Unrestricted File Upload in RuoYi-Vue by yangzongzhuan
CVE-2026-9374

5.3 MEDIUM

Key Information:

CVE Published: 24 May 2026

What is CVE-2026-9374?

A serious vulnerability exists in the RuoYi-Vue framework due to improper handling in the FileUploadUtils.upload function of the Common Upload Endpoint. Attackers can abuse the upload mechanism to upload unauthorized files. This gives remote attackers the potential to execute malicious code, with severe implications for system security. The vendor was notified about the issue but has not responded, raising concerns about whether the updates needed to mitigate the risk will arrive in a timely manner.

Affected Version(s)

RuoYi-Vue 3.9.0

RuoYi-Vue 3.9.1

RuoYi-Vue 3.9.2

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

feng123123 (VulDB User)
VulDB CNA Team