MEDIUM · CVE-2026-4564 · CVSS 4.7

CVE-2026-4564: Code Injection in RuoYi

Platform

java

Component

ruoyi-quartz-rce

Fixed in

4.8.1

4.8.2

4.8.3

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2026-4564 describes a code injection vulnerability discovered in RuoYi, a Java-based platform, affecting versions 4.8.0 through 4.8.2. This flaw allows attackers to potentially execute arbitrary code by manipulating the invokeTarget argument within the /monitor/job/ endpoint, handled by the Quartz Job Handler component. The vulnerability is remotely exploitable and a public proof-of-concept exists, highlighting the urgency of remediation.


Impact and Attack Scenarios

The impact of CVE-2026-4564 is significant due to the potential for remote code execution. An attacker exploiting this vulnerability could gain complete control over the affected RuoYi instance, leading to data breaches, system compromise, and potential lateral movement within the network. The ability to manipulate the invokeTarget argument allows for arbitrary code to be injected and executed, bypassing normal security controls. This vulnerability shares similarities with other injection flaws where improper input validation allows attackers to execute commands on the server.

Exploitation Context

CVE-2026-4564 has been publicly disclosed, and a proof-of-concept exploit is available, indicating a higher probability of exploitation. The vulnerability was reported on 2026-03-22. The vendor was contacted but did not respond, which increases the risk as no official patch is available. The EPSS score is likely to be medium or high given the public disclosure and availability of an exploit.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.05% (16% percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Score: 4.7 MEDIUM
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: Low (risk of service disruption)
nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: ruoyi-quartz-rce
Vendor: yangzongzhuan

Affected range     Fixed in
4.8.0 – 4.8.0      4.8.1
4.8.1 – 4.8.1      4.8.2
4.8.2 – 4.8.2      4.8.3

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 63 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-4564 is to upgrade RuoYi to a patched version. Unfortunately, no specific fixed version is provided in the CVE data. Until a patch is available, consider implementing temporary workarounds such as restricting access to the /monitor/job/ endpoint to trusted users or networks. Web application firewalls (WAFs) can be configured to filter requests containing suspicious patterns in the invokeTarget parameter. Thoroughly review and validate all user inputs to prevent injection attacks. After upgrading, confirm the fix by attempting to access the /monitor/job/ endpoint with a crafted payload and verifying that the request is rejected.

How to fix

Update RuoYi to a version later than 4.8.2. If updating is not possible, review and validate user inputs in the Quartz Job Handler component so that the invokeTarget value cannot be used for code injection.
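The input-validation advice in the Mitigation and Workarounds and How to fix sections can be made concrete as an allowlist check on the invokeTarget value, applied before a job definition is saved and usable for reviewing already-stored job records. The following Python is an added example and not RuoYi's own code. It assumes the invokeTarget grammar `target.method(arg, ...)`, where target is either a registered bean name or a fully qualified class name and the arguments are literal values only (quoted strings, integers, longs such as 2000L, doubles such as 1.5D, booleans). The bean name `ryTask`, the package prefix `com.example.tasks.` and the sample job records are constructed for the example.

```python
"""Allowlist validation for Quartz-style invokeTarget strings.

Added example, not RuoYi project code. Assumes the grammar
    target.method(arg, ...)
with literal-only arguments. Names below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allowlists: only these targets may be scheduled.
ALLOWED_BEANS = frozenset({"ryTask"})            # assumed task bean name
ALLOWED_CLASS_PREFIXES = ("com.example.tasks.",)  # hypothetical package
MAX_LENGTH = 256                                  # reject oversized targets early

_IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
# target (bean or dotted class name), method name, raw argument list
_CALL_RE = re.compile(
    rf"(?P<target>{_IDENT}(?:\.{_IDENT})*)\.(?P<method>{_IDENT})\((?P<args>.*)\)",
    re.S,
)
# Each argument must be a single literal: 'string', 12, 12L, 1.5D, true/false
_ARG_RE = re.compile(r"'[^'\\\r\n]*'|-?\d+[Ll]?|-?\d+\.\d+[Dd]?|true|false")


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def _split_args(raw: str) -> Optional[List[str]]:
    """Split a comma-separated argument list, honouring single-quoted strings.

    Returns None when a quote is left unbalanced.
    """
    args, buf, in_quote = [], [], False
    for ch in raw:
        if ch == "'":
            in_quote = not in_quote
            buf.append(ch)
        elif ch == "," and not in_quote:
            args.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        return None
    if buf or args:  # keep a trailing empty argument so "a," is rejected later
        args.append("".join(buf).strip())
    return args


def check_invoke_target(invoke_target: str) -> Verdict:
    """Accept only allowlisted targets with literal arguments; reject everything else."""
    if len(invoke_target) > MAX_LENGTH:
        return Verdict(False, "invokeTarget exceeds maximum length")
    m = _CALL_RE.fullmatch(invoke_target.strip())
    if not m:
        return Verdict(False, "does not match target.method(args) grammar")
    target, raw_args = m.group("target"), m.group("args")
    if "." in target:
        # Class-name form: the package must be explicitly allowed.
        if not target.startswith(ALLOWED_CLASS_PREFIXES):
            return Verdict(False, f"class {target} is not in an allowed package")
    elif target not in ALLOWED_BEANS:
        return Verdict(False, f"bean {target} is not allowlisted")
    args = _split_args(raw_args)
    if args is None:
        return Verdict(False, "unbalanced quote in argument list")
    for arg in args:
        # Nested calls, field access and expressions all fail the literal check.
        if not _ARG_RE.fullmatch(arg):
            return Verdict(False, f"argument {arg!r} is not a plain literal")
    return Verdict(True, "ok")


# Constructed job records, as they might be exported from the scheduler's job table.
SAMPLE_JOB_RECORDS = [
    {"jobId": 1, "createBy": "admin", "invokeTarget": "ryTask.ryNoParams()"},
    {"jobId": 2, "createBy": "admin", "invokeTarget": "ryTask.ryMultipleParams('ry', true, 2000L, 316.50D, 100)"},
    {"jobId": 3, "createBy": "ops", "invokeTarget": "ryTask.ryParams('x'.toString())"},
]


def audit_job_records(records) -> List[Tuple[int, str]]:
    """Return (jobId, reason) for every stored job whose invokeTarget fails validation."""
    flagged = []
    for rec in records:
        verdict = check_invoke_target(rec["invokeTarget"])
        if not verdict.allowed:
            flagged.append((rec["jobId"], verdict.reason))
    return flagged


if __name__ == "__main__":
    for job_id, reason in audit_job_records(SAMPLE_JOB_RECORDS):
        print(f"job {job_id}: rejected ({reason})")
```

The check is deliberately an allowlist rather than a denylist of dangerous class names: a denylist has to anticipate every gadget, whereas an allowlist only ever admits the beans and packages an operator has chosen to schedule. Running `audit_job_records` over an export of the job table gives a quick way to spot definitions that would not pass the validator after it is deployed.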


Frequently asked questions

What is CVE-2026-4564 — Code Injection in RuoYi?

CVE-2026-4564 is a code injection vulnerability affecting RuoYi versions 4.8.0–4.8.2. It allows attackers to execute arbitrary code by manipulating the invokeTarget argument in the /monitor/job/ endpoint.

Am I affected by CVE-2026-4564 in RuoYi?

You are affected if you are using RuoYi versions 4.8.0 through 4.8.2 and have not yet upgraded to a patched version. The vulnerability is remotely exploitable.

How do I fix CVE-2026-4564 in RuoYi?

Upgrade RuoYi to a patched version. As no fixed version is provided, implement temporary workarounds like restricting access to the /monitor/job/ endpoint or using a WAF.

Is CVE-2026-4564 being actively exploited?

CVE-2026-4564 is publicly disclosed with a proof-of-concept available, suggesting a high probability of active exploitation.

Where can I find the official RuoYi advisory for CVE-2026-4564?

As the vendor did not respond to the disclosure, an official advisory may not be available. Monitor RuoYi's official website and security mailing lists for updates.
