
CVE-2026-9374

Medium
CWE-284 (Improper Access Control) — Weakness Type
Published: May 24, 2026  ·  Modified: May 27, 2026  ·  Source: NVD
CVSS v3
6.3
🔗 NVD Official
📄 Description (English)

A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.9.2. Impacted is the function FileUploadUtils.upload of the file /common/upload of the component Common Upload Endpoint. Performing a manipulation results in unrestricted upload. The attack can be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way.

🤖 AI Executive Summary

CVE-2026-9374 is a medium-severity vulnerability (CVSS 3.1 base score 6.3) in RuoYi-Vue up to version 3.9.2: the FileUploadUtils.upload function behind the /common/upload endpoint allows unrestricted file upload. The vector (AV:N, PR:L, UI:N) means a remote attacker who holds a low-privileged account can exploit it without any user interaction. An attacker-controlled file that lands where the server will execute or serve it can lead to remote code execution or full system compromise. The vendor did not respond to the disclosure and no patch is available, which raises the practical risk for organizations running affected versions.


🤖 AI Intelligence Analysis (analyzed May 27, 2026 04:49)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability matters to any Saudi organization running RuoYi-Vue for administrative dashboards or content management, because the affected endpoint is reachable over the network by any low-privileged account. Higher-risk deployments include: (1) banking and SAMA-regulated institutions using RuoYi-Vue for internal portals; (2) government and NCA-regulated entities relying on the framework for administrative systems; (3) healthcare organizations using it for patient data management; (4) telecommunications operators using it for billing and customer management systems. An unrestricted upload that reaches code execution can lead to unauthorized access, data exfiltration and lateral movement from the compromised host.
🏢 Affected Saudi Sectors
Banking and Financial Services; Government and Public Administration; Healthcare; Energy and Utilities; Telecommunications; Education; Retail and E-commerce
⚖️ Saudi Risk Score (AI)
6.8 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory every RuoYi-Vue deployment at version 3.9.2 or earlier across your organization; with no patch published, every deployed version is currently affected
2. Restrict /common/upload at the network or reverse-proxy layer to authorized users and source IPs; the CVSS vector (PR:L) means an attacker needs a low-privileged account, so also review which roles are allowed to reach the endpoint
3. Disable file upload functionality where it is not actively required
4. Review upload logs for suspicious files (executables, scripts such as .jsp/.jspx, archives)

Compensating Controls:
1. Enforce strict file type validation at the application and WAF layer: an allowlist of extensions (for example .pdf, .doc, .xls only), evaluated case-insensitively on the final extension so that report.pdf.jsp, shell.JSP and shell.jsp. are all rejected, and cross-checked against the file's magic bytes rather than the client-supplied Content-Type alone
2. Store uploaded files outside the web root, in a directory the application server never treats as executable content
3. Disable script execution in upload directories via web server configuration (Apache/Nginx), and confirm that the directory the application serves static uploads from is covered
4. Enforce file size limits (e.g. max 10 MB) in the application and at the reverse proxy (client_max_body_size in Nginx)
5. Rename uploaded files to random identifiers and keep the original name only in metadata, so an attacker cannot predict or directly request the stored path
6. Scan all uploaded files with antivirus/malware detection tools before they are made available
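The following is an added example, not code from the RuoYi-Vue project, showing how the compensating controls above combine into one upload gate: a final-extension allowlist that survives double extensions, trailing dots, traversal and NUL bytes; a magic-byte check against the extension; a check that the client-supplied Content-Type agrees; a size cap; and storage under a random name with O_EXCL and no execute bit. The function names (validate_upload, store_upload, is_accepted, demo_store), the allowlist contents and the sample payloads are assumptions for illustration.

```python
# Added example (not RuoYi-Vue project code): an upload gate applying the
# compensating controls listed above. Names such as validate_upload and
# store_upload are hypothetical; the web handler is assumed to pass us the
# multipart filename, the declared Content-Type and the raw bytes.
import os
import pathlib
import secrets
import tempfile

MAX_BYTES = 10 * 1024 * 1024  # 10 MB cap, as in the controls above

# Allowlist keyed by final extension: (magic-byte prefix, expected Content-Type).
# The page lists .pdf/.doc/.xls; the image types are added here only to show a
# multi-type allowlist (the OLE2 .doc/.xls magic is the same for both, which is
# why a real gate needs a deeper parser for those two).
ALLOWED = {
    "pdf": (b"%PDF-", "application/pdf"),
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
}

# Constructed sample payloads (not real files).
SAMPLE_PDF = b"%PDF-1.7\n% constructed sample, not a real document\n"
SAMPLE_SCRIPT = b'<% out.println("constructed non-PDF payload"); %>'


class UploadRejected(ValueError):
    """Raised with a short reason; the caller maps it to an HTTP 4xx."""


def final_extension(filename: str) -> str:
    """Return the lower-cased final extension, rejecting path tricks.

    Covers the usual bypasses: traversal separators, embedded NUL,
    trailing dots/spaces (silently stripped by some filesystems), dotfiles
    such as .htaccess, and double extensions like report.pdf.jsp (only the
    last extension counts).
    """
    if "\x00" in filename or "/" in filename or "\\" in filename:
        raise UploadRejected("path separator or NUL in filename")
    base = filename.strip().rstrip(". ")
    if "." not in base or base.startswith("."):
        raise UploadRejected("missing extension")
    return base.rsplit(".", 1)[1].lower()


def validate_upload(filename: str, declared_type: str, data: bytes) -> str:
    """Apply size, extension, magic-byte and Content-Type checks; return the extension."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = final_extension(filename)
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    magic, expected_type = ALLOWED[ext]
    if not data.startswith(magic):
        raise UploadRejected("content does not match extension")
    # Content-Type is client-controlled, so it must agree with the extension
    # rather than being trusted on its own.
    if declared_type.split(";", 1)[0].strip().lower() != expected_type:
        raise UploadRejected("Content-Type mismatch")
    return ext


def is_accepted(filename: str, declared_type: str, data: bytes) -> bool:
    try:
        validate_upload(filename, declared_type, data)
        return True
    except UploadRejected:
        return False


def store_upload(filename: str, declared_type: str, data: bytes, root) -> str:
    """Validate, then write under a random name with O_EXCL and mode 0640 (no exec)."""
    ext = validate_upload(filename, declared_type, data)
    root = pathlib.Path(root)  # must be outside the web root in a real deployment
    root.mkdir(parents=True, exist_ok=True)
    new_name = f"{secrets.token_hex(16)}.{ext}"
    fd = os.open(root / new_name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return new_name


def demo_store():
    """Store SAMPLE_PDF in a temporary directory standing in for the upload root."""
    root = tempfile.mkdtemp(prefix="uploads-")
    name = store_upload("Quarterly Report.PDF", "application/pdf", SAMPLE_PDF, root)
    return name, os.path.getsize(os.path.join(root, name))


if __name__ == "__main__":
    print(demo_store())
```

The original filename never reaches the filesystem; only the validated extension does, and the stored name is 32 random hex characters, so the path cannot be predicted. Rejections carry a reason for logging, which feeds the detection rules later on this page.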

Patching Guidance:
1. No fix was available from the maintainers at the time of publication (see Quick Facts): raise the issue with the RuoYi-Vue maintainers, and weigh migrating to a supported alternative if no fix appears
2. Monitor the yangzongzhuan/RuoYi-Vue GitHub repository for security patches
3. When a patch is released, test it in a staging environment before production deployment, and re-verify the upload validation end to end rather than relying on the version number alone

Detection Rules:
1. Monitor HTTP POST requests to /common/upload whose filename carries an executable or script extension (.exe, .sh, .jsp, .jspx, .php, .aspx), including as the last part of a double extension
2. Alert when the declared Content-Type does not match the file extension or the file's magic bytes
3. Track 401/403 responses and failed authentication attempts against the upload endpoint
4. Monitor for bursts of uploads from a single IP address or account within a short window
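The following is an added example, not part of the original advisory or the RuoYi-Vue project, that runs the four detection rules above over constructed upload audit events. The JSON-lines event format, the field names (ts, ip, method, path, status, filename, content_type) and the thresholds are assumptions; in practice the events would come from a reverse proxy or application audit log configured to record the multipart filename and declared Content-Type.

```python
# Added example (not RuoYi-Vue project code): the four detection rules above
# applied to constructed audit events. Field names, format and thresholds are
# assumptions for illustration.
import json
from collections import defaultdict, deque

UPLOAD_PATH = "/common/upload"
DANGEROUS_EXT = {"exe", "sh", "jsp", "jspx", "php", "aspx"}  # page list plus .jspx
EXPECTED_TYPE = {  # declared Content-Type expected for each allowed extension
    "pdf": "application/pdf",
    "doc": "application/msword",
    "xls": "application/vnd.ms-excel",
    "png": "image/png",
}
BURST_LIMIT, BURST_WINDOW = 5, 60   # alert at >= 5 uploads from one IP within 60 s
AUTH_FAIL_LIMIT = 3                 # alert at 3 x 401/403 on the upload endpoint

# Constructed sample events, one JSON object per line; ts is seconds.
SAMPLE_LOG = """\
{"ts": 0,   "ip": "10.0.0.5",     "method": "POST", "path": "/common/upload", "status": 200, "filename": "quarterly.pdf", "content_type": "application/pdf"}
{"ts": 20,  "ip": "203.0.113.9",  "method": "POST", "path": "/common/upload", "status": 401, "filename": "", "content_type": ""}
{"ts": 21,  "ip": "203.0.113.9",  "method": "POST", "path": "/common/upload", "status": 401, "filename": "", "content_type": ""}
{"ts": 22,  "ip": "203.0.113.9",  "method": "POST", "path": "/common/upload", "status": 403, "filename": "", "content_type": ""}
{"ts": 25,  "ip": "203.0.113.9",  "method": "POST", "path": "/login",         "status": 401, "filename": "", "content_type": ""}
{"ts": 30,  "ip": "203.0.113.9",  "method": "POST", "path": "/common/upload", "status": 200, "filename": "cmd.jsp", "content_type": "application/octet-stream"}
{"ts": 40,  "ip": "203.0.113.9",  "method": "POST", "path": "/common/upload", "status": 200, "filename": "invoice.pdf", "content_type": "text/html"}
{"ts": 50,  "ip": "10.0.0.5",     "method": "GET",  "path": "/common/upload", "status": 200, "filename": "", "content_type": ""}
{"ts": 100, "ip": "198.51.100.7", "method": "POST", "path": "/common/upload", "status": 200, "filename": "img1.png", "content_type": "image/png"}
{"ts": 102, "ip": "198.51.100.7", "method": "POST", "path": "/common/upload", "status": 200, "filename": "img2.png", "content_type": "image/png"}
{"ts": 104, "ip": "198.51.100.7", "method": "POST", "path": "/common/upload", "status": 200, "filename": "img3.png", "content_type": "image/png"}
{"ts": 106, "ip": "198.51.100.7", "method": "POST", "path": "/common/upload", "status": 200, "filename": "img4.png", "content_type": "image/png"}
{"ts": 108, "ip": "198.51.100.7", "method": "POST", "path": "/common/upload", "status": 200, "filename": "img5.png", "content_type": "image/png"}
"""


def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def final_extension(filename: str) -> str:
    """Lower-cased last extension; trailing dots/spaces are stripped first."""
    base = filename.strip().rstrip(". ").lower()
    return base.rsplit(".", 1)[1] if "." in base else ""


def detect(events: list) -> list:
    """Return (rule, ip, detail) alerts for the four rules in the list above."""
    alerts = []
    recent = defaultdict(deque)    # ip -> timestamps of accepted POSTs in window
    burst_seen = set()             # one burst alert per ip
    auth_failures = defaultdict(int)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["path"] != UPLOAD_PATH:
            continue
        ip = e["ip"]
        # Rule 3: rejected requests against the upload endpoint
        if e["status"] in (401, 403):
            auth_failures[ip] += 1
            if auth_failures[ip] == AUTH_FAIL_LIMIT:
                alerts.append(("auth_failures", ip, f"{AUTH_FAIL_LIMIT} rejected requests"))
            continue
        if e["method"] != "POST":
            continue
        ext = final_extension(e.get("filename", ""))
        declared = e.get("content_type", "").split(";", 1)[0].strip().lower()
        # Rule 1: executable or script extension (last extension, so doubles count)
        if ext in DANGEROUS_EXT:
            alerts.append(("dangerous_extension", ip, e["filename"]))
        # Rule 2: declared Content-Type disagrees with the extension
        if ext in EXPECTED_TYPE and declared != EXPECTED_TYPE[ext]:
            alerts.append(("content_type_mismatch", ip, f"{e['filename']} sent as {declared}"))
        # Rule 4: sliding-window burst of uploads from one ip
        window = recent[ip]
        window.append(e["ts"])
        while window and e["ts"] - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_LIMIT and ip not in burst_seen:
            burst_seen.add(ip)
            alerts.append(("upload_burst", ip, f"{len(window)} uploads within {BURST_WINDOW}s"))
    return alerts


def run_sample() -> list:
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, ip, detail in run_sample():
        print(f"{rule:22} {ip:14} {detail}")
```

On the sample, the benign 10.0.0.5 traffic produces nothing, 203.0.113.9 trips the authentication-failure, dangerous-extension and Content-Type-mismatch rules, and 198.51.100.7 trips the burst rule once on its fifth upload. Rule 2 here only compares the declared type with the extension; the magic-byte comparison belongs in the upload gate itself, since access logs do not carry file contents.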
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
Vulnerabilities Management (inventory and remediate affected RuoYi-Vue instances); Identity and Access Management (restrict who can reach the upload endpoint); Web Application Security (upload and input validation); Cybersecurity Event Logs and Monitoring Management (upload logging and alerting)
🔵 SAMA CSF (expressed as NIST CSF 1.1 subcategories)
ID.AM-2 - Software platforms and applications are inventoried; PR.AC-1 - Identities and credentials are managed; PR.AC-3 - Remote access is managed; DE.CM-1 - The network is monitored to detect potential cybersecurity events; RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
A.5.15 - Access control; A.8.8 - Management of technical vulnerabilities; A.8.15 - Logging; A.8.25 - Secure development life cycle; A.8.28 - Secure coding
🟣 PCI DSS v4.0.1
Requirement 1 - Install and maintain network security controls; Requirement 6.2 - Bespoke and custom software is developed securely; Requirement 6.3 - Security vulnerabilities are identified and addressed; Requirement 10.2 - Audit logs are implemented to support detection of anomalies and suspicious activity
📊 CVSS Score
6.3
/ 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector (AV:N) — Network
Attack Complexity (AC:L) — Low
Privileges Required (PR:L) — Low (an authenticated account is needed)
User Interaction (UI:N) — None
Scope (S:U) — Unchanged
Confidentiality (C:L) — Low
Integrity (I:L) — Low
Availability (A:L) — Low
📋 Quick Facts
Severity: Medium
CVSS Score: 6.3
CWE: CWE-284
EPSS: 0.03%
Exploit: No
Patch: No
Published: 2026-05-24
Source Feed: nvd
🇸🇦 Saudi Risk Score
6.8 / 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-284