CVE-2026-7678
Deferred Deferred - Pending Action
SQL Injection in YunaiV yudao-cloud

Publication date: 2026-05-03

Last updated on: 2026-05-05

Assigner: VulDB

Description
A vulnerability was identified in YunaiV yudao-cloud up to 2026.01. This affects the function getDataBySQL of the file yudao-module-report-biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-03
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7678
EUVD
EUVD-2026-26813
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yunai vudao-cloud to 2026.01 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to unauthorized data access, data manipulation, or even complete compromise of the database.

Attackers can exploit this flaw to extract sensitive information, modify records, or perform denial-of-service attacks against the affected system.

Since the attack can be launched remotely by authenticated users with specific permissions, it poses a significant risk to the confidentiality, integrity, and availability of the data.

Detection Guidance

This vulnerability exists in the getDataBySQL method of the GoViewDataServiceImpl.java file in the yudao-cloud project, where raw SQL queries are executed without proper validation. Detection involves identifying if the vulnerable endpoint is accessible and if the report:go-view-data:get-by-sql permission is granted to users.

To detect exploitation attempts or presence of this vulnerability, you can monitor network traffic or application logs for suspicious SQL queries or unusual access patterns to the affected endpoint.

  • Check for access to the vulnerable endpoint that executes raw SQL queries.
  • Look for SQL injection patterns in logs, such as tautologies, UNION statements, or unexpected SQL keywords.
  • Use commands like grep or log analysis tools to search application logs for suspicious SQL inputs.
  • Example command to search logs for suspicious SQL keywords: grep -iE "(union|select|insert|update|delete|drop|--|#)" /path/to/application/logs/*
  • If possible, use network monitoring tools to capture and analyze traffic to the vulnerable service for anomalous SQL payloads.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint and limiting permissions to only trusted users.

Since the vulnerability arises from executing raw SQL queries without parameterization, it is recommended to implement parameterized queries or whitelist-based validation of SQL statements.

If a patch or update is not yet available from the vendor, consider removing or disabling the vulnerable endpoint entirely to prevent exploitation.

  • Restrict or disable access to the getDataBySQL function or the affected endpoint.
  • Limit the report:go-view-data:get-by-sql permission to only trusted and necessary users.
  • Implement input validation and parameterized queries in the code to prevent SQL injection.
  • Monitor logs and network traffic for exploitation attempts.
Compliance Impact

The SQL injection vulnerability in YunaiV yudao-cloud allows authenticated users to execute arbitrary SQL commands, potentially leading to unauthorized access, manipulation, or compromise of sensitive data.

Such unauthorized data access and manipulation can result in violations of data protection regulations and standards like GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized disclosure or alteration.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to potential data breaches or improper handling of protected data.

Executive Summary

CVE-2026-7678 is a high-severity SQL injection vulnerability found in the YunaiV yudao-cloud project, specifically in the GoView component's getDataBySQL method within the GoViewDataServiceImpl.java file.

The vulnerability arises because this method executes user-provided SQL queries directly without proper parameterization or input validation, only checking that the input is non-empty.

This flaw allows authenticated users with the report:go-view-data:get-by-sql permission to inject malicious SQL code remotely.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7678. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart