Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.9.2. Impacted is the function FileUploadUtils.upload of the file /common/upload of the component Common Upload Endpoint. Performing a manipulation results in unrestricted upload. The attack is possible to be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Unrestricted file upload in RuoYi-Vue (versions 3.9.0-3.9.2) exposes the FileUploadUtils.upload function at the /common/upload endpoint to arbitrary file upload by authenticated remote attackers, potentially enabling server-side code execution if the uploaded file is accessible and executed by the web server. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) scores 5.3 Medium, reflecting low-privilege authentication as the primary barrier; no compensating controls enforce file-type validation at the endpoint. No public exploit code has been identified and no active exploitation is confirmed, though the vendor did not respond to responsible disclosure, leaving the fix status unresolved.
Technical ContextAI
RuoYi-Vue is a widely-used Chinese open-source enterprise rapid-development framework built on Spring Boot (backend) with a Vue.js frontend, commonly deployed in internal enterprise and government applications. The vulnerability resides in the FileUploadUtils.upload method, which handles file ingestion at the /common/upload HTTP endpoint. CWE-434 (Unrestricted Upload of File with Dangerous Type) identifies the root cause: the server-side handler fails to adequately restrict the types of files accepted, allowing an attacker to upload executable content (e.g., JSP webshells) alongside benign files. The affected CPE is cpe:2.3:a:yangzongzhuan:ruoyi-vue:*:*:*:*:*:*:*:*, covering all variants through version 3.9.2 as confirmed by EUVD data listing 3.9.0, 3.9.1, and 3.9.2 specifically.
RemediationAI
No vendor-released patch has been identified at time of analysis - the vendor did not respond to the responsible disclosure attempt, and no fixed version is confirmed in NVD, EUVD, or VulDB data. Organizations running RuoYi-Vue 3.9.0 through 3.9.2 should apply the following compensating controls: First, enforce server-side file type validation by configuring an allowlist of permitted extensions and MIME types in the application's upload configuration, rejecting any file types that can be executed by the web server (e.g., .jsp, .jspx, .war); this directly addresses CWE-434 but requires code-level changes. Second, store uploaded files outside the web root or in a dedicated directory that is not served as executable content by the application server, preventing direct execution even if a dangerous file is uploaded. Third, restrict access to the /common/upload endpoint via network-layer controls (firewall rules, reverse proxy ACLs) to only trusted internal IP ranges, reducing the network-reachable attack surface noted in AV:N. Monitor the RuoYi-Vue GitHub repository at https://github.com/yangzongzhuan/RuoYi-Vue for any upstream commits addressing this issue and apply patches promptly once available.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31585
GHSA-f863-6qfw-2v78