External risk intelligence

JimuReport Aviator Expression Remote Code Execution

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-36418

JimuReport's reporting API has a critical vulnerability allowing remote code execution due to improper handling of Aviator expressions. If reachable, an attacker could execute arbitrary code, potentially leading to system compromise. Confirming its use and exposure is crucial.

Code Injection

Halo Surface Signal

Likely · external exposure

The vulnerability resides in a reporting API endpoint (/jmreport/executeSelectApi) designed for web applications. Such reporting services and their associated API endpoints are commonly deployed as internet-facing components within web applications to facilitate user-accessible data visualization and report generation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in JimuReport software that could allow remote code execution. The issue stems from how the software processes certain expressions, potentially enabling unauthorized access and control if exploited. The primary concern is to confirm if this specific software is in use and exposed.

  • Critical flaw allows remote code execution.
  • Key concern is confirming whether the software is in use.
  • Assess exposure; focus on affected reporting systems.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests to the `/jmreport/executeSelectApi` endpoint. This endpoint is exposed and does not properly validate user input before passing it to the Aviator expression engine. Successful exploitation allows an attacker to execute arbitrary code on the affected system, potentially leading to a complete system compromise.

  • No authentication or user interaction needed.
  • Input passed to expression engine is unchecked.
  • Arbitrary code execution is possible.

Live Threat

Current exploitation, exposure, and threat context

The JimuReport reporting API, specifically the `/jmreport/executeSelectApi` endpoint, is vulnerable to remote code execution. This vulnerability could allow an unauthenticated attacker to execute arbitrary code on the server when they provide specially crafted input to this API.

  • Server-side code execution.
  • Via unauthenticated API input.
  • Potential for unauthorized system control.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability, affecting JimuReport's API endpoint, likely falls under the responsibility of the application or platform team that deploys and manages the reporting service. Their first practical step is to identify all instances of JimuReport, assess their network exposure and business criticality, and then determine the appropriate remediation plan based on risk.

  • Application owners must address the vulnerability.
  • Verify network exposure and business impact.
  • Plan remediation considering maintenance windows.
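The inventory and exposure steps above, together with the detection guidance in the "Live Threat" section, can be started from web server access logs: every request to the `/jmreport/executeSelectApi` endpoint is pulled out and classified by whether its source address lies outside the organisation's internal ranges. The script below is an added example and is not part of this advisory or the JimuReport project; it assumes nginx/Apache combined log format, treats RFC 1918 and loopback ranges as internal, and runs on a constructed sample log embedded in the file. It matches only on the endpoint path and does not attempt to recognise exploit payloads.

```python
"""Exposure triage for CVE-2026-36418 (added example, not vendor code):
find requests to the vulnerable JimuReport endpoint in access logs and
report which ones arrived from outside internal address space."""
import ipaddress
import re
from collections import Counter

# Endpoint named in the advisory.
VULN_PATH = "/jmreport/executeSelectApi"

# Assumption: nginx/Apache "combined" log format. Only the leading fields
# are captured; referrer and user agent are left unparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Ranges treated as "internal" for this triage (RFC 1918 plus loopback).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_external(ip: str) -> bool:
    """True when the address is outside every internal range (or unparseable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # cannot be vouched for, so treat as untrusted
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return the captured fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_endpoint_hits(lines):
    """Collect parsed requests whose path (query string stripped) is the vulnerable endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].split("?", 1)[0] == VULN_PATH:
            rec["external"] = is_external(rec["ip"])
            hits.append(rec)
    return hits


def triage(lines):
    """Summarise hits: totals, per-source counts of external requests, and a verdict."""
    hits = find_endpoint_hits(lines)
    external = [h for h in hits if h["external"]]
    verdict = (
        "endpoint reached from outside internal ranges: treat instance as exposed"
        if external
        else "no external requests to the endpoint in this sample"
    )
    return {
        "total": len(hits),
        "external": len(external),
        "by_ip": dict(Counter(h["ip"] for h in external)),
        "verdict": verdict,
    }


# Constructed sample log (TEST-NET addresses for the external sources).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "POST /jmreport/executeSelectApi HTTP/1.1" 200 512 "-" "curl/8.4"',
    '10.0.0.15 - - [12/Mar/2026:10:01:05 +0000] "GET /jmreport/list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [12/Mar/2026:10:02:10 +0000] "POST /jmreport/executeSelectApi?debug=1 HTTP/1.1" 500 128 "-" "python-requests/2.31"',
    '192.168.1.40 - - [12/Mar/2026:10:03:00 +0000] "POST /jmreport/executeSelectApi HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"hits={result['total']} external={result['external']} {result['by_ip']}")
    print(result["verdict"])
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; an instance whose endpoint shows external hits belongs at the top of the remediation queue, and the per-source counts give incident responders a starting point for reviewing what those clients sent. Adjust `INTERNAL_NETS` to the organisation's own address plan, and remember that a reverse proxy in front of the application will make every request look internal unless the proxy's forwarded-for header is used instead of the socket address.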


Frequently asked questions

What is JimuReport and why is it used?

JimuReport is a reporting tool or component often integrated into web applications to handle data visualization and document generation. Organizations use it to simplify the creation of complex reports, allowing developers to embed analytical dashboards directly into their software platforms for end-users to interact with data.

What does CVE-2026-36418 mean in plain English?

This vulnerability is classified as Improper Control of Generation of Code (CWE-94). It means the software fails to properly sanitize user input before passing it to the Aviator expression engine. Because the engine interprets this input as executable instructions, an attacker can provide specially crafted expressions to run arbitrary commands on the underlying server.

How can an attacker trigger this vulnerability?

An attacker triggers the bug by sending a crafted request to the `/jmreport/executeSelectApi` endpoint. The flaw is triggered solely by submitting malicious input to this API; no prior authentication or user interaction is required before the unauthorized code execution occurs.

Is my system at risk if it uses JimuReport?

Risk depends on your deployment. Halo Surface Signal identifies this reporting API as commonly internet-facing to support public-facing data visualization. If your instance is reachable from the internet, it is at higher risk. Systems tucked behind internal networks may have reduced reachability, but any exposed endpoint using this specific API remains a concern for unauthorized server control.

What should I do first to manage this threat?

Your first step is to perform an inventory to locate all active instances of JimuReport within your environment. Once identified, evaluate the network placement of these reporting services to determine if they are exposed to untrusted traffic. Use this information to prioritize which systems need immediate attention and coordinate with your application teams to plan necessary updates or security configuration changes.