CVE-2026-38812
Deferred Deferred - Pending Action

SQL Injection in RuoYi Code Generation Module

Vulnerability report for CVE-2026-38812, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: MITRE

Description

RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ruoyi ruoyi 4.8.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The SQL injection vulnerability in RuoYi v4.8.2 could allow an authenticated attacker with administrative privileges to access sensitive database information. Unauthorized access to sensitive data may lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over personal and health-related information.

By potentially exposing sensitive data through this vulnerability, organizations using the affected software might face compliance risks, including failure to protect personal data adequately, which is a core requirement of these standards.

Impact Analysis

This vulnerability can lead to unauthorized access, manipulation, or deletion of data within the affected database.

An attacker exploiting this flaw could compromise sensitive information stored in the database, potentially causing data breaches or loss of data integrity.

Executive Summary

CVE-2026-38812 is a SQL injection vulnerability found in RuoYi version 4.8.2. It exists in the /tool/gen/createTable endpoint, which is part of the code generation module.

This vulnerability allows an authenticated attacker with administrative privileges to inject malicious SQL queries into the database.

As a result, the attacker may gain unauthorized access to sensitive database information.

Detection Guidance

The vulnerability exists in the /tool/gen/createTable endpoint of RuoYi v4.8.2 and involves SQL injection. Detection can involve monitoring HTTP requests to this endpoint for suspicious or malformed SQL payloads.

Specific commands or tools to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps are not explicitly detailed in the provided resources.

General best practices include restricting access to the /tool/gen/createTable endpoint to trusted administrators only, applying input validation and sanitization, and monitoring for unusual database activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38812. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart