PT-2026-1867 · Unknown · Ruoyi-Vue-Plus
Published 2026-01-08 · Updated 2026-01-09
CVE-2025-66916
CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
RuoYi-Vue-Plus versions 5.5.1 and earlier
Description
The snailjob component in RuoYi-Vue-Plus does not filter user input when executing QLExpress expressions through the /snail-job/workflow/check-node-expression API endpoint. This allows attackers to utilize the File class to perform arbitrary file reading and writing operations. The vulnerable parameter is not explicitly identified.
Recommendations
Versions prior to 5.5.1 should be updated.
Exploit
Fix
Code Injection
Weakness Enumeration
Related Identifiers
Affected Products
Ruoyi-Vue-Plus