Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A security vulnerability has been detected in yangzongzhuan RuoYi up to 4.8.2. This issue affects some unknown processing of the file /monitor/job/ of the component Quartz Job Handler. Such manipulation of the argument invokeTarget leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
A code injection vulnerability exists in yangzongzhuan RuoYi versions up to 4.8.2 within the Quartz Job Handler component, specifically in the /monitor/job/ endpoint where the invokeTarget parameter is improperly sanitized. An authenticated attacker with high privileges can remotely inject and execute arbitrary code on the affected system. A proof-of-concept has been publicly disclosed on GitHub (M0onc/RuoYi-Quartz-RCE), and the vendor has not responded to early disclosure notifications, increasing the real-world exploitation risk despite the moderate CVSS score of 4.7.
Technical ContextAI
The vulnerability resides in the Quartz Job Handler component of RuoYi, a Java-based rapid development framework. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating that user-controlled input from the invokeTarget parameter is not properly validated or escaped before being processed by the Quartz scheduling engine. The Quartz scheduler dynamically constructs and executes job invocations based on the invokeTarget value; when this value contains malicious payloads, it bypasses intended execution boundaries and allows arbitrary code execution. The affected component handles job monitoring and scheduling at the /monitor/job/ REST endpoint, which is part of the administrative interface.
RemediationAI
The primary remediation is to upgrade yangzongzhuan RuoYi to a version newer than 4.8.2 once patches become available. However, given the vendor's non-responsiveness, organizations should proactively implement network-level and application-level controls immediately: restrict access to the /monitor/job/ administrative endpoint to trusted IP ranges only, enforce strong authentication and multi-factor authentication for administrative users, implement Web Application Firewall (WAF) rules to detect and block malicious payloads in the invokeTarget parameter (specifically patterns containing code injection attempts), and conduct a security audit of all Quartz job configurations for suspicious or unexpected invokeTarget values. Until vendor patches are released, consider disabling or isolating the job monitoring functionality if operationally feasible. Monitor vendor repositories and security bulletins for eventual patch announcements.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14341
GHSA-g23v-6jmr-rc3m