Skip to main content

Ruoyi Vue

2 CVEs product

Monthly

CVE-2026-9374 MEDIUM This Month

Unrestricted file upload in RuoYi-Vue (versions 3.9.0-3.9.2) exposes the FileUploadUtils.upload function at the /common/upload endpoint to arbitrary file upload by authenticated remote attackers, potentially enabling server-side code execution if the uploaded file is accessible and executed by the web server. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) scores 5.3 Medium, reflecting low-privilege authentication as the primary barrier; no compensating controls enforce file-type validation at the endpoint. No public exploit code has been identified and no active exploitation is confirmed, though the vendor did not respond to responsible disclosure, leaving the fix status unresolved.

File Upload Ruoyi Vue
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-4537 LOW Monitor

A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.8.9 and classified as problematic. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Ruoyi Vue
NVD VulDB
CVSS 4.0
2.3
EPSS
0.1%
EPSS 0% CVSS 5.3
MEDIUM This Month

Unrestricted file upload in RuoYi-Vue (versions 3.9.0-3.9.2) exposes the FileUploadUtils.upload function at the /common/upload endpoint to arbitrary file upload by authenticated remote attackers, potentially enabling server-side code execution if the uploaded file is accessible and executed by the web server. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) scores 5.3 Medium, reflecting low-privilege authentication as the primary barrier; no compensating controls enforce file-type validation at the endpoint. No public exploit code has been identified and no active exploitation is confirmed, though the vendor did not respond to responsible disclosure, leaving the fix status unresolved.

File Upload Ruoyi Vue
NVD VulDB
EPSS 0% CVSS 2.3
LOW Monitor

A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.8.9 and classified as problematic. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Ruoyi Vue
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy