Skip to main content

EUVDEUVD-2026-14341

| CVE-2026-4564 LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-03-23 cna@vuldb.com GHSA-g23v-6jmr-rc3m
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.1 (MEDIUM) 2.0 (LOW)
CVSS changed
Apr 24, 2026 - 16:37 NVD
4.7 (MEDIUM) 5.1 (MEDIUM)
EUVD ID Assigned
Mar 23, 2026 - 00:22 euvd
EUVD-2026-14341
Analysis Generated
Mar 23, 2026 - 00:22 vuln.today
CVE Published
Mar 23, 2026 - 00:16 nvd
MEDIUM 4.7

DescriptionCVE.org

A security vulnerability has been detected in yangzongzhuan RuoYi up to 4.8.2. This issue affects some unknown processing of the file /monitor/job/ of the component Quartz Job Handler. Such manipulation of the argument invokeTarget leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

A code injection vulnerability exists in yangzongzhuan RuoYi versions up to 4.8.2 within the Quartz Job Handler component, specifically in the /monitor/job/ endpoint where the invokeTarget parameter is improperly sanitized. An authenticated attacker with high privileges can remotely inject and execute arbitrary code on the affected system. A proof-of-concept has been publicly disclosed on GitHub (M0onc/RuoYi-Quartz-RCE), and the vendor has not responded to early disclosure notifications, increasing the real-world exploitation risk despite the moderate CVSS score of 4.7.

Technical ContextAI

The vulnerability resides in the Quartz Job Handler component of RuoYi, a Java-based rapid development framework. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating that user-controlled input from the invokeTarget parameter is not properly validated or escaped before being processed by the Quartz scheduling engine. The Quartz scheduler dynamically constructs and executes job invocations based on the invokeTarget value; when this value contains malicious payloads, it bypasses intended execution boundaries and allows arbitrary code execution. The affected component handles job monitoring and scheduling at the /monitor/job/ REST endpoint, which is part of the administrative interface.

RemediationAI

The primary remediation is to upgrade yangzongzhuan RuoYi to a version newer than 4.8.2 once patches become available. However, given the vendor's non-responsiveness, organizations should proactively implement network-level and application-level controls immediately: restrict access to the /monitor/job/ administrative endpoint to trusted IP ranges only, enforce strong authentication and multi-factor authentication for administrative users, implement Web Application Firewall (WAF) rules to detect and block malicious payloads in the invokeTarget parameter (specifically patterns containing code injection attempts), and conduct a security audit of all Quartz job configurations for suspicious or unexpected invokeTarget values. Until vendor patches are released, consider disabling or isolating the job monitoring functionality if operationally feasible. Monitor vendor repositories and security bulletins for eventual patch announcements.

Share

EUVD-2026-14341 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy