Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-57950— ruoyi-vue-pro - Incorrect Permission Namespace in ErpSaleOrderController

CVSS 8.1 · High EPSS 0.29% · P21

Possible ATT&CK Techniques 1AI

T1528 · Steal Application Access Token

Affected Version Matrix 2

VendorProductVersion RangeStatus
Yunairuoyi-vue-pro≤ 2026.05affected
5d1fd70dc3e61bf64e7ce3328a71cc60001175c6unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-57950

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
ruoyi-vue-pro - Incorrect Permission Namespace in ErpSaleOrderController
Source: NVD (National Vulnerability Database)
Vulnerability Description
ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders due to the controller enforcing erp:sale-out instead of the intended erp:sale-order namespace.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
YunaiV ruoyi-vue-pro 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
YunaiV ruoyi-vue-pro是YunaiV个人开发者的一款开发框架软件。 YunaiV ruoyi-vue-pro 2026.05及之前版本存在授权问题漏洞,该漏洞源于ErpSaleOrderController权限命名空间执行错误,可能导致具有erp:sale-out权限的攻击者未经授权访问销售订单操作。以下版本受到影响:2026.05及之前版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Yunairuoyi-vue-pro 0 ~ 2026.05 -

II. Public POCs for CVE-2026-57950

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 6947 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-57950

登录查看更多情报信息。

Patches & Fixes for CVE-2026-57950 (1)

Vendor Advisories for CVE-2026-57950 (1)

Other References for CVE-2026-57950 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-57950

No comments yet


Leave a comment