PT-2026-29101 · Yunaiv · Yudao-Cloud

Narcher +1 · Published 2026-03-30 · Updated 2026-03-31 · CVE-2026-5147

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

YunaiV yudao-cloud versions prior to 2026.01

Description

A security flaw has been discovered in YunaiV yudao-cloud. The issue affects an unknown part of the file /admin-api/system/tenant/get-by-website. Manipulation of the Website argument results in SQL injection. The attack can be launched remotely. The exploit has been publicly released. The vendor was contacted about this disclosure but did not respond.

Recommendations

Versions prior to 2026.01 should be updated. As a temporary workaround, restrict access to the /admin-api/system/tenant/get-by-website endpoint. Avoid using the Website parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

Special Elements Injection

SQL injection

Weakness Enumeration

Related identifiers

CVE-2026-5147

Affected products

Yudao-Cloud