Share
## https://sploitus.com/exploit?id=080D89A8-931F-5742-97F7-100F4C93420B
# CVE_APPLY โ Enterprise Open Source Software Security Audit Reports
This repository collects vulnerability reports discovered during code audits of enterprise-level open source software, intended for subsequent CVE submissions and disclosures. ## Report Index
### Published Reports
| Number | Product | Vulnerability Type | Severity |
|-------|-------|--------------|---------|
| V-006 | (Internal) SVG Storage XSS | XSS | High |
| V-009 | (Internal) mLogin Captcha Bypass | Authentication Bypass | High |
| V-R001 | RuoYi v4.8.3 | Announcement Module Storage XSS | Medium |
| V-C001 | CRMEB Java v1.4 | Unauthorized SQL Injection | Severe |
| V-W001 | Wukong CRM | JFinal Template SQL Injection | Severe |
| V-J010 | JeecgBoot v3.5.3 | SqlInjectionUtil Filter Bypass | High |
### New Reports (April 14, 2026)
| Number | Product | Vulnerability Type | Severity |
|-------|-------|--------------|---------|
| V-Y001 | yshop/ZkMall | Hardcoded Backdoor Token + Unauthorized Payment | Severe |
| V-L001 | Lilishop | Hardcoded JWT Signature Key | Severe |
| V-J011 | J2eeFast | Shiro Hardcoded RememberMe Key RCE | Severe |
| V-P001 | pig Microservices | @Inner Internal Authentication Header Bypass | Severe |
| V-M001 | MaxKey IAM | Multiple ${filters}/${orgIdsList} SQLi | Severe |
| V-D001 | DataEase | SqlVariable transFilter SQL Injection | Severe |
| V-YU001 | yudao-cloud | BrokerageUser ORDER BY Injection | High |
| V-G001 | Guns Roses | Unauthorized File Preview Path Traversal | Severe |
## Report Structure
Each vulnerability is located in a separate directory: `V-XXX_ProductName_VulnerabilityDescription/`.
- `README.md` โ Vulnerability details: summary, analysis, proof-of-concept, recommendations for fixes
- `*.*png` (optional) โ Verification screenshots, response packets, stack information
- `*.*py|*.*sh` (optional) โ Proof-of-concept scripts
## Disclaimer
The content of this repository is intended solely for security research and responsible disclosure purposes. It must not be used for unauthorized attacks.