PatchSiren

yangzongzhuan CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM yangzongzhuan CVE published 2026-05-24

CVE-2026-9374

A vulnerability in yangzongzhuan RuoYi-Vue up to version 3.9.2 allows remote attackers to perform unrestricted file uploads via the FileUploadUtils.upload function in the /common/upload endpoint. The vulnerability stems from improper access control (CWE-284) and unrestricted upload of file with dangerous type (CWE-434), enabling attackers to upload potentially malicious files without adequate validation. [truncated]