Description
A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.9.2. Impacted is the function FileUploadUtils.upload of the file /common/upload of the component Common Upload Endpoint. Performing a manipulation results in unrestricted upload. The attack is possible to be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The RuoYi‑Vue application contains a flaw in the FileUploadUtils.upload routine behind /common/upload, which accepts file uploads without proper validation. Because the endpoint accepts any file type and size, an attacker can remotely upload arbitrary files, potentially including executable code. This can lead to privilege escalation, data tampering, or denial of service if the uploaded content is later executed or otherwise misused by the system. The weakness is classified as CWE‑434 (Unrestricted Upload of File with Dangerous Type) and CWE‑284 (Improper Access Control).

Affected Systems

Vendors and products affected include yangzongzhuan RuoYi‑Vue versions up to and including 3.9.2. The vulnerable code resides in the Common Upload Endpoint component and impacts all installations that have not applied newer releases.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. The EPSS score is unavailable, so current exploitation likelihood cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw remotely by issuing a POST request to /common/upload with arbitrary file data. The upload alone does not guarantee code execution, but unrestricted file upload is a significant attack vector wherever the uploaded content can later be fetched or executed by the server.

Generated by OpenCVE AI on May 24, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an available update to RuoYi‑Vue that resolves the upload validation flaw.
  • If an update is not possible, restrict the upload endpoint to allow only a whitelist of safe file types and enforce strict size limits.
  • Implement server‑side file type validation and move uploaded files outside the web root to prevent execution.

Advisories

No advisories yet.

History

Sun, 24 May 2026 11:00:00 +0000

Type | Values removed | Values added
Description | (none) | A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.9.2. Impacted is the function FileUploadUtils.upload of the file /common/upload of the component Common Upload Endpoint. Performing a manipulation results in unrestricted upload. The attack is possible to be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Title | (none) | yangzongzhuan RuoYi-Vue Common Upload Endpoint upload FileUploadUtils.upload unrestricted upload
First Time appeared | (none) | Yangzongzhuan; Yangzongzhuan ruoyi-vue
Weaknesses | (none) | CWE-284; CWE-434
CPEs | (none) | cpe:2.3:a:yangzongzhuan:ruoyi-vue:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Yangzongzhuan; Yangzongzhuan ruoyi-vue
References | (none) | (none)
Metrics | (none) | cvssV2_0: score 6.5, vector AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR
  cvssV3_0: score 6.3, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R
  cvssV3_1: score 6.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R
  cvssV4_0: score 5.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T10:30:10.351Z

Reserved: 2026-05-23T14:15:05.410Z

Link: CVE-2026-9374

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T13:00:12Z

Weaknesses