Skip to main content

RuoYi-Vue EUVDEUVD-2026-31585

| CVE-2026-9374 MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-24 VulDB GHSA-f863-6qfw-2v78
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 11:40 vuln.today
CVSS changed
May 26, 2026 - 20:07 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)

DescriptionCVE.org

A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.9.2. Impacted is the function FileUploadUtils.upload of the file /common/upload of the component Common Upload Endpoint. Performing a manipulation results in unrestricted upload. The attack is possible to be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Unrestricted file upload in RuoYi-Vue (versions 3.9.0-3.9.2) exposes the FileUploadUtils.upload function at the /common/upload endpoint to arbitrary file upload by authenticated remote attackers, potentially enabling server-side code execution if the uploaded file is accessible and executed by the web server. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) scores 5.3 Medium, reflecting low-privilege authentication as the primary barrier; no compensating controls enforce file-type validation at the endpoint. No public exploit code has been identified and no active exploitation is confirmed, though the vendor did not respond to responsible disclosure, leaving the fix status unresolved.

Technical ContextAI

RuoYi-Vue is a widely-used Chinese open-source enterprise rapid-development framework built on Spring Boot (backend) with a Vue.js frontend, commonly deployed in internal enterprise and government applications. The vulnerability resides in the FileUploadUtils.upload method, which handles file ingestion at the /common/upload HTTP endpoint. CWE-434 (Unrestricted Upload of File with Dangerous Type) identifies the root cause: the server-side handler fails to adequately restrict the types of files accepted, allowing an attacker to upload executable content (e.g., JSP webshells) alongside benign files. The affected CPE is cpe:2.3:a:yangzongzhuan:ruoyi-vue:*:*:*:*:*:*:*:*, covering all variants through version 3.9.2 as confirmed by EUVD data listing 3.9.0, 3.9.1, and 3.9.2 specifically.

RemediationAI

No vendor-released patch has been identified at time of analysis - the vendor did not respond to the responsible disclosure attempt, and no fixed version is confirmed in NVD, EUVD, or VulDB data. Organizations running RuoYi-Vue 3.9.0 through 3.9.2 should apply the following compensating controls: First, enforce server-side file type validation by configuring an allowlist of permitted extensions and MIME types in the application's upload configuration, rejecting any file types that can be executed by the web server (e.g., .jsp, .jspx, .war); this directly addresses CWE-434 but requires code-level changes. Second, store uploaded files outside the web root or in a dedicated directory that is not served as executable content by the application server, preventing direct execution even if a dangerous file is uploaded. Third, restrict access to the /common/upload endpoint via network-layer controls (firewall rules, reverse proxy ACLs) to only trusted internal IP ranges, reducing the network-reachable attack surface noted in AV:N. Monitor the RuoYi-Vue GitHub repository at https://github.com/yangzongzhuan/RuoYi-Vue for any upstream commits addressing this issue and apply patches promptly once available.

Share

EUVD-2026-31585 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy