CVE-2025-66916

Published: Jan 8, 2026

Modified: Jan 8, 2026

PUBLISHED

Description

The snailjob component in RuoYi-Vue-Plus versions 5.5.1 and earlier, interface /snail-job/workflow/check-node-expression can execute QLExpress expressions, but it does not filter user input, allowing attackers to use the File class to perform arbitrary file reading and writing.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://gitee.com/dromara/RuoYi-Vue-Plus

https://github.com/Catherines77/code-au/blob/main/ruoyi-vue-plus/QLExpress.md

https://gist.github.com/Catherines77/e3f06b9c4cc6298579e858088a243c3d

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-66916

Description

Affected Products

References