Medium severity6.3NVD Advisory· Published May 3, 2026· Updated May 5, 2026

CVE-2026-7678

Description

A vulnerability was identified in YunaiV yudao-cloud up to 2026.01. This affects the function getDataBySQL of the file yudao-module-report-biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated SQL injection vulnerability in YunaiV yudao-cloud up to 2026.01 allows attackers with a specific permission to execute arbitrary SQL via the getDataBySQL method.

Vulnerability

Description

A SQL injection vulnerability exists in YunaiV yudao-cloud, a popular microservice development framework, up to version 2026.01. The flaw resides in the getDataBySQL method within GoViewDataServiceImpl.java. The method directly concatenates user-supplied SQL input into a jdbcTemplate.queryForRowSet() call without any parameterization or input validation, allowing an attacker to inject arbitrary SQL commands [1].

Exploitation

The vulnerability is exploitable remotely via the API endpoint POST /admin-api/report/go-view-data/get-by-sql. However, exploitation requires authentication and the specific permission report:go-view-data:get-by-sql. An attacker who has obtained these credentials or privileges can send crafted SQL payloads in the request body to the vulnerable endpoint [1].

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary SQL queries against the underlying database. This can lead to unauthorized reading, modification, or deletion of sensitive data, and potentially full compromise of the database server. The CVSS v3.1 base score assigned by the reporter is 8 reporter is 8.6 (High), though the official NVD CVSS v3 score is 6.3 (Medium) [1].

Mitigation

As of the disclosure date, the vendor (YunaiV) has not responded to the report, and no official patch or workaround has been released. Users of affected versions (up to 2026.01) should apply strict input validation or disable the vulnerable endpoint if possible, pending a vendor fix [1].

References

CVE Report: yudao-cloud GoView SQL Injection Vulnerability

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

YunaiV/Yudao Cloudllm-fuzzy
Range: <=2026.01

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

Severity

MediumCVSS v3.1

6.3/ 10

CVSS v42.1

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS

Probability of exploitation in the next 30 days.

0.03%

VYPR risk score

Composite of severity, exploitation, and reach.

0.41medium

cvss	0.410
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE ID

CVE-2026-7678

Credits

9(
9str0il (VulDB User)
reporter
VC
VulDB CNA Team
coordinator