A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.9.2 . It has been rated as critical . Impacted is the function FileUploadUtils.upload of the file /common/upload of the component Common Upload Endpoint . Performing a manipulation results in unrestricted upload. This vulnerability is reported as CVE-2026-9374 . The attack is possible to be carried out remotely. No exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.