Is there a public PoC exploit available for CVE-2025-14856?

Yes, a public proof-of-concept exploit is available for CVE-2025-14856. Prioritise patching immediately. EPSS: 0.1%.

RuoYi CVE-2025-14856

Q: What is the CVSS score of CVE-2025-14856?

CVE-2025-14856 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

LOW

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-12-18 cna@vuldb.com

Information Disclosure Ruoyi

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 29, 2026 - 02:48 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in y_project RuoYi up to 4.8.1. The affected element is an unknown function of the file /monitor/cache/getnames. Such manipulation of the argument fragment leads to code injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

AnalysisAI

Code injection in RuoYi up to version 4.8.1 via the /monitor/cache/getnames endpoint allows authenticated remote attackers to inject arbitrary code through the fragment parameter with low impact to confidentiality, integrity, and availability. The vulnerability requires valid user authentication (PR:L per CVSS 4.0 vector) and has publicly available exploit code, though EPSS scoring at 0.08% percentile (22nd percentile) indicates low real-world exploitation probability despite public disclosure.

Technical ContextAI

RuoYi is a Java-based rapid development framework for administrative systems. The vulnerability resides in the /monitor/cache/getnames endpoint, which fails to properly validate or sanitize the fragment parameter before processing it, leading to code injection (CWE-74: Improper Neutralization of Special Elements used in an Output Command). The attack vector is network-based (AV:N) with low attack complexity (AC:L), meaning the exploitation requires no special network conditions. The CVSS 4.0 vector indicates PR:L (low privilege requirement), meaning the attacker must possess valid user credentials to trigger the vulnerability.

RemediationAI

Upgrade RuoYi to a version beyond 4.8.1 once available from the project maintainers. As no specific patched version is confirmed in the available data, check the RuoYi GitHub repository (y_project/RuoYi) for release notes or security advisories. As an immediate compensating control, restrict network access to the /monitor/cache endpoint to trusted administrative networks using a Web Application Firewall (WAF) or reverse proxy, blocking requests to /monitor/cache/* from untrusted sources. Additionally, enforce strict input validation on the fragment parameter by implementing a whitelist of allowed characters and rejecting any requests containing special characters or code-like syntax. These controls introduce minimal functional impact since the cache monitoring function is typically administrative-only, but verify that legitimate administrative workflows do not depend on passing complex values in the fragment parameter.

CVE-2025-14856 vulnerability details – vuln.today

Back