761 matches found
CVE-2026-58176
RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task FlwTaskController without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global...
CVE-2026-58176
CVE-2026-58176 affects RuoYi-Vue-Plus up to version 5.6.2. The FlwTaskController’s /workflow/task endpoints lacked any class- or method-level authorization, leaving task management actions (updateAssignee, urging tasks, and listing with pageByAllTaskWait/pageByAllTaskFinish) gated only by global ...
CVE-2026-58176
RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task FlwTaskController without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global...
PT-2026-53926
Name of the Vulnerable Software and Affected Versions RuoYi-Vue-Plus versions prior to 5.6.3 Description The software exposes workflow task management endpoints under '/workflow/task' FlwTaskController without proper permission checks. Because the controller lacks class-level or method-level...
CVE-2026-57949
ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this ...
CVE-2026-57950 ruoyi-vue-pro - Incorrect Permission Namespace in ErpSaleOrderController
ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement...
CVE-2026-57949
ruoyi-vue-pro (through 2026.05) contains a missing authorization vulnerability in the CRM module’s GET /admin-api/crm/follow-up-record/get endpoint. The issue allows an authenticated user to read any follow-up record by iterating sequential numeric IDs, exfiltrating follow-up notes, file attachme...
CVE-2026-57949 ruoyi-vue-pro - Missing Authorization in CRM Follow-up Record GET Endpoint
ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this ...
EUVD-2026-40025
A vulnerability was found in YunaiV/zhijiantianya ruoyi-vue-pro up to 2026.04-jdk8-SNAPSHOT. The impacted element is the function generateUploadPath of the file yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java of the component AppFileController File...
CVE-2026-13528 YunaiV/zhijiantianya ruoyi-vue-pro AppFileController File Upload Endpoint FileServiceImpl.java generateUploadPath path traversal
A vulnerability was found in YunaiV/zhijiantianya ruoyi-vue-pro up to 2026.04-jdk8-SNAPSHOT. The impacted element is the function generateUploadPath of the file yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java of the component AppFileController File...
CVE-2026-13528
CVE-2026-13528 affects YunaiV/zhijiantianya ruoyi-vue-pro up to 2026.04-jdk8-SNAPSHOT. The vulnerable element is the function generateUploadPath in FileServiceImpl.java under the AppFileController File Upload Endpoint. A manipulation can cause path traversal, enabling remote exploitation. The exp...
EUVD-2026-36758
RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information...
EUVD-2026-36750
Ruoyi 4.8.2 is vulnerable to Cross Site Scripting XSS at the interface /system/notice/add...
CVE-2026-38812
RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information...
CVE-2026-37216
Ruoyi 4.8.2 is vulnerable to Cross Site Scripting XSS at the interface /system/notice/add...
Exploit for CVE-2026-38812
text CVE ID CVE-2026-38812 PRODUC...
CVE-2026-38812
RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information...
CVE-2026-37216
Ruoyi 4.8.2 is vulnerable to Cross Site Scripting XSS at the interface /system/notice/add...
PT-2026-49290
Name of the Vulnerable Software and Affected Versions Ruoyi version 4.8.2 Description Cross Site Scripting XSS occurs at the '/system/notice/add' endpoint. XSS is a type of security flaw that allows an attacker to inject malicious scripts into web pages viewed by other users. Recommendations At t...
CVE-2026-37216
CVE-2026-37216 affects Ruoyi 4.8.2 with a Cross Site Scripting (XSS) flaw at the interface /system/notice/add. Reported metrics indicate CVSS 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) base score 6.1 (Medium) and a potential impact on confidentiality and integrity (Low) with user interaction requi...