CVE-2026-37216
Received - Intake
Cross Site Scripting (XSS) in Ruoyi 4.8.2

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor          Product   Version / Range
yangzongzhuan   ruoyi     4.8.2
CWE ID: CWE-UNKNOWN
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue in the RuoYi 4.8.2 software, specifically at the /system/notice/add interface.

It occurs because the application improperly sanitizes user input in the notice content field. Although the content is passed through jsoup's Safelist.relaxed(), a policy that permits common formatting tags and strips dangerous elements such as <script> tags and event-handler attributes, malicious scripts can still be injected and stored.

When the stored malicious content is later rendered, the injected scripts can execute, leading to potential security risks.

Impact Analysis

This stored XSS vulnerability can allow attackers to inject malicious scripts into the notice content that will execute in the browsers of users who view the affected notices.

  • Attackers could steal sensitive information such as session cookies or authentication tokens.
  • It could lead to unauthorized actions performed on behalf of the user (session hijacking).
  • It may facilitate phishing attacks or the spread of malware.
  • Overall, it compromises the security and trustworthiness of the affected application.
Detection Guidance

This vulnerability is a stored Cross-Site Scripting (XSS) issue in the /system/notice/add interface of Ruoyi 4.8.2. Detection involves testing the notice content field for improper sanitization by injecting typical XSS payloads and observing if they are executed or stored.

You can use tools like curl or browser-based testing to send payloads to the vulnerable endpoint and check the response or rendered content for script execution.

  • Example curl command to test injection: curl -X POST -d 'noticeContent=<script>alert(1)</script>' http://your-ruoyi-instance/system/notice/add
  • Use a web proxy or browser developer tools to inspect if the injected script is stored and executed when viewing notices.
Mitigation Strategies

Immediate mitigation involves preventing malicious script injection by improving input sanitization on the notice content field.

Since the current sanitization uses Safelist.relaxed(), which still allows a broad set of HTML tags, consider tightening the sanitization rules so that script tags and event handlers are disallowed.

Additionally, apply security best practices such as encoding output when rendering user input and applying Content Security Policy (CSP) headers to reduce the impact of any injected scripts.

If possible, update to a patched version of Ruoyi once available or apply any official patches addressing this issue.
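The following is an added example, not RuoYi's own code, showing how a notice-content policy can be tightened with jsoup: the permissive Safelist.relaxed() the page describes is placed next to a stricter policy, and the intake point validates content against that policy instead of silently stripping it, so tampering attempts can be logged. It assumes jsoup 1.14.1 or later (the Safelist class) on the classpath; the class, method and sample input names are hypothetical.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/** Hypothetical helper for the /system/notice/add handler; not part of RuoYi. */
public final class NoticeContentPolicy {

    /** Constructed sample: formatting a notice legitimately needs, plus markup it never should. */
    static final String SAMPLE =
        "<p>Maintenance window at <b>22:00</b></p>"
        + "<a href=\"https://example.invalid/status\">status page</a>"
        + "<a href=\"javascript:alert(1)\">x</a>"
        + "<img src=\"x\" onerror=\"alert(1)\">"
        + "<script>alert(1)</script>";

    /** Current behaviour per the advisory: relaxed() keeps images, tables, headings and more. */
    static String cleanRelaxed(String html) {
        return Jsoup.clean(html, Safelist.relaxed());
    }

    /**
     * Tightened policy for notices: inline formatting, lists and paragraphs only,
     * links restricted to http/https/mailto, no images, no tables, no headings.
     * basic() already drops script-capable schemes such as javascript:; ftp: is removed here.
     */
    static Safelist noticePolicy() {
        return Safelist.basic()
            .removeProtocols("a", "href", "ftp")
            .addEnforcedAttribute("a", "rel", "noopener noreferrer nofollow");
    }

    /** Sanitize with the tightened policy (defence in depth for already-stored content). */
    static String cleanStrict(String html) {
        return Jsoup.clean(html, noticePolicy());
    }

    /**
     * At intake, prefer rejecting content that does not already conform to the policy:
     * silently stripping hides tampering, whereas a rejection can be logged and alerted on.
     */
    static boolean isAcceptable(String html) {
        return Jsoup.isValid(html, noticePolicy());
    }

    public static void main(String[] args) {
        System.out.println("relaxed  : " + cleanRelaxed(SAMPLE));
        System.out.println("strict   : " + cleanStrict(SAMPLE));
        System.out.println("accepted : " + isAcceptable(SAMPLE));
        System.out.println("accepted : " + isAcceptable("<p>Plain <em>notice</em></p>"));
    }
}
```

Whatever policy is chosen on input, the notice must still be rendered with the template engine's escaping or trusted-HTML mode deliberately selected, and a Content Security Policy limits the damage if a fragment slips through.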

Compliance Impact

The provided information does not specify how the Cross Site Scripting (XSS) vulnerability in Ruoyi 4.8.2 impacts compliance with common standards and regulations such as GDPR or HIPAA.
