Security Vulnerability Statement

    Last update: May 13, 2026

    Overview

    Version history

    2025-10-20: Added the Export/Excel API-based SQL injection vulnerability.

    2025-06-19: Added the security vulnerability in Kafka Clients.

    2025-03-31: Added the arbitrary file read vulnerability for regular users, the HSQL command execution vulnerability, and the arbitrary file read vulnerability via the MySQL JDBC driver.

    2024-11-01: Added the /print/ie/pdf API-based SQL injection vulnerability.

    2024-09-13: Added the common weak password vulnerability.

    2024-08-15: Added the remote command execution vulnerability for authorized users.

    2024-05-08: Added the description of vulnerability fixes from August 2023 to the present.

    2023-08-14: Added the description of how to prevent potential new 0-day vulnerabilities.

    2023-08-11: Added the description of the rumored 0-day vulnerability in the channel API on 2023-08-11.

    2023-08-09: Added the description of the FanRuan deserialization vulnerability bypass and of the high-risk deserialization-based command execution vulnerability.

    2023-08-08: Added the description of vulnerabilities in 2023.

    Application Scenario

    FanRuan no longer maintains FineReport V10.x, 9.x, and 8.x, FineBI V5.x and 4.x, FineDataLink V4.1.x and 4.0.x, and earlier versions of the three products. Contact FanRuan technical support to upgrade your application to FineReport V11.x, FineBI V6.x, or FineDataLink V4.2.x.

    Security hardening is required for FineReport V11.x, FineBI V6.x, and FineDataLink V4.2.x projects. For details, see Product Security Hardening Guide.

    Vulnerability Statement

    Each entry below gives the vulnerability description, the affected versions, and the solution.

    Must-Read

    Potential new 0-day vulnerability

    Affected versions: not applicable (preventive guidance)

    To prevent potential new 0-day vulnerabilities, you can configure your application based on the following references.

    1. Reference: Product Security Hardening Guide

    • Upgrade the FanRuan application to the latest version.

    • Complete all other security configurations.

    2. Reference: Restricting Projects from Being Accessed by IP Address

    You are advised to prioritize solution one, which disables certain APIs related to remote design, SSO, and the old engine.

    Alternatively, you can restrict the IP addresses allowed to access the project based on solutions two or three.

    2025



    Export/Excel API-based SQL injection vulnerability

    Affected versions:

    FineReport V11.5.4 and earlier versions (released on or before 2025-09-29)

    FineBI V7.0.4 and earlier versions (released on or before 2025-09-12)

    FineBI V6.1.7.3 and earlier versions (released on or before 2025-09-29)

    FineBI V6.0.23.2 and earlier versions (released on or before 2025-09-26)

    FineDataLink V5.0.4.2 and earlier versions (released on or before 2025-10-16)

    FineDataLink V4.2.11.2 and earlier versions (released on or before 2025-10-16)

    Vulnerability description: If the project includes the SQLite driver and uses a SQLite data connection, the Export/Excel API is exposed to SQL injection. Both conditions are required, which is why the workaround below removes either the driver or the SQLite data connections.

    You are advised to fix the vulnerability by upgrading the project.

    1. Enable Template Authentication (enabled by default).

    2. Upgrade the project to the following versions. You can refer to Product Security Hardening Guide or contact technical support to obtain the JAR files.

    FineReport V11.5.4 and later versions with JAR files dated on or after 2025-10-20 (V11.5.4 builds released on or before 2025-09-29 remain affected, so check the JAR file date rather than the version number alone)

    FineBI V7.0.5 and later versions (this page gives two release dates for V7.0.5, 2025-10-20 and 2025-11-07; use JAR files dated on or after 2025-11-07 to be safe)

    FineBI V6.1.8 and later versions (released on or after 2025-10-21)

    FineBI V6.0.24 and later versions (released on or after 2025-10-20)

    FineDataLink V4.2.11.3 and later versions (released on or after 2025-10-23)

     

    If you cannot upgrade the project, use one of the following workarounds.

    • For projects not deployed via FineOps:

    1. Enable Template Authentication (enabled by default).

    2. Delete the SQLite-related drivers.

    On the standalone project node, or on each node of a cluster project, go to the WEB-INF/lib directory under webroot, delete the SQLite-related driver JAR files, and restart the project for the change to take effect.

    • For projects deployed via FineOps, or for projects where the drivers cannot be deleted and the project cannot be restarted:

    1. Enable Template Authentication (enabled by default).

    2. Delete the SQLite-related data connections.

    Log in to the FanRuan application as the admin, choose System Management > Data Connection > Data Connection Management, and delete the self-created SQLite data connections as well as the built-in SQLite data connections FRDemo and BI Demo. No project restart is required for the change to take effect.

    Note: Deleting the SQLite drivers or the SQLite data connections will prevent templates that use SQLite data connections from being previewed normally.

    Security vulnerability in Kafka Clients

    Affected versions: FineDataLink V4.2.7.1 and earlier versions

    Upgrade the FineDataLink project to V4.2.7.3 or a later version. You can refer to Product Security Hardening Guide or contact technical support to obtain the JAR files.

    Arbitrary file read vulnerability for regular users

    Affected versions: FineReport V11.0.32 and earlier versions, FineBI V6.0.21 and earlier versions, FineBI V6.1.5 and earlier versions

    Vulnerability description: Any project user can access server files by sending specially crafted requests.

    Upgrade the project to the following versions. You can refer to Product Security Hardening Guide or contact technical support to obtain the JAR files.

    FineReport V11.0.33 and later versions (released on or after 2025-03-31)

    FineBI V6.0.22 and later versions (released on or after 2025-04-17)

    FineBI V6.1.6 and later versions (released on or after 2025-04-30)

    HSQL command execution vulnerability

    Affected versions: FineReport V11.0.32 and earlier versions, FineBI V6.0.21 and earlier versions, FineBI V6.1.5 and earlier versions

    Vulnerability description: Users with remote design permissions can execute commands by sending specially crafted remote design deserialization requests.

    You are advised to fix the vulnerability by upgrading the project.

    Upgrade the project to the following versions. You can refer to Product Security Hardening Guide or contact technical support to obtain the JAR files.

    FineReport V11.0.33 and later versions (released on or after 2025-03-31)

    FineBI V6.0.22 and later versions (released on or after 2025-04-17)

    FineBI V6.1.6 and later versions (released on or after 2025-04-30)

     

    If you cannot upgrade the project, use the following workaround.

    You can disable the channel API for remote design based on solution one in Restricting Projects from Being Accessed by IP Address.

    The rules for this vulnerability are rule=/remote/design/channel and rule0=/remote/design/channel.

    If you do not want to disable the APIs related to SSO and the old engine, delete the rules for those APIs and keep only the two channel rules above. Note that disabling the channel API blocks remote design for all users, not only for those with remote design permissions.

    Arbitrary file read vulnerability via the MySQL JDBC driver

    Affected versions: FineReport V11.0.32 and earlier versions, FineBI V6.0.21 and earlier versions, FineBI V6.1.5 and earlier versions, and FineDataLink V4.2.2.3 and earlier versions.

    Vulnerability description: If the project includes the MySQL driver, users with editing permissions on the data connection can read arbitrary files on the application server via the MySQL JDBC driver.

    You are advised to fix the vulnerability by upgrading the project.

    Upgrade the project to the following versions. You can refer to Product Security Hardening Guide or contact technical support to obtain the JAR files.

    FineReport V11.0.33 and later versions (released on or after 2025-03-31)

    FineBI V6.0.22 and later versions (released on or after 2025-04-17)

    FineBI V6.1.6 and later versions (released on or after 2025-04-30)

    FineDataLink V4.2.2.4 and later versions (released on or after 2025-01-23)


    If you cannot upgrade the project, use the following workaround.

    • First, make sure the project does not use a MySQL external configuration database. If it does, migrate the configuration database to another database first; otherwise, the project cannot be used after the drivers are deleted.

    • Next, make sure the project does not use any MySQL data connections. If it does, migrate the data and reconfigure the connections to use other databases (the original data connection names can be retained); otherwise, data retrieval will fail after the drivers are deleted.

    • Then, on the standalone project node or on each node of a cluster project, go to the WEB-INF/lib directory under webroot, delete the MySQL-related driver JAR files, and restart the project for the change to take effect.

    2024



    FineReport V11 frontend remote code execution (RCE) caused by the /print/ie/pdf API-based SQL injection vulnerability

    Affected versions: FineReport V11.0.29 and earlier versions, FineBI V6.0.20 and earlier versions, FineBI V6.1.3 and earlier versions

    Upgrade the project to the following versions. You can refer to Product Security Hardening Guide or contact technical support to obtain the JAR files.

    FineReport V11.0.30 and later versions (released on or after 2024-11-01)

    FineBI V6.0.21 and later versions (released on or after 2024-11-26)

    FineBI V6.1.4 and later versions (released on or after 2024-12-17)

    Common weak password vulnerability

    Identifier: CNVD-2024-37222

    Affected: projects not deployed via FineOps that still contain the default built-in test users

    Delete the default built-in test users under System Management > User Management on the decision-making platform. If you need to retain these built-in users, manually reset their passwords to strong, unique values.

    User list: Abby, Alice, Ben, Billy, Cherry, demo, eoco, hanwen, Jack, Jenny, Lisa, Mike, sunlin, wangwei, and zhangshan

    Remote command execution vulnerability for authorized users

    Identifier: CNVD-2024-45455

    Affected: projects with the FineVis Data Visualization plugin V2.6.1 to V2.9.0.4 installed

    Upgrade the FineVis Data Visualization plugin to V2.9.11 (released on 2025-08-30) or a later version. For details, see Server Plugin Management.

    FVS directory traversal vulnerability

    Affected: projects with the FineVis Data Visualization plugin V2.7.1 to V2.9.0.2 installed

    Upgrade the FineVis Data Visualization plugin to V2.9.11 (released on 2025-08-30) or a later version. For details, see Server Plugin Management.

    Multiple medium-risk vulnerabilities in FVS

    Affected: projects with the FineVis Data Visualization plugin V2.6.1 to V2.9.0.1 installed

    For FineReport and FineBI projects released on or after 2024-07-23:

    Upgrade the FineVis Data Visualization plugin to V2.9.11 (released on 2025-08-30) or a later version. For details, see Server Plugin Management.

    For FineReport and FineBI projects released before 2024-07-23:

    1. Upgrade the FineReport or FineBI project to a version released on or after 2024-07-23. For details, see Product Security Hardening Guide.

    2. Upgrade the FineVis Data Visualization plugin to V2.9.11 (released on 2025-08-30) or a later version. For details, see Server Plugin Management.

    /view/ReportServer command execution (SQL injection) vulnerability

    Alias: report-engine unauthorized remote code execution

    Identifiers: CNVD-2024-30560, CNVD-2024-33679, CNVD-2024-36533

    Affected versions:

    1. FineReport V11.x and V10.x with JAR files dated before 2024-07-23

    2. All versions of FineBI deployed via FineOps or Tomcat deployment packages with JAR files dated before 2024-07-23

    3. All versions of FineDataLink with JAR files dated before 2024-07-23

    You are advised to fix the vulnerability by upgrading the project.

    Upgrade the project to versions released on or after 2024-07-23. You can refer to Product Security Hardening Guide or contact technical support to obtain the JAR files.

    Note that for projects integrating FineReport and FineBI, upgrading FineBI according to the relevant documents is sufficient: the FineBI JAR files include the FineReport ones, so a separate FineReport upgrade is not required.

    If you cannot upgrade the project, complete both of the following steps; neither step alone is sufficient.

    1. Disable the old engine API based on solution one in Restricting Projects from Being Accessed by IP Address.

    The rules for this vulnerability are rule3=/view/ReportServer and rule4=/view/ReportServer/.

    If you do not want to disable the APIs related to remote design and SSO, delete the rules for those APIs and keep only the two rules above.

    2. Delete sqlite-jdbc-xxx.jar from Project installation directory/webapps/webroot/WEB-INF/lib. (After deletion, SQLite data connections will be unavailable.)

    Restart the project after deleting the driver for the change to take effect.

    For FineReport projects deployed via FineOps, the method for deleting drivers differs slightly from that for traditional deployment.
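    The entries on this page name the endpoints that attackers target (the remote design channel API, the old engine /view/ReportServer API, the /print/ie/pdf API and the Export/Excel API), but give no way to see whether anyone is hitting them. The following is an added example, not FanRuan's own tooling: a detection pass over reverse-proxy access logs that flags requests to those endpoints from addresses outside the trusted networks. It assumes the nginx "combined" log format, that the Export/Excel API can be matched on the fragment /export/excel (an assumption; the page names the API but not its path), and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example for this page, not FanRuan's own tooling: flag requests to the
# endpoints named on this page from addresses outside the trusted networks.
# Assumptions (not stated on the page): nginx "combined" log format, the
# Export/Excel API is matched on "/export/excel", and the sample lines below
# are constructed, not captured from a real deployment.

# sample_access_log: constructed lines, two untrusted sources (198.51.100.7,
# 203.0.113.9) and designer/browser traffic from the trusted 10.20.0.0/16.
sample_access_log() {
    cat <<'EOF'
198.51.100.7 - - [20/Oct/2025:10:01:02 +0800] "POST /webroot/decision/remote/design/channel HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.20.0.5 - - [20/Oct/2025:10:01:05 +0800] "POST /webroot/decision/remote/design/channel HTTP/1.1" 200 512 "-" "FineReport-Designer"
203.0.113.9 - - [20/Oct/2025:10:02:11 +0800] "GET /webroot/decision/view/ReportServer HTTP/1.1" 403 0 "-" "curl/8.0"
10.20.0.8 - - [20/Oct/2025:10:03:00 +0800] "GET /webroot/decision/view/form?viewlet=sales.frm HTTP/1.1" 200 9211 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Oct/2025:10:03:40 +0800] "GET /webroot/decision/view/form?viewlet=sales.frm HTTP/1.1" 200 9211 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2025:10:04:12 +0800] "POST /webroot/decision/print/ie/pdf HTTP/1.1" 500 0 "-" "python-requests/2.31"
EOF
}

# scan_access_log <logfile> <trusted_prefix>...
# Prints "<ip> <status> <path>" for every request to a sensitive endpoint from
# an address that does not start with one of the trusted prefixes. Prefixes are
# plain string prefixes such as "10.20.", not CIDRs, so "10.20." also covers
# "10.200."; use "10.20.0." style prefixes where that matters.
# Returns 1 when anything was flagged, 0 otherwise.
scan_access_log() {
    log=$1; shift
    awk -v trusted="$*" '
    BEGIN {
        n = split(trusted, tp, " ")
        # path fragments from this page; /export/excel is an assumption
        pat = "/remote/design/channel|/view/reportserver|/print/ie/pdf|/export/excel"
        hits = 0
    }
    {
        ip = $1; path = $7; status = $9          # combined format field positions
        if (tolower(path) !~ pat) next
        ok = 0
        for (i = 1; i <= n; i++) if (index(ip, tp[i]) == 1) ok = 1
        if (!ok) { print ip, status, path; hits++ }
    }
    END { exit (hits > 0) }' "$log"
}

# Run against the constructed sample with:  sh scan_fanruan_log.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); sample_access_log > "$tmp"
    scan_access_log "$tmp" 10.20. ; echo "exit status $? (1 = something flagged)"
    rm -f "$tmp"
fi
```

    On the sample, three lines are flagged. The status column is the useful part: a 403 from an untrusted address means the proxy-level restriction held, while a 200 or 500 means the request reached the application and the entry deserves an upgrade check. If nginx sits behind another load balancer, the first field is the balancer's address and the real client must be taken from the X-Forwarded-For header instead.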

    Vulnerabilities fixed from August 2023 to May 2024

    1. Regular users executing commands via the channel API after authentication.

    2. Regular users downloading arbitrary files after authentication.

    3. Admins performing command injection after login.

    Affected versions: FineReport, FineBI, and FineDataLink with JAR files dated before 2024-04

    1. Upgrade the project to versions released in or after 2024-05. You can refer to Product Security Hardening Guide or contact technical support to obtain the JAR files.

    2. If you cannot upgrade the project, configure it according to Restricting Projects from Being Accessed by IP Address.

    2023



    Rumored 0-day vulnerability in the channel API on 2023-08-11

    As of 2023-08-12 10:30, FanRuan has not been notified of any 0-day vulnerability. The authenticity of the claim is questionable.

    Historical issues with the channel API of FanRuan products were fixed in versions released on 2023-07-21. If you are still concerned about potential new issues, refer to the prevention plan in Restricting Projects from Being Accessed by IP Address.

    FanRuan deserialization vulnerability bypass

    Affected versions: FineReport V10, FineReport V11, FineBI V6.0, and FineBI V5.x series with JAR files dated before 2023-07

    1. Upgrade the project to versions released on or after 2023-07-21. You can obtain the product from the official website or through FanRuan technical support.

    2. If you cannot upgrade the project, configure it according to Restricting Projects from Being Accessed by IP Address.

    Vulnerabilities fixed in 2023

    High-risk vulnerabilities: command injection, malicious script upload, remote code execution, and deserialization-based command execution

    Low- and medium-risk vulnerabilities: privilege escalation and third-party component upgrades

    Affected versions: FineReport V10, FineReport V11, FineBI V6.0, and FineBI V5.x series with JAR files dated before 2023-07

    1. Upgrade the project to versions released on or after 2023-07-21. You can contact FanRuan technical support to obtain the product.

    2. Perform security hardening on the project according to Product Security Hardening Guide.

    2022 and Earlier



    Deserialization vulnerability

    Keywords: remote design, channel API, and 0v8s9ouoyo.jar

    Affected versions: FineReport V10.0/11.0 and FineBI V5.1 series with JAR files dated before 2022-08-12

    You can restrict the IP addresses allowed to access the following path through a proxy server or the firewall:

    webroot/decision/remote/design/channel (After restriction, remote design is only allowed from trusted IP addresses; template viewing is unaffected.)
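    The proxy-server form of this restriction, which the Must-Read section and the HSQL and /view/ReportServer entries above also point to, is shown here as an added example; it is not FanRuan's own configuration. The script emits nginx location stanzas that allow the remote design channel API and the old engine API only from trusted networks and leave the rest of the site untouched. It assumes nginx fronts the application, that the channel path is /webroot/decision/remote/design/channel as given on this page and the old engine path is /webroot/decision/view/ReportServer (the page gives only /view/ReportServer, so the prefix is an assumption), and that fanruan_backend is a placeholder upstream name.

```shell
#!/bin/sh
# Added example for this page, not FanRuan's own configuration: generate nginx
# "location" stanzas restricting the sensitive FanRuan endpoints to trusted
# source networks. Assumptions (not stated on the page): nginx fronts the
# application, the /view/ReportServer rule lives under /webroot/decision/, and
# "fanruan_backend" is a placeholder upstream name. IPv4 networks only.

# Paths to restrict; the channel path is the one the page names.
RESTRICTED_PATHS="/webroot/decision/remote/design/channel /webroot/decision/view/ReportServer"

# valid_cidr <cidr>: accept a.b.c.d or a.b.c.d/nn, so a typo such as "all"
# can never turn into "allow all;".
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# render_location <path> <cidr>...: one stanza for one path. With no CIDRs the
# endpoint is closed to everyone, which is the "disable the API" form of solution one.
render_location() {
    path=$1; shift
    printf 'location ^~ %s {\n' "$path"
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
        printf '    allow %s;\n' "$cidr"
    done
    printf '    deny all;\n'
    printf '    proxy_pass http://fanruan_backend;\n'
    printf '}\n'
}

# render_policy <cidr>...: stanzas for every restricted path, then a catch-all
# that proxies the rest of the application unchanged.
render_policy() {
    for p in $RESTRICTED_PATHS; do
        render_location "$p" "$@" || return 1
        printf '\n'
    done
    printf 'location / {\n    proxy_pass http://fanruan_backend;\n}\n'
}

# Usage: render_policy 10.20.0.0/16 192.0.2.10 > /etc/nginx/conf.d/fanruan-restrict.conf
if [ "${1:-}" = "--demo" ]; then render_policy 10.20.0.0/16 192.0.2.10; fi
```

    Two caveats apply to any proxy-level rule. First, nginx evaluates allow and deny against the address it sees, so if another proxy or load balancer sits in front of it, the real client address must be recovered with the real_ip module or every client will share the balancer's address. Second, the rule only helps if the application port itself is reachable exclusively from the proxy; firewall the Tomcat port accordingly, and still apply the upgrade, since a proxy rule is a prefix match on the normalized URI and does not remove the vulnerable code.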

    Remote code execution vulnerability

    Description: The configuration database is modified and driver management is used to execute malicious code. Super admin permissions are required to perform this operation.

    Affected versions: FineReport V11.0, and FineBI V5.1.19 and later versions

    Restore the driver management configuration to its default disabled state and strengthen the admin account password, since the attack requires super admin permissions.

    Arbitrary code execution vulnerability (or rumored frontend arbitrary code execution)

    Keyword: J2V8 engine

    Affected versions: FanRuan applications with JAR files dated before 2022-08-12

    Solution: none listed; the affected range implies upgrading to JAR files dated on or after 2022-08-12.

    Deserialization vulnerability / command injection vulnerability

    Malicious plugin: Timo Test Plugin (plugin-com.fr.plugin.function.timo)

    The vulnerability exists only once the malicious plugin has been uploaded. Check the plugin list for unknown plugins, in particular one with this identifier, and remove any plugin you did not install.

    Deserialization vulnerability

    Fastjson deserialization vulnerability: CNVD-2022-40233

    The product itself is not affected, but the Lark Management plugin is affected if its JAR file is dated before 2022-06-13.

    Upgrade the plugin.

    Getshell vulnerability by file write

    Keyword: SQLite

    Affected versions: FanRuan applications with JAR files dated before 2022-07-04. Exploitation requires super admin permissions.

    Delete the files whose names start with sqlite from FineReport installation directory/webapps/webroot/WEB-INF/lib. (After deletion, SQLite data connections will be unavailable, including FRDemo.)
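    Four entries on this page (this one, the /view/ReportServer entry, the MySQL JDBC entry and the 2025 Export/Excel entry) come down to the same manual step: find the SQLite or MySQL driver JARs in WEB-INF/lib, remove them, and restart. The following is an added example that is not FanRuan's own tooling. It lists the driver JARs and moves them into a backup directory rather than deleting them, so the change can be rolled back if a template or the external configuration database turns out to need the driver. It assumes the lib directory is the one the page names, webroot/WEB-INF/lib, and that driver file names begin with sqlite or mysql (an assumption; match is case-insensitive).

```shell
#!/bin/sh
# Added example for this page, not FanRuan's own tooling: find the SQLite and
# MySQL JDBC driver JARs that the workarounds on this page say to delete, and
# quarantine them into a backup directory so the change can be rolled back.
# Assumptions (not stated on the page): driver JAR names begin with "sqlite"
# or "mysql" (matched case-insensitively) and live in <webroot>/WEB-INF/lib.

# is_driver_jar <jar_path> <prefix>...: true when the file name starts with a prefix.
is_driver_jar() {
    name=$(basename "$1" | tr '[:upper:]' '[:lower:]'); shift
    for prefix in "$@"; do
        case "$name" in "$prefix"*) return 0 ;; esac
    done
    return 1
}

# list_driver_jars <lib_dir> <prefix>...: print matching JARs, one per line.
# Returns 1 when at least one driver JAR is present, 0 when the lib is clean.
list_driver_jars() {
    lib_dir=$1; shift
    hit=0
    for jar in "$lib_dir"/*.jar; do
        [ -e "$jar" ] || continue          # unmatched glob: no JARs at all
        if is_driver_jar "$jar" "$@"; then
            printf '%s\n' "$jar"
            hit=1
        fi
    done
    return "$hit"
}

# quarantine_driver_jars <lib_dir> <backup_dir> <prefix>...: move matching JARs
# out of the lib directory and print how many were moved. The project must be
# restarted afterwards, exactly as the page says for a manual deletion.
quarantine_driver_jars() {
    lib_dir=$1; backup_dir=$2; shift 2
    mkdir -p "$backup_dir"
    moved=0
    for jar in "$lib_dir"/*.jar; do
        [ -e "$jar" ] || continue
        if is_driver_jar "$jar" "$@"; then
            mv "$jar" "$backup_dir"/ && moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Constructed fixture so the example runs offline: a fake webroot holding one
# SQLite driver, one MySQL driver and one unrelated JAR.
demo_audit() {
    root=$(mktemp -d)
    mkdir -p "$root/webroot/WEB-INF/lib"
    for f in sqlite-jdbc-3.36.0.3.jar mysql-connector-java-8.0.28.jar fine-core-11.0.jar; do
        : > "$root/webroot/WEB-INF/lib/$f"
    done
    echo "Driver JARs under $root/webroot/WEB-INF/lib:"
    list_driver_jars "$root/webroot/WEB-INF/lib" sqlite mysql || true
    n=$(quarantine_driver_jars "$root/webroot/WEB-INF/lib" "$root/driver-backup" sqlite mysql)
    echo "Quarantined $n JAR(s) into $root/driver-backup; restart the project to apply."
    rm -rf "$root"
}

# Fixture run:  sh audit_drivers.sh --demo
# Real run:     list_driver_jars /path/to/webroot/WEB-INF/lib sqlite mysql
if [ "${1:-}" = "--demo" ]; then demo_audit; fi
```

    Run list_driver_jars on every node of a cluster, not only the one you happen to be logged in to, and check the order the MySQL entry above insists on: migrate the external configuration database and any MySQL data connections before quarantining the MySQL driver, or the project will not come back up after the restart. Pass only sqlite as the prefix when the entry you are following concerns SQLite alone.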

    Authentication vulnerability

    Emergency Announcement for Mobile Terminals on 2022-06-29

    High-risk vulnerabilities exist in the following plugins: HTML5 Mobile Display and Lark Management

    Upgrade the plugins.

    Remote formula execution vulnerability

    Description: FineReport formulas are invoked remotely, which bypasses the script call restrictions configured in security management.

    Affected versions:

    FineReport with JAR files dated between 2022-02-28 and 2022-07-15

    FineBI with JAR files dated between 2022-03-01 and 2022-07-15 (not compatible with FineReport V10)

    No temporary workaround is provided; upgrade the project. The impact is limited, and the upgrade generally causes no issues.

    Apache Log4j2 security vulnerability

    CVE-2021-44228, the remote code execution vulnerability in Log4j2, does not affect FineReport and FineBI: at the time of the announcement they were still using log4j 1.2.17, which does not contain the JNDI lookup code that CVE-2021-44228 exploits. In addition, the vulnerable class files were removed from FanRuan applications released after 2022-02-17.

    The products are not affected.

    FineReport V10.0 uses log4j 1.2.17.

    FineReport V11.0.2 (released on 2022-01-11) upgraded log4j to V2.17.1.

    FineReport V11.0.7 (released on 2022-08-03) upgraded log4j to V2.18.0.

    Upgrade the following plugins to the listed version or later:

    Elasticsearch Dataset V2.0.5

    Elasticsearch Dataset (Delight Edition) V1.4.4

    File Upload and Download (Delight Edition) V16.2


