CVE-2026-37216
Description
Ruoyi 4.8.2 stored XSS in notice module allows attackers with add permission to inject JS, leading to privilege escalation via CSRF.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Ruoyi versions 4.8.2 and 4.8.3 suffer from a stored Cross-Site Scripting (XSS) vulnerability in the notice module (/system/notice/add). The application disables XSS filtering for /system/notice/* in application.yml (line 144) to allow Summernote rich text editing, but does not sanitize submitted HTML. Additionally, the frontend uses th:utext to render the content directly, enabling injection of arbitrary JavaScript. An attacker must have the system:notice:add permission.
Exploitation
An authenticated user with the required permission can create a notice containing malicious JavaScript (e.g., via an `<img>` tag with an `onerror` handler). Any user who views the notice will execute the script in their browser. Because CSRF protection is disabled (`csrf.enabled: false`), the injected script can perform authenticated requests to the application, such as creating a new administrator account via the `/system/user/add` endpoint.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of any user viewing the crafted notice. This can lead to full compromise of the application, including privilege escalation, data theft, and persistent backdoor creation. In the published proof of concept, a new admin account `backdoor_admin` is silently created when an administrator views the notice.
Mitigation
No official fix has been released for this vulnerability as of the publication date. Workarounds include re-enabling the XSS filter for the notice endpoint by removing the exclusion in application.yml, or implementing server-side HTML sanitization (e.g., using Jsoup). Users should review their deployment's CSRF settings and consider enabling CSRF protection. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog. [1]
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
Root cause
"The server stores notice content without HTML sanitization and renders it with th:utext, allowing stored XSS."
Attack vector
An attacker with `system:notice:add` privilege injects malicious JavaScript into the notice content field. Because the XSS filter excludes `/system/notice/*` (to allow Summernote rich-text input) and the server performs no HTML sanitization, the payload is stored verbatim. Any user who views the notice executes the script in their browser. Since CSRF protection is disabled (`csrf.enabled: false`), the injected script can silently call administrative APIs (e.g., creating a backdoor admin account) in the same origin. [ref_id=1]
Affected code
The vulnerability affects the notice module at `/system/notice/*`. The file `application.yml` (line 144) excludes this path from the XSS filter. The controller `SysNoticeController.java` (lines 75–83) stores notice content without HTML sanitization, and the template `view.html` (lines 46–49) renders it using `th:utext`, which outputs raw HTML. [ref_id=1]
What the fix does
The advisory recommends sanitizing `noticeContent` with Jsoup's `Safelist.relaxed()` before storing it in `SysNoticeController.addSave` and `editSave`. This allows common formatting tags (bold, italic, lists, images) but strips dangerous elements like `<script>` tags and event handlers (`onerror`, `onclick`, etc.). The XSS filter exclusion for `/system/notice/*` can remain because the server-side sanitization provides the necessary protection. [ref_id=1]
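The sanitization step the advisory recommends, written out as an added example (this is not RuoYi's code and the class and method names are hypothetical). It wraps Jsoup's `Safelist.relaxed()` in a helper that `SysNoticeController.addSave` and `editSave` could call on `noticeContent` before persisting it, and adds a conformance check that returns false whenever submitted markup would be altered, which is a useful thing to log since only privileged users can reach this endpoint. The sample inputs are constructed; the first is the reproduction payload from this advisory.

```java
// Added example, not RuoYi's own code. Requires org.jsoup:jsoup (1.14.1 or
// later, where Safelist replaced the older Whitelist class).
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

public class NoticeSanitizer {

    // Safelist.relaxed() keeps common formatting (p, b, i, em, strong, headings,
    // ul/ol/li, tables, blockquote, pre/code, a with http/https/mailto href,
    // img with http/https src). It has no entry for <script>, <iframe>, <style>
    // or any on* event-handler attribute, so those are dropped on clean().
    private static final Safelist NOTICE_SAFELIST = Safelist.relaxed();

    /** Returns notice HTML that is safe to store and later render with th:utext. */
    public static String sanitizeNoticeContent(String noticeContent) {
        if (noticeContent == null) {
            return "";
        }
        return Jsoup.clean(noticeContent, NOTICE_SAFELIST);
    }

    /**
     * True when the submitted HTML already conforms to the safelist, i.e. clean()
     * would change nothing. A false result from a privileged account is worth an
     * audit-log entry: the editor produced markup outside the allowed set.
     */
    public static boolean isCleanNotice(String noticeContent) {
        return noticeContent == null || Jsoup.isValid(noticeContent, NOTICE_SAFELIST);
    }

    public static void main(String[] args) {
        // Constructed inputs: the advisory's reproduction payload, a benign
        // rich-text notice, and a script block.
        String[] samples = {
            "<p>Normal content</p><img src=x onerror=\"alert('XSS')\">",
            "<h3>Maintenance window</h3><p>Services are <b>unavailable</b> 22:00-23:00.</p>"
                + "<ul><li>Portal</li><li>API</li></ul>",
            "<p>Hello</p><script>alert(1)</script>"
        };
        for (String s : samples) {
            boolean conforms = isCleanNotice(s);
            String stored = sanitizeNoticeContent(s);
            // For the first sample the onerror attribute is removed and the
            // relative src=x is dropped (only http/https image sources pass);
            // for the third the <script> element is removed entirely.
            System.out.println("conforms=" + conforms);
            System.out.println("stored  =" + stored.replace("\n", ""));
            System.out.println();
        }
    }
}
```

One caveat for this application: Summernote can embed pasted images as `data:` URIs, and `Safelist.relaxed()` strips those because it only permits `http` and `https` for `img src`. If that behaviour is needed, extend the safelist with `NOTICE_SAFELIST.addProtocols("img", "src", "data")` deliberately rather than widening the safelist elsewhere; the event-handler and script removal is unaffected by that change.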
Preconditions
- (auth) Attacker must have the `system:notice:add` permission (e.g., an admin or privileged user).
- (config) CSRF protection must be disabled (`csrf.enabled: false`), which is the default configuration.
- (config) The XSS filter must exclude `/system/notice/*` (default configuration).
Reproduction
Log in as admin, navigate to System Management → Notices → Add, fill in a title, switch to source view, paste `<p>Normal content</p><img src=x onerror="alert('XSS')">`, save, then click the notice's "View" button. The browser will show an alert dialog. [ref_id=1]
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0 (No linked articles in our index yet.)