PatchSiren cyber security CVE debrief
CVE-2026-38812 RuoYi CVE debrief
CVE-2026-38812 is a SQL Injection vulnerability in RuoYi v4.8.2. The issue exists in the code generation module and is accessible via the /tool/gen/createTable endpoint. An authenticated attacker with administrative privileges may be able to access sensitive database information. For more information, see resourceLinkAnnotations: [cve-org], [nvd], [ref-4].
- Vendor
- RuoYi
- Product
- RuoYi
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of RuoYi v4.8.2, particularly those with administrative privileges, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by a lack of proper input validation in the /tool/gen/createTable endpoint, allowing for SQL injection attacks.
Defensive priority
High
Recommended defensive actions
- Update to a patched version of RuoYi, if available.
- Implement additional security measures, such as input validation and sanitization, to prevent SQL injection attacks.
- Restrict access to the /tool/gen/createTable endpoint to only authorized users.
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide official information about the vulnerability. A source reference [ref-4] is also available on GitHub.
Official resources
-
CVE-2026-38812 CVE record
CVE.org
-
CVE-2026-38812 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-38812 was published on 2026-06-15T20:16:27.103Z and has not been modified since then.