CVE-2026-38812
Received Received - Intake
SQL Injection in RuoYi Code Generation Module

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-06-16
AI Q&A
2026-06-15
EPSS Evaluated
N/A
NVD
CVE-2026-38812
EUVD
EUVD-2026-36758
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ruoyi ruoyi 4.8.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to unauthorized access, manipulation, or deletion of data within the affected database.

An attacker exploiting this flaw could compromise sensitive information stored in the database, potentially causing data breaches or loss of data integrity.

Executive Summary

CVE-2026-38812 is a SQL injection vulnerability found in RuoYi version 4.8.2. It exists in the /tool/gen/createTable endpoint, which is part of the code generation module.

This vulnerability allows an authenticated attacker with administrative privileges to inject malicious SQL queries into the database.

As a result, the attacker may gain unauthorized access to sensitive database information.

Detection Guidance

The vulnerability exists in the /tool/gen/createTable endpoint of RuoYi v4.8.2 and involves SQL injection. Detection can involve monitoring HTTP requests to this endpoint for suspicious or malformed SQL payloads.

Specific commands or tools to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps are not explicitly detailed in the provided resources.

General best practices include restricting access to the /tool/gen/createTable endpoint to trusted administrators only, applying input validation and sanitization, and monitoring for unusual database activity.

Compliance Impact

The SQL injection vulnerability in RuoYi v4.8.2 could allow an authenticated attacker with administrative privileges to access sensitive database information. Unauthorized access to sensitive data may lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over personal and health-related information.

By potentially exposing sensitive data through this vulnerability, organizations using the affected software might face compliance risks, including failure to protect personal data adequately, which is a core requirement of these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38812. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart