VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-38812

Description

RuoYi v4.8.2 suffers from SQL injection in the code generation module allowing authenticated admins to access sensitive database info.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The RuoYi v4.8.2 admin panel is susceptible to SQL injection in the /tool/gen/createTable endpoint of the code generation module. An authenticated attacker with administrative privileges can inject SQL via the createTable parameter. The vulnerability exists because user-supplied input is concatenated into SQL statements without proper validation or sanitization [1].

Exploitation

An attacker must first authenticate as an administrator. They can then send a crafted POST request to /tool/gen/createTable with a payload that includes SQL injection syntax. The injection likely exploits the dynamic table creation functionality, allowing the attacker to execute arbitrary SQL commands. Detailed exploitation steps and payloads are available in the public proof-of-concept repository [1].

Impact

Successful exploitation allows the attacker to extract sensitive database information, such as user credentials, configuration data, and other application secrets. The impact is limited to data confidentiality; no remote code execution or privilege escalation is reported. The attacker gains read access to the underlying database [1].

Mitigation

As of the publication date (2026-06-15), no official patch has been released by the RuoYi project. Users should restrict access to the /tool/gen/createTable endpoint to trusted administrators only, monitor logs for suspicious activity, and apply updates when a fix becomes available. References such as [1] provide indicators of compromise.
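The root cause described above is a table-creation feature that splices user input into DDL. Because DDL cannot take bind parameters, the usual fix is to validate every identifier against a strict allowlist, quote it, and take column types from a fixed server-side mapping rather than from the request. The following is an added, generic illustration of that pattern in Python with sqlite3; it is not RuoYi's code (no source is available for this CVE), and the function names, the `ALLOWED_TYPES` mapping and the sample inputs are all constructed for this example.

```python
import re
import sqlite3

# Allowlist for table and column names: a letter followed by up to 62 letters,
# digits or underscores. Quotes, spaces, semicolons and comment markers can never match.
IDENTIFIER_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,62}")

# Logical type names a client may request, mapped to the SQL the server emits.
# The request never supplies raw SQL for a type slot; it only picks a key here.
ALLOWED_TYPES = {
    "int": "INTEGER",
    "string": "TEXT",
    "decimal": "REAL",
}


class InvalidIdentifier(ValueError):
    """Raised when a table or column name fails the allowlist."""


def validate_identifier(name):
    """Return name unchanged if it matches the allowlist, else raise."""
    if not isinstance(name, str) or not IDENTIFIER_RE.fullmatch(name):
        raise InvalidIdentifier(f"rejected identifier: {name!r}")
    return name


def quote_identifier(name):
    """Double-quote a validated identifier. The allowlist excludes quotes, so no escaping is needed."""
    return f'"{validate_identifier(name)}"'


def build_create_table(table, columns):
    """Build a CREATE TABLE statement from validated parts only.

    columns is a list of (column_name, logical_type) pairs; logical_type must be
    a key of ALLOWED_TYPES. Every piece of the statement that came from the
    client passes through the allowlist before it is placed in the string.
    """
    if not columns:
        raise ValueError("a table needs at least one column")
    col_defs = []
    for col_name, logical_type in columns:
        if logical_type not in ALLOWED_TYPES:
            raise ValueError(f"rejected column type: {logical_type!r}")
        col_defs.append(f"{quote_identifier(col_name)} {ALLOWED_TYPES[logical_type]}")
    return f"CREATE TABLE {quote_identifier(table)} ({', '.join(col_defs)})"


def create_table(conn, table, columns):
    """Validate, build and execute the DDL; return the SQL that was run."""
    sql = build_create_table(table, columns)
    conn.execute(sql)
    return sql


def table_exists(conn, table):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def demo():
    """Run the hardened path against a good request and several constructed bad ones."""
    conn = sqlite3.connect(":memory:")
    results = {}
    results["ok_sql"] = create_table(conn, "gen_demo", [("id", "int"), ("label", "string")])
    results["ok_exists"] = table_exists(conn, "gen_demo")
    # Constructed inputs that carry characters outside the allowlist (space, quote,
    # semicolon), a leading digit, and an empty name. All are rejected before any
    # SQL string is assembled, so nothing reaches the database.
    for bad in ["gen demo", 'gen"demo', "gen;demo", "1abc", ""]:
        try:
            build_create_table(bad, [("id", "int")])
            results[bad] = "accepted"
        except ValueError:  # InvalidIdentifier is a ValueError
            results[bad] = "rejected"
    # A type slot that is not one of the ALLOWED_TYPES keys is rejected the same way.
    try:
        build_create_table("gen_demo2", [("id", "INTEGER)")])
        results["bad_type"] = "accepted"
    except ValueError:
        results["bad_type"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The design point is that the only strings originating from the client that ever reach the DDL are ones that already matched the allowlist; quoting is then a belt-and-braces measure rather than the primary control. The same approach applies to any ORM or JDBC-based code generator: parameterize what can be parameterized, and allowlist-validate what cannot (table names, column names, types).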

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

News mentions (0)

No linked articles in our index yet.