Lucene search
K

761 matches found

NVD
NVD
added 2026/06/30 5:16 p.m.11 views

CVE-2026-58176

RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task FlwTaskController without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global...

7.1CVSS0.00264EPSS
Exploits0References3
CVE
CVE
added 2026/06/30 3:56 p.m.15 views

CVE-2026-58176

CVE-2026-58176 affects RuoYi-Vue-Plus up to version 5.6.2. The FlwTaskController’s /workflow/task endpoints lacked any class- or method-level authorization, leaving task management actions (updateAssignee, urging tasks, and listing with pageByAllTaskWait/pageByAllTaskFinish) gated only by global ...

7.1CVSS5.9AI score0.00264EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/30 3:56 p.m.7 views

CVE-2026-58176

RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task FlwTaskController without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global...

7.1CVSS5.9AI score0.00264EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.10 views

PT-2026-53926

Name of the Vulnerable Software and Affected Versions RuoYi-Vue-Plus versions prior to 5.6.3 Description The software exposes workflow task management endpoints under '/workflow/task' FlwTaskController without proper permission checks. Because the controller lacks class-level or method-level...

7.1CVSS6AI score0.00264EPSS
Exploits0References8
NVD
NVD
added 2026/06/29 6:16 p.m.8 views

CVE-2026-57949

ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this ...

7.1CVSS0.00231EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/29 5:20 p.m.34 views

CVE-2026-57950 ruoyi-vue-pro - Incorrect Permission Namespace in ErpSaleOrderController

ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement...

8.6CVSS0.00294EPSS
Exploits0References3
CVE
CVE
added 2026/06/29 5:19 p.m.15 views

CVE-2026-57949

ruoyi-vue-pro (through 2026.05) contains a missing authorization vulnerability in the CRM module’s GET /admin-api/crm/follow-up-record/get endpoint. The issue allows an authenticated user to read any follow-up record by iterating sequential numeric IDs, exfiltrating follow-up notes, file attachme...

7.1CVSS5.9AI score0.00231EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/29 5:19 p.m.9 views

CVE-2026-57949 ruoyi-vue-pro - Missing Authorization in CRM Follow-up Record GET Endpoint

ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this ...

7.1CVSS5.9AI score0.00231EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/29 2:45 a.m.9 views

EUVD-2026-40025

A vulnerability was found in YunaiV/zhijiantianya ruoyi-vue-pro up to 2026.04-jdk8-SNAPSHOT. The impacted element is the function generateUploadPath of the file yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java of the component AppFileController File...

7.5CVSS6.5AI score0.00447EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/06/29 2:45 a.m.34 views

CVE-2026-13528 YunaiV/zhijiantianya ruoyi-vue-pro AppFileController File Upload Endpoint FileServiceImpl.java generateUploadPath path traversal

A vulnerability was found in YunaiV/zhijiantianya ruoyi-vue-pro up to 2026.04-jdk8-SNAPSHOT. The impacted element is the function generateUploadPath of the file yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java of the component AppFileController File...

7.5CVSS0.00447EPSS
Exploits0References8
CVE
CVE
added 2026/06/29 2:45 a.m.17 views

CVE-2026-13528

CVE-2026-13528 affects YunaiV/zhijiantianya ruoyi-vue-pro up to 2026.04-jdk8-SNAPSHOT. The vulnerable element is the function generateUploadPath in FileServiceImpl.java under the AppFileController File Upload Endpoint. A manipulation can cause path traversal, enabling remote exploitation. The exp...

7.5CVSS6.5AI score0.00447EPSS
Exploits0References8
EUVD
EUVD
added 2026/06/15 9:30 p.m.18 views

EUVD-2026-36758

RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information...

5.8AI score0.00393EPSS
Exploits1References2
EUVD
EUVD
added 2026/06/15 9:30 p.m.11 views

EUVD-2026-36750

Ruoyi 4.8.2 is vulnerable to Cross Site Scripting XSS at the interface /system/notice/add...

5.1AI score0.00181EPSS
Exploits0References2
NVD
NVD
added 2026/06/15 8:16 p.m.13 views

CVE-2026-38812

RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information...

9.8CVSS0.00393EPSS
Exploits1References1
NVD
NVD
added 2026/06/15 8:16 p.m.11 views

CVE-2026-37216

Ruoyi 4.8.2 is vulnerable to Cross Site Scripting XSS at the interface /system/notice/add...

6.1CVSS0.00181EPSS
Exploits0References1
GithubExploit
GithubExploit
added 2026/06/15 1:53 a.m.96 views

Exploit for CVE-2026-38812

text CVE ID CVE-2026-38812 PRODUC...

5.9AI score0.00393EPSS
Exploits1
Cvelist
Cvelist
added 2026/06/15 12:0 a.m.36 views

CVE-2026-38812

RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information...

0.00393EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/15 12:0 a.m.35 views

CVE-2026-37216

Ruoyi 4.8.2 is vulnerable to Cross Site Scripting XSS at the interface /system/notice/add...

0.00181EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.25 views

PT-2026-49290

Name of the Vulnerable Software and Affected Versions Ruoyi version 4.8.2 Description Cross Site Scripting XSS occurs at the '/system/notice/add' endpoint. XSS is a type of security flaw that allows an attacker to inject malicious scripts into web pages viewed by other users. Recommendations At t...

6.1CVSS5.8AI score0.00181EPSS
Exploits0References4
CVE
CVE
added 2026/06/15 12:0 a.m.20 views

CVE-2026-37216

CVE-2026-37216 affects Ruoyi 4.8.2 with a Cross Site Scripting (XSS) flaw at the interface /system/notice/add. Reported metrics indicate CVSS 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) base score 6.1 (Medium) and a potential impact on confidentiality and integrity (Low) with user interaction requi...

6.1CVSS5.2AI score0.00181EPSS
Exploits0References1
Rows per page
Query Builder