/xxl/job/admin/controller/JobInfoController.java of the Jobs Handler component. Manipulating the argument ID results in improper control of resource identifiers. The attack can be carried out remotely. The exploit has been made public and could be used.
