CVE-2025-60801

Severity CVSS v4.0:

Pending analysis

Type:

CWE-77 Command Injection

Publication date:

24/10/2025

Last modified:

05/11/2025

Description

jshERP up to commit fbda24da was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the jsh_erp function.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N CVSS v3.1 Severity and Metrics:

Base Score: 8.20 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): High
Availability (A): None

Base Score 3.x

8.20

Severity 3.x

HIGH

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:jishenghua:jsherp::::::::		2025-08-14 (excluding)

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://fushuling.com/index.php/2025/08/17/%e7%bb%95%e8%bf%87%e8%a1%a5%e4%b8%81%ef%bc%8c%e5%86%8d%e6%ac%a1%e5%ae%9e%e7%8e%b0%e5%8d%8e%e5%a4%8ferp%e6%9c%aa%e6%8e%88%e6%9d%83rce%e5%b7%b2%e4%bf%ae%e5%a4%8d/
https://github.com/jishenghua/jshERP/issues/132