JeecgBoot fixed/patched version: NONE AVAILABLE - CVE-2026-58377 status: Deferred (per NVD/cvefeed.io) - SecAlerts: "No Patch" listed for CVE-2026-58377 - Latest release tag: v3.9.2 (the vulnerable version itself) - master HEAD (32a8dfe) is byte-identical to v3.9.2 for the affected controllers Because there is no patch, the "fixed-version" test reduces to testing the latest release / default branch, which is identical to the vulnerable code. The variant (OpenApiLogController /openapi/record/* and OpenApiPermissionController /openapi/permission/*) is therefore confirmed on the LATEST available code, not merely an old version.