CVE-2026-13528

HIGH

YunaiV/zhijiantianya ruoyi-vue-pro AppFileController File Upload Endpoint FileServiceImpl.java generateUploadPath path traversal

Title source: cna
STIX 2.1

Description

A vulnerability was found in YunaiV/zhijiantianya ruoyi-vue-pro up to 2026.04-jdk8-SNAPSHOT. The impacted element is the function generateUploadPath of the file yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java of the component AppFileController File Upload Endpoint. Performing a manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 4ae3f6b2c9883978837638c14e3d18419819eeb0. It is recommended to apply a patch to fix this issue. This product is published by multiple vendors.

References (8)

Core 8
Core References
Vdb Entry, Technical Description vdb-entry technical-description
VDB-374536 | YunaiV/zhijiantianya ruoyi-vue-pro AppFileController File Upload Endpoint FileServiceImpl.java generateUploadPath path traversal
https://vuldb.com/vuln/374536
Signature, Permissions Required signature permissions-required
VDB-374536 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/374536/cti
Third Party Advisory third-party-advisory
CVE-2026-13528 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-13528
Third Party Advisory third-party-advisory
Submit #840617 | YunaiV ruoyi-vue-pro 2026.04-jdk8-SNAPSHOT Arbitrary File Write
https://vuldb.com/submit/840617

Scores

CVSS v3 7.3
EPSS 0.0045
EPSS Percentile 35.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (2)
YunaiV/ruoyi-vue-pro 2026.04-jdk8-SNAPSHOT
zhijiantianya/ruoyi-vue-pro 2026.04-jdk8-SNAPSHOT
Published Jun 29, 2026
Tracked Since Jun 29, 2026