Description
A vulnerability was identified in YunaiV yudao-cloud up to 2026.01. This affects the function getDataBySQL of the file yudao-module-report-biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java. Such manipulation leads to SQL injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw was discovered in the getDataBySQL method of YunaiV yudao-cloud, allowing a remote attacker to inject arbitrary SQL commands. The weakness can lead to unauthorized read, modification or deletion of data, and potentially escalation of privileges within the application. The vulnerability is classified as CWE-74 and CWE-89.

Affected Systems

The flaw affects all releases of YunaiV yudao-cloud up to and including version 2026.01. No exact patch version is listed, so all installations matching that version range are potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate level of severity. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. However, the exploit is publicly available and the vendor has not responded, which raises the likelihood that attackers will target unpatched systems.

Generated by OpenCVE AI on May 3, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade YunaiV yudao-cloud to the most recent release that contains the fix for the getDataBySQL SQL injection.
  • If a patch is not immediately available, restrict the database account used by the application so that it can only read the tables accessed by GoViewDataServiceImpl, thereby limiting the impact of any injection.
  • Modify the application code to use parameterized queries or prepared statements for all SQL statements generated in getDataBySQL, removing dynamic query construction entirely.
  • Configure a web application firewall or intrusion prevention system to detect and block common SQL injection payloads against the affected endpoint.



Advisories

No advisories yet.

History

Sun, 03 May 2026 06:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Yunaiv; Yunaiv yudao-cloud
Vendors & Products | | Yunaiv; Yunaiv yudao-cloud

Sun, 03 May 2026 04:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in YunaiV yudao-cloud up to 2026.01. This affects the function getDataBySQL of the file yudao-module-report-biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | YunaiV yudao-cloud GoViewDataServiceImpl.java getDataBySQL sql injection
Weaknesses | | CWE-74; CWE-89
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T04:00:14.024Z

Reserved: 2026-05-02T08:38:56.933Z

Link: CVE-2026-7678

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-03T05:15:59.030

Modified: 2026-05-03T05:15:59.030

Link: CVE-2026-7678

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T06:00:09Z
