ByteOS Network

RuoYi-Vue

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-9374

Assigner-VulDB

View Details

Assigner-VulDB

CVSS Score-5.3||MEDIUM

EPSS-Not Assigned

Published-24 May, 2026 | 10:30

Updated-24 May, 2026 | 10:30

yangzongzhuan RuoYi-Vue Common Upload Endpoint upload FileUploadUtils.upload unrestricted upload

A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.9.2. Impacted is the function FileUploadUtils.upload of the file /common/upload of the component Common Upload Endpoint. Performing a manipulation results in unrestricted upload. The attack is possible to be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Vendor-yangzongzhuan

Product-RuoYi-Vue

CWE ID-CWE-284

Improper Access Control

CWE ID-CWE-434

Unrestricted Upload of File with Dangerous Type

CVE-2025-4537

Assigner-VulDB

View Details

Assigner-VulDB

CVSS Score-2.3||LOW

EPSS-0.11% / 29.44%

7 Day CHG~0.00%

Published-11 May, 2025 | 09:31

Updated-08 Jul, 2025 | 17:01

yangzongzhuan RuoYi-Vue Password login.vue sensitive information in a cookie

A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.8.9 and classified as problematic. Affected by this issue is some unknown functionality of the file ruoyi-ui/jsencrypt.js and ruoyi-ui/login.vue of the component Password Handler. The manipulation leads to cleartext storage of sensitive information in a cookie. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

Vendor-yangzongzhuan Ruoyi

Product-ruoyi-vue RuoYi-Vue

CWE ID-CWE-312

Cleartext Storage of Sensitive Information

CWE ID-CWE-315

Cleartext Storage of Sensitive Information in a Cookie