An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads.
https://gitee.com/jishenghua/JSH_ERP
https://gist.github.com/Paxsizy/a40334ffa7f05c42bf0348833f830108