CVE-2026-4564
Received - Intake
Remote Code Injection in RuoYi Quartz Job Handler

Publication date: 2026-03-23

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in yangzongzhuan RuoYi up to 4.8.2. This issue affects some unknown processing of the file /monitor/job/ of the component Quartz Job Handler. Such manipulation of the argument invokeTarget leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-03-23
Last Modified: 2026-04-29
Generated: 2026-05-27
AI Q&A: 2026-03-23
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: yangzongzhuan
Product: ruoyi
Version / Range: to 4.8.2 (inc)
CWE ID: Description
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4564 is a critical Remote Code Execution (RCE) vulnerability in the RuoYi Management System, specifically affecting versions up to 4.8.2. The flaw exists in the Quartz scheduled task management module, accessible via the /monitor/job endpoint.

The vulnerability arises because the system fails to properly sanitize and validate the invokeTarget parameter, which specifies the method to be invoked by a scheduled task. An attacker with administrative credentials can create or edit scheduled tasks with a malicious invokeTarget payload, causing arbitrary code to execute on the server when the task triggers.


How can this vulnerability impact me?

This vulnerability allows an attacker with administrative access to execute arbitrary system commands remotely on the affected server. Possible consequences include:

  • Full system compromise, including access to sensitive data.
  • Potential lateral movement within internal networks.
  • Installation of persistent backdoors, enabling long-term unauthorized access.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of CVE-2026-4564 involves verifying if the RuoYi Management System is running a vulnerable version (4.8.2 or below) and checking for exploitation attempts targeting the Quartz scheduler endpoints.

A Nuclei template has been created to automate detection by simulating login, accessing the job management page, and submitting a crafted scheduled task with a malicious invokeTarget parameter. The template checks for response keywords like "success" or "操作成功" (operation successful) to confirm vulnerability.

To manually detect suspicious activity, monitor HTTP POST requests to the following endpoints:

  • POST /monitor/job/add
  • POST /monitor/job/edit

Look for unusual or unexpected values in the invokeTarget parameter, which may contain malicious expressions.

Suggested commands for detection include using network monitoring tools or web server logs to filter requests:

  • grep -i 'POST /monitor/job' /var/log/nginx/access.log
  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Use the Nuclei scanner with the provided template from https://github.com/M0onc/RuoYi-Quartz-RCE to automate detection.

[1]
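One way to run the log check described above, as an added example that is not part of the original page or the RuoYi project: it narrows the grep to POSTs on the add and edit endpoints and tallies them per client with first and last timestamps. It assumes nginx's combined log format and, as a generalization, also matches the endpoints under a context-path prefix; the function names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise POSTs to the RuoYi job add/edit endpoints per client.
# Assumption: nginx "combined" log format. The sample lines are constructed.

sample_log() {
cat <<'EOF'
203.0.113.7 - - [24/Mar/2026:02:11:09 +0000] "POST /login HTTP/1.1" 200 58 "-" "curl/8.5.0"
203.0.113.7 - - [24/Mar/2026:02:11:10 +0000] "GET /monitor/job HTTP/1.1" 200 9120 "-" "curl/8.5.0"
203.0.113.7 - - [24/Mar/2026:02:11:11 +0000] "POST /monitor/job/add HTTP/1.1" 200 34 "-" "curl/8.5.0"
203.0.113.7 - - [24/Mar/2026:02:11:15 +0000] "POST /monitor/job/edit?x=1 HTTP/1.1" 200 34 "-" "curl/8.5.0"
198.51.100.20 - - [24/Mar/2026:09:30:02 +0000] "POST /monitor/job/list HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.20 - - [24/Mar/2026:09:31:40 +0000] "POST /app/monitor/job/edit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Reads an access log on stdin.
# Prints one line per client: client count first_seen last_seen status_codes
job_write_summary() {
  awk '
    $6 == "\"POST" {
      path = $7
      sub(/\?.*$/, "", path)                 # drop any query string
      if (path !~ /\/monitor\/job\/(add|edit)\/?$/) next
      ts = substr($4, 2)                     # strip the leading "["
      if (!($1 in n)) { first[$1] = ts; order[++k] = $1 }
      n[$1]++; last[$1] = ts
      # collect each distinct HTTP status once per client
      if (index(" " codes[$1] " ", " " $9 " ") == 0)
        codes[$1] = (codes[$1] == "" ? $9 : codes[$1] " " $9)
    }
    END {
      for (i = 1; i <= k; i++) {
        c = order[i]
        gsub(/ /, ",", codes[c])
        print c, n[c], first[c], last[c], codes[c]
      }
    }'
}

# Replace sample_log with: cat /var/log/nginx/access.log
sample_log | job_write_summary
```

Access logs in this format do not record POST bodies, so the summary shows who wrote to the endpoints and when; the invokeTarget values themselves have to be reviewed in the application's scheduled-task list or through request-body logging.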


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps for CVE-2026-4564 include:

  • Upgrade the RuoYi Management System to the latest version beyond 4.8.2 where the vulnerability is fixed.
  • Disable the Quartz scheduled task feature if it is not required in your environment.
  • Implement strict input validation and sanitization on the invokeTarget parameter to prevent code injection.
  • Avoid dynamic method invocation and use parameterized queries where possible.
  • Enforce strong authentication and least privilege access controls to limit administrative access.
  • Enable logging and monitoring to detect suspicious activities related to scheduled task management.
  • Deploy Web Application Firewall (WAF) rules to block malicious requests targeting the vulnerable endpoints.
  • Use network segmentation to isolate the management system from other critical network resources.
