Description
A vulnerability was found in YunaiV/zhijiantianya ruoyi-vue-pro up to 2026.04-jdk8-SNAPSHOT. The impacted element is the function generateUploadPath of the file yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java of the component AppFileController File Upload Endpoint. Performing a manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 4ae3f6b2c9883978837638c14e3d18419819eeb0. It is recommended to apply a patch to fix this issue. This product is published by multiple vendors.
Published: 2026-06-29
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A file upload handling routine in the ruoyi-vue-pro project contains a path traversal flaw in the generateUploadPath method. An attacker can craft a request that includes directory traversal sequences, causing the application to write or overwrite files in arbitrary locations on the server. Because the upload endpoint is reachable from the internet, such a file write into a privileged location can lead to execution of malicious code, effectively allowing remote code execution.

Affected Systems

The vulnerability affects the ruoyi-vue-pro application maintained by YunaiV and zhijiantianya. Versions up to and including the 2026.04-jdk8-SNAPSHOT release are impacted. The flaw resides specifically in the AppFileController file upload endpoint implemented in FileServiceImpl.java.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability, but the public availability of an exploit and confirmation that remote exploitation is possible raise the practical risk significantly. Although no EPSS data is reported and the flaw is not listed in the CISA KEV catalog, it remains an attractive target because it can be triggered via unauthenticated or minimal-credential file upload requests. The likely attack vector is the exposed upload API, where a malicious payload containing path traversal characters is supplied; the server then stores it in a directory of the attacker's choosing, potentially yielding arbitrary file overwrite or execution.

Generated by OpenCVE AI on June 29, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch that replaced the generateUploadPath implementation (commit 4ae3f6b2c9883978837638c14e3d18419819eeb0).
  • Immediately disable or restrict access to the file upload endpoint until the patch is applied to prevent exploit attempts.
  • Verify that the application disallows directory traversal strings and restricts upload paths to a safe, predetermined directory; configure filesystem permissions to ensure uploads cannot overwrite critical system files.
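As an added illustration of the last recommendation, not code from ruoyi-vue-pro or from the patch commit, the hypothetical Java helper below shows the unchecked root/name join that typifies CWE-22 next to a version that refuses any name able to leave the upload root; the upload root and the sample names are constructed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical hardened upload-path builder; not the project's generateUploadPath. */
public final class SafeUploadPath {

    private SafeUploadPath() {}

    /** Typical CWE-22 anti-pattern: the client-supplied name joins the root unchecked. */
    public static Path unsafeResolve(Path uploadRoot, String clientSuppliedName) {
        return uploadRoot.resolve(clientSuppliedName);
    }

    /**
     * Return root/name, or throw if the name could leave the upload root.
     * All checks run before any filesystem access, so they also cover files
     * that do not exist yet (the normal case for an upload).
     */
    public static Path resolveUploadPath(Path uploadRoot, String clientSuppliedName) {
        String name = clientSuppliedName;
        if (name == null || name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IllegalArgumentException("invalid file name");
        }
        // Reject both separator families and NUL explicitly: on Linux a backslash is an
        // ordinary filename character, so the lexical containment check alone would
        // accept "..\\..\\x" even though the same string traverses on Windows.
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0 || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("separator or NUL in file name");
        }
        // Defence in depth: normalise lexically and require containment in the root.
        // normalize() does not follow symlinks; use toRealPath() on existing entries
        // if the root may contain links that point outside it.
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(name).normalize();
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IllegalArgumentException("path escapes upload root");
        }
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/srv/app/uploads"); // constructed sample root
        String[] samples = { "report.pdf", "../../outside.txt", "..\\..\\outside.txt", "sub/x.txt", ".." };
        for (String s : samples) {
            System.out.println("unsafe : " + s + " -> " + unsafeResolve(root, s).normalize());
            try {
                System.out.println("checked: " + s + " -> " + resolveUploadPath(root, s));
            } catch (IllegalArgumentException e) {
                System.out.println("checked: " + s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running it shows the unchecked join silently normalising "../../outside.txt" to a location above the root, while the checked version rejects every sample except "report.pdf".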

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 03:45:00 +0000

Type: Description
  Values Removed: (empty)
  Values Added: A vulnerability was found in YunaiV/zhijiantianya ruoyi-vue-pro up to 2026.04-jdk8-SNAPSHOT. The impacted element is the function generateUploadPath of the file yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java of the component AppFileController File Upload Endpoint. Performing a manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 4ae3f6b2c9883978837638c14e3d18419819eeb0. It is recommended to apply a patch to fix this issue. This product is published by multiple vendors.

Type: Title
  Values Removed: (empty)
  Values Added: YunaiV/zhijiantianya ruoyi-vue-pro AppFileController File Upload Endpoint FileServiceImpl.java generateUploadPath path traversal

Type: First Time appeared
  Values Removed: (empty)
  Values Added: Yunaiv; Yunaiv ruoyi-vue-pro; Zhijiantianya; Zhijiantianya ruoyi-vue-pro

Type: Weaknesses
  Values Removed: (empty)
  Values Added: CWE-22

Type: CPEs
  Values Removed: (empty)
  Values Added:
    cpe:2.3:a:yunaiv:ruoyi-vue-pro:*:*:*:*:*:*:*:*
    cpe:2.3:a:zhijiantianya:ruoyi-vue-pro:*:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Removed: (empty)
  Values Added: Yunaiv; Yunaiv ruoyi-vue-pro; Zhijiantianya; Zhijiantianya ruoyi-vue-pro

Type: References
  Values Removed: (empty)
  Values Added: (empty)

Type: Metrics
  Values Removed: (empty)
  Values Added:
    cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
    cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
    cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
    cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T02:45:11.922Z

Reserved: 2026-06-28T07:56:37.348Z

Link: CVE-2026-13528

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T04:30:04Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')