Description
Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add.
Published: 2026-06-15
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Scripting flaw (CWE‑79) located at the /system/notice/add interface of Ruoyi 4.8.2. An attacker can submit malicious input that contains JavaScript, which the application stores or reflects without proper escaping. When an end‑user views the affected notice, the injected scripts run in the user’s browser, allowing client‑side attacks such as session theft or credential compromise.

Affected Systems

Ruoyi version 4.8.2 is affected. No additional vendors or product versions are identified in the available references.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, while the EPSS score below 1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in CISA KEV, suggesting that no widespread exploitation is known. Exploitation would likely occur through the /system/notice/add endpoint, where user input is not sanitized, allowing an attacker to embed arbitrary JavaScript that executes in the browsers of users who view the compromised notice.

Generated by OpenCVE AI on June 18, 2026 at 07:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ruoyi to a version that addresses the XSS vulnerability, if one has been released.
  • Configure the /system/notice/add endpoint to escape or sanitize all user‑supplied input before storing or rendering it.
  • Apply a content security policy that blocks execution of inline scripts and limits loading of external JavaScript from untrusted origins.

Generated by OpenCVE AI on June 18, 2026 at 07:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in Ruoyi 4.8.2 at /system/notice/add

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in Ruoyi 4.8.2 at /system/notice/add

Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Yangzongzhuan
Yangzongzhuan ruoyi
Vendors & Products Yangzongzhuan
Yangzongzhuan ruoyi

Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add.
References

Subscriptions

Yangzongzhuan Ruoyi
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T17:13:18.435Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37216

cve-icon Vulnrichment

Updated: 2026-06-16T16:55:50.930Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:26.250

Modified: 2026-06-16T19:16:35.847

Link: CVE-2026-37216

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T07:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')