CVE-2026-9464

CVE-2026-9464 affects YunaiV yudao-cloud 2026.03, specifically the Admin API Endpoint’s /admin-api/iot/data-sink/create IotDataSinkHttpConfig. The vulnerability is server-side request forgery (SSRF) with network-based attack vector and low confidentiality/integrity/availability impact (per CVSS m...

CVE-2026-7679

A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Performing a manipulation results in improper authentication...

CVE-2026-7678

CVE-2026-7678 affects YunaiV yudao-cloud (up to 2026.01). The vulnerability is in GoViewDataServiceImpl.java (yudao-module-report-biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java) where user-controlled input can influence SQL execution, resulting in SQL injection ....

CVE-2026-5148

A weakness has been identified in YunaiV yudao-cloud up to 2026.01. This vulnerability affects unknown code of the file /admin-api/system/mail-log/page. This manipulation of the argument toMail causes sql injection. The attack can be initiated remotely. The exploit has been made available to the...

CVE-2026-5147

A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This affects an unknown part of the file /admin-api/system/tenant/get-by-website. The manipulation of the argument Website results in sql injection. It is possible to launch the attack remotely. The exploit has been released...

CVE-2025-10275 YunaiV yudao-cloud transfer improper authorization

A weakness has been identified in YunaiV yudao-cloud up to 2025.09. This affects an unknown part of the file /crm/business/transfer. Executing manipulation of the argument ids/newOwnerUserId can lead to improper authorization. The attack may be launched remotely. The exploit has been made availab...