Ctrl + K
/ news / CVE
CVEPublished 2025-08-21Modified 2025-09-110 articles on news6 live referencesNVD data

CVE-2025-9264Xuxueli · Xxl-job

Vulnerability data via NVD (ingested)

CVSS v3.1
5.4
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
EPSS percentile
18
Exploit Prediction Scoring System · top 82% of all CVEs
Weaknesses (CWE)
CWE-99Improper Control of Resource Identifiers ('Resource Injection')CWE-639Authorization Bypass Through User-Controlled Key
Description

A vulnerability was found in Xuxueli xxl-job up to 3.1.1. Affected by this issue is the function remove of the file /src/main/java/com/xxl/job/admin/controller/JobInfoController.java of the component Jobs Handler. Performing manipulation of the argument ID results in improper control of resource identifiers. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

Timeline
Published 2025-08-21
Modified 2025-09-11

External references

NVDMITREExploit-DBSploitustrickest/cveVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts
vuln:CVE-2025-9264
Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · product
product:"Xuxueli Xxl-job"
All exposed Xuxueli Xxl-job instances — cross-reference with the CVE's affected-version range.
Shodan · banner/body mention
http.html:"Xxl-job"
HTTP body or banner mentions "Xxl-job" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2025-9264
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2025-9264
Censys host search filtered to this CVE id.
grep.app
CVE-2025-9264
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2025-9264
GitHub code search for direct mentions.
Google dork
"CVE-2025-9264" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub (8)

CVE-2025-92648 repos
lintsinghua/DeepAuditPython
DeepAudit:人人拥有的 AI 黑客战队,让漏洞挖掘触手可及。国内首个开源的代码漏洞挖掘多智能体系统。小白一键部署运行,自主协作审计 + 自动化沙箱 PoC 验证。支持 Ollama 私有部署 ,一键生成报告。支持中转站。​让安全不再昂贵,让审计不再复杂。
★ 6,312·updated 2mo ago
Threekiii/Awesome-POCJava
一个漏洞 PoC 知识库。A knowledge base for vulnerability PoCs(Proof of Concept), with 1k+ vulnerabilities.
★ 5,016·updated 4w ago
eeeeeeeeee-code/POCunknown
备份的漏洞库,3月开始我们来维护
★ 2,013·updated 2mo ago
adysec/POCunknown
wy876 POC | wy876的poc仓库已删库,该项目为其仓库镜像
★ 435·updated 1y ago
mudongliang/LinuxFlawC
The vm images in this repo are lost, we recommend our new project: https://github.com/hust-open-atom-club/S2VulnHub
★ 334·updated 1y ago
Zierax/Grafana-Final-ScannerPython
Grafana scanner with all public CVEs that I collected in one script to make grafana testing easier
★ 229·updated 1w ago
DMW11525708/wikiunknown
漏洞文库 wiki.wy876.cn
★ 101·updated 1y ago
maxgfr/awesome-starsunknown
List of repositories that I liked on Github
★ 22·updated 4d ago
We haven't classified any articles referencing CVE-2025-9264 yet. The external references above still apply.