| शीर्षक | Ruoyi Management System V4.8.1 Code Injection |
|---|
| विवरण | The vulnerability exists in the CacheController at the '/monitor/cache/getnames' endpoint, where the fragment parameter does not adequately sanitize user input. This allows attackers to inject malicious code via carefully crafted Thymeleaf expressions. Although newer versions have implemented blacklist filtering, attackers can still bypass restrictions using specific formats (such as __|$${...}|__::.x) to achieve code execution. |
|---|
| स्रोत | ⚠️ https://github.com/ltranquility/CVE/issues/26 |
|---|
| उपयोगकर्ता | Customer (UID 83474) |
|---|
| सबमिशन | 09/12/2025 10:01 AM (4 महीनों पहले) |
|---|
| संयम | 17/12/2025 09:59 PM (8 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 337047 [y_project RuoYi तक 4.8.1 /monitor/cache/getnames fragment अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|