Yudao Cloud
Monthly
Server-side request forgery in YunaiV yudao-cloud 2026.03 allows an authenticated administrator to make the server issue arbitrary outbound HTTP requests through the IoT data sink creation endpoint. The flaw is in the IotDataSinkHttpConfig function behind /admin-api/iot/data-sink/create, where an attacker-controlled URL is handed to the outbound HTTP client without adequate validation; the usual SSRF consequence is that the sink can be pointed at internal services or cloud metadata addresses that are unreachable from outside. A proof-of-concept exploit is public on GitHub. The CVSS 4.0 base score of 2.0 and the 0.03% EPSS probability reflect the main limiting factor, that the attacker must already hold high-privilege credentials; the issue was not in CISA's KEV catalog, so there was no confirmed active exploitation at time of analysis.
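The check a data sink endpoint like this needs before handing a URL to an HTTP client is shown below as an added example. It is not yudao-cloud's code, and the function names, the allowed scheme set and the name-to-address table are assumptions made for the example: the table stands in for DNS so the block runs offline, with 93.184.216.34 used as a stand-in public address. The validator allowlists schemes, rejects embedded credentials, resolves the host and refuses any result that is loopback, private, link-local, multicast or otherwise non-global, including an IPv4-mapped IPv6 loopback.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption for this example: only plain web schemes are acceptable sink targets.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed name->address table standing in for DNS so the example runs offline.
# "mixed" models a name that resolves to both a public and a private address.
CONSTRUCTED_DNS = {
    "sink.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],
}


def fake_getaddrinfo(host, port, type=socket.SOCK_STREAM):
    """getaddrinfo substitute for the example: IP literals resolve to themselves,
    names come from CONSTRUCTED_DNS, anything else behaves like NXDOMAIN."""
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        if host not in CONSTRUCTED_DNS:
            raise socket.gaierror(f"constructed NXDOMAIN for {host}")
        ips = CONSTRUCTED_DNS[host]
    return [(socket.AF_INET, type, 6, "", (ip, port)) for ip in ips]


def is_internal_address(ip):
    """True for any address an outbound sink request must never reach."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    # is_global is False for loopback, private, link-local (169.254/16, where
    # cloud metadata lives), reserved and documentation ranges; multicast is
    # global by the ipaddress module's rules, so exclude it explicitly.
    return not addr.is_global or addr.is_multicast


def validate_outbound_url(url, resolver=socket.getaddrinfo):
    """Return (True, [resolved ips]) when the URL is safe to fetch, else (False, reason).
    The returned IPs are meant to be pinned: connect to them, not to the name again."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if scheme == "https" else 80
    try:
        infos = resolver(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return False, f"unresolvable host: {exc}"
    ips = sorted({info[4][0] for info in infos})
    # Every address the name resolves to must be public; one private answer is enough to reject.
    for ip in ips:
        if is_internal_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, ips


if __name__ == "__main__":
    for candidate in (
        "https://sink.example.com/ingest",
        "http://metadata.internal/latest/meta-data/",
        "http://127.0.0.1:8080/actuator",
        "http://[::ffff:127.0.0.1]/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", validate_outbound_url(candidate, resolver=fake_getaddrinfo))
```

Two things the validator alone does not cover: the HTTP client must be configured not to follow redirects (or must re-run the check on every hop), and it must connect to the pinned addresses rather than resolving the name a second time, otherwise a name that changes its answer between check and use (DNS rebinding) defeats the resolution step.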
Remote SQL injection in YunaiV yudao-cloud up to version 2026.01 allows unauthenticated attackers to execute arbitrary SQL via the Website parameter of the /admin-api/system/tenant/get-by-website endpoint. The vulnerability has a CVSS base score of 6.9 and public exploit code is available; because neither authentication nor user interaction is required, it permits remote compromise of database confidentiality and integrity. The vendor had not responded to the early disclosure notification. Of the two issues in this report this one merits priority: the endpoint is reachable before login, so every internet-facing deployment is exposed.
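The injection class the advisory describes, and the two things a practitioner does about it, shown as an added example rather than anything taken from yudao-cloud: a tenant lookup built by string concatenation beside the parameterized form, run against a constructed in-memory SQLite table (the table name and columns are an assumption for this example, not the project's schema), plus a small hunt over constructed access-log lines for requests to the affected endpoint whose website value contains SQL metacharacters. The payload used is a generic tautology, not a claim about what the public exploit sends.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

TENANT_ENDPOINT = "/admin-api/system/tenant/get-by-website"

# Constructed rows; schema is hypothetical.
CONSTRUCTED_TENANTS = [
    (1, "Tenant A", "a.example.com"),
    (2, "Tenant B", "b.example.com"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE system_tenant (id INTEGER PRIMARY KEY, name TEXT, website TEXT)")
    conn.executemany("INSERT INTO system_tenant VALUES (?, ?, ?)", CONSTRUCTED_TENANTS)
    conn.commit()
    return conn


def get_tenant_by_website_vulnerable(conn, website):
    """String-built query: the caller's input becomes part of the SQL text."""
    sql = f"SELECT id, name FROM system_tenant WHERE website = '{website}'"
    return conn.execute(sql).fetchall()


def get_tenant_by_website_safe(conn, website):
    """Parameterized query: the input is bound as a value and cannot change the statement."""
    return conn.execute(
        "SELECT id, name FROM system_tenant WHERE website = ?", (website,)
    ).fetchall()


def compare(website):
    """Run both lookups on a fresh database so the difference is visible side by side."""
    conn = build_db()
    return {
        "vulnerable": get_tenant_by_website_vulnerable(conn, website),
        "safe": get_tenant_by_website_safe(conn, website),
    }


# Constructed access-log lines (not real traffic) in a common combined-log shape.
CONSTRUCTED_LOG = """\
203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "GET /admin-api/system/tenant/get-by-website?website=a.example.com HTTP/1.1" 200
203.0.113.9 - - [01/Mar/2026:10:00:07 +0000] "GET /admin-api/system/tenant/get-by-website?website=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200
203.0.113.9 - - [01/Mar/2026:10:00:09 +0000] "GET /admin-api/system/user/page?pageNo=1 HTTP/1.1" 401
"""

# A hostname can never legitimately contain these, so hits on this parameter are high-signal.
SQL_META = re.compile(r"['\";]|--|/\*|\b(?:or|and|union|select|sleep)\b", re.IGNORECASE)


def suspicious_tenant_lookups(log_text):
    """Return (client_ip, decoded website value) for requests to the tenant
    endpoint whose website parameter carries SQL metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path != TENANT_ENDPOINT:
            continue
        for value in parse_qs(parts.query).get("website", []):  # parse_qs URL-decodes
            if SQL_META.search(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    print(compare("a.example.com"))
    print(compare("' OR '1'='1"))
    print(suspicious_tenant_lookups(CONSTRUCTED_LOG))
```

The vulnerable function returns every tenant for the tautology payload while the parameterized one returns nothing, which is the whole fix: in the Java world yudao-cloud lives in, the same distinction is MyBatis `${}` (text substitution) versus `#{}` (a bound parameter). The log hunt is deliberately narrow; it is there to find attempts against this endpoint in existing access logs, not to serve as a WAF rule.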