Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible unauthenticated upload endpoint, no interaction needed; all impact metrics Low as traversal enables bounded file read/write without full system compromise.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was found in YunaiV/zhijiantianya ruoyi-vue-pro up to 2026.04-jdk8-SNAPSHOT. The impacted element is the function generateUploadPath of the file yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java of the component AppFileController File Upload Endpoint. Performing a manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 4ae3f6b2c9883978837638c14e3d18419819eeb0. It is recommended to apply a patch to fix this issue. This product is published by multiple vendors.
AnalysisAI
Path traversal in the ruoyi-vue-pro file upload endpoint exposes unauthenticated remote attackers to arbitrary file read and write operations via the generateUploadPath function in FileServiceImpl.java. All versions up to 2026.04-jdk8-SNAPSHOT are confirmed affected across both the YunaiV (GitHub) and zhijiantianya (Gitee) vendor distributions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special configuration is required - the CVSS 4.0 vector (AC:L/AT:N/PR:N/UI:N) confirms exploitation against default configurations of the ruoyi-vue-pro `AppFileController` file upload endpoint with no authentication and no user interaction. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a maximally accessible attack surface: network-reachable, low complexity, no authentication, no user interaction, no special attack requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP POST request to the `AppFileController` file upload endpoint, embedding path traversal sequences such as `../../sensitive/config` within the filename or path parameter. The `generateUploadPath` function processes this input without sanitization, resolving the traversal and either writing attacker-controlled content to an arbitrary filesystem location or enabling access to files outside the intended upload directory. … |
| Remediation | Apply the vendor-released patch commit `4ae3f6b2c9883978837638c14e3d18419819eeb0` available on Gitee at https://gitee.com/zhijiantianya/ruoyi-vue-pro/commit/4ae3f6b2c9883978837638c14e3d18419819eeb0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
Java Runtime Environment 7 Update 21 and earlier allows remote attackers to escape the Java sandbox and execute arbitrar
A vulnerability, which was classified as critical, was found in spider-flow 0.4.3. Rated medium severity (CVSS 6.3), thi
Cisco Secure Firewall Management Center (FMC) contains a critical unauthenticated Java deserialization vulnerability (CV
Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers t
Remote unauthenticated code execution in SAP NetWeaver Application Server Java (pre-7.3) through the Invoker Servlet all
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a r
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40025
GHSA-6q7h-qg7r-3g9c