Key Information

Vulnerability Description

Vulnerability Type: Arbitrary File Upload Vulnerability
Affected System: ruoyi-ai system
Risk: Allows attackers to upload malicious files to any path on the server, potentially leading to arbitrary code execution and arbitrary file overwriting.

Vulnerability Analysis

Entry Points:
-
-

Critical Code:

Issue: The function directly uses user-controlled file names and extensions as the final file path and name for saving on the server, without any security checks, resulting in a typical file upload vulnerability.

Vulnerability Verification

POC:

Security Recommendations

- Restrict uploaded file types and validate file extensions to prevent uploading malicious payloads.
- Strictly limit the upload file path; avoid using frontend-provided file name information to construct the final file storage path.
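
One way to apply both recommendations together, as an added example that is not ruoyi-ai's own code: the class name `SafeUploadStore`, the extension allow-list and the temporary upload directory are assumptions made for illustration. The client-supplied name is used only to read an extension, which must be on the allow-list; the stored name is generated on the server and confined to the upload directory.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

public class SafeUploadStore {
    // Assumed allow-list; restrict it to what the application actually needs.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "pdf");
    private final Path baseDir;

    public SafeUploadStore(Path baseDir) throws IOException {
        Files.createDirectories(baseDir);
        this.baseDir = baseDir.toRealPath(); // canonical form, symlinks resolved
    }

    /** Returns the allow-listed extension of a client-supplied name, or throws. */
    static String checkedExtension(String clientName) {
        if (clientName == null) throw new IllegalArgumentException("missing file name");
        int dot = clientName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) throw new IllegalArgumentException("extension not allowed");
        return ext;
    }

    /** Stores the upload under a server-generated name; the client name never reaches the path. */
    public Path store(String clientName, InputStream data) throws IOException {
        String ext = checkedExtension(clientName);
        Path target = baseDir.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(baseDir)) throw new IllegalArgumentException("path escapes upload dir");
        Files.copy(data, target); // no REPLACE_EXISTING: an existing file is never overwritten
        return target;
    }

    public static void main(String[] args) throws IOException {
        SafeUploadStore store = new SafeUploadStore(Files.createTempDirectory("uploads"));
        // Constructed sample names, not taken from the advisory.
        String[] names = {"report.pdf", "../../outside/page.jsp", "../../outside/picture.png"};
        for (String name : names) {
            try {
                Path p = store.store(name, new ByteArrayInputStream(new byte[] {1, 2, 3}));
                System.out.println(name + " -> stored as " + p.getFileName());
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The third sample name carries directory components but an allowed extension; it is stored under a generated name inside the upload directory, because nothing from the client name other than the checked extension is used to build the path.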