Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-37216

CVE-2026-37216: Ruoyi 4.8.2 XSS Vulnerability

CVE-2026-37216 is a cross site scripting flaw in Ruoyi 4.8.2 affecting the /system/notice/add interface. Attackers can inject malicious scripts to compromise users. This post covers technical details, impact, and mitigation.

Published:

CVE-2026-37216 Overview

CVE-2026-37216 is a stored Cross-Site Scripting (XSS) vulnerability affecting RuoYi version 4.8.2. The flaw resides in the /system/notice/add interface, which fails to properly sanitize user-supplied input before rendering it in the application UI. RuoYi is an open-source Java-based rapid development platform widely used to build enterprise management systems in China. Attackers can inject malicious JavaScript payloads through the notice creation feature. When other authenticated users view the affected notice, the injected script executes in their browser session. The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).

Critical Impact

Successful exploitation enables session hijacking, credential theft, and unauthorized actions performed in the context of victim users browsing the compromised notice page.

Affected Products

  • RuoYi 4.8.2
  • RuoYi /system/notice/add administrative interface
  • Downstream applications built on the RuoYi framework at version 4.8.2

Discovery Timeline

  • 2026-06-15 - CVE-2026-37216 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-37216

Vulnerability Analysis

The vulnerability is a stored XSS condition in the notice management module of RuoYi 4.8.2. The /system/notice/add endpoint accepts notice content from authenticated users without applying sufficient output encoding or HTML sanitization. Submitted content is persisted in the database and later rendered back to any user who views the notice list or detail view. Because the malicious payload executes within the trusted origin of the RuoYi application, attackers can abuse the browser session of victim users. Typical post-exploitation activity includes stealing session cookies, forging requests against administrative endpoints, and pivoting toward higher-privileged accounts.

Root Cause

The root cause is missing or inadequate input neutralization on notice fields submitted to /system/notice/add. The application stores raw HTML and JavaScript content and emits it back into the DOM without context-aware encoding. This pattern matches CWE-79, where untrusted input is reflected into a web page without escaping characters such as <, >, ", and '. RuoYi's notice rendering path does not enforce a strict Content Security Policy that would otherwise mitigate inline script execution.

Attack Vector

Exploitation requires network access to the RuoYi web interface and a user with permission to create notices. The attacker submits a crafted notice containing a JavaScript payload through the /system/notice/add request. User interaction is required because a victim user must view the malicious notice. Once rendered, the script runs with the privileges of the viewing user, including any administrator who reviews recently posted notices. Refer to the GitHub Issue Discussion for additional technical context on the affected endpoint.

Detection Methods for CVE-2026-37216

Indicators of Compromise

  • Notice records in the sys_notice table containing <script>, onerror=, onload=, or javascript: substrings in the title or content fields.
  • Outbound HTTP requests from administrator browsers to attacker-controlled domains immediately after viewing the notice center.
  • Unexpected creation or modification of administrative accounts following access to the notice module.

Detection Strategies

  • Inspect application logs for POST requests to /system/notice/add containing HTML tags or JavaScript event handlers in request bodies.
  • Deploy a web application firewall rule that flags XSS signatures targeting the notice endpoint.
  • Perform periodic database audits on notice content fields searching for script tags or encoded variants.

Monitoring Recommendations

  • Enable verbose access logging on the /system/notice/* route and forward logs to a centralized SIEM for correlation.
  • Alert on administrative session anomalies such as new IP addresses or impossible-travel events following notice views.
  • Monitor CSP violation reports if a reporting endpoint is configured for the RuoYi front end.

How to Mitigate CVE-2026-37216

Immediate Actions Required

  • Restrict access to the notice creation interface to a minimal set of trusted administrators until a patch is available.
  • Review and remove any existing notices that contain HTML tags, JavaScript, or suspicious encoded payloads.
  • Audit administrative accounts for unexpected creation, role changes, or activity originating from unfamiliar locations.

Patch Information

No official vendor patch is referenced in the NVD entry at publication. Track the upstream project and the GitHub Issue Discussion for fix availability. Once a fixed release is published, upgrade RuoYi from 4.8.2 to the patched version across all environments.

Workarounds

  • Implement server-side input validation that rejects HTML tags and JavaScript event handlers in notice title and content fields.
  • Apply context-aware output encoding when rendering notice data in templates, escaping <, >, ", ', and &.
  • Deploy a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins.
  • Place the RuoYi application behind a WAF with XSS filtering enabled for the /system/notice/ path.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.