CVE-2024-57521

CRITICAL

RuoYi < 4.7.9 - SQL Injection via SqlUtil.java createTable Function

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-57521. PoCs published by mrlihd.

AI-analyzed exploit summary This repository contains a functional PoC for CVE-2024-57521, an authenticated SQL injection vulnerability in RuoYi Framework v4.7.9. The exploit leverages a bypass of the SQL keyword filter using `%0b` as a space substitute to execute arbitrary SQL commands.

Description

SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java.

Exploits (1)

nomisec WORKING POC
by mrlihd · poc
https://github.com/mrlihd/CVE-2024-57521-SQL-Injection-PoC

This repository contains a functional PoC for CVE-2024-57521, an authenticated SQL injection vulnerability in RuoYi Framework v4.7.9. The exploit leverages a bypass of the SQL keyword filter using `%0b` as a space substitute to execute arbitrary SQL commands.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: RuoYi Framework ≤ 4.7.9
Auth required
Prerequisites: Administrative access to the RuoYi Framework · Valid JSESSIONID cookie
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 10.0
EPSS 0.0043
EPSS Percentile 63.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
ruoyi/ruoyi < 4.7.9
Published Dec 23, 2025
Tracked Since Feb 18, 2026