{"id":"CVE-2025-56769","details":"An issue was discovered in chinabugotech hutool before 5.8.4 (this record's affected range gives 5.8.40 as the fixed version and lists releases up to 5.8.39 as affected) allowing attackers to execute arbitrary expressions that lead to arbitrary method invocation and potentially remote code execution (RCE) via the QLExpressEngine class.","aliases":["GHSA-gcfh-36x4-mgj6"],"modified":"2026-03-09T23:56:07.290231Z","published":"2025-09-25T23:15:54.773Z","references":[{"type":"FIX","url":"https://github.com/chinabugotech/hutool/issues/3994"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dromara/hutool","events":[{"introduced":"0"},{"fixed":"2d5fcc3b0883096a562e4bb1e9b14e712b1b556a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.8.40"}]}}],"versions":["4.6.2","4.6.3","4.6.4","4.6.5","4.6.6","4.6.7","4.6.8","4.6.9","5.0.0","5.0.1","5.0.2","5.0.3","5.0.5","5.0.6","5.0.7","5.1.0","5.1.1","5.1.2","5.1.3","5.1.4","5.1.5","5.2.0","5.2.1","5.2.2","5.2.3","5.2.4","5.2.5","5.3.0","5.3.1","5.3.10","5.3.2","5.3.3","5.3.4","5.3.5","5.3.6","5.3.7","5.3.8","5.3.9","5.4.0","5.4.1","5.4.2","5.4.3","5.4.4","5.4.5","5.4.6","5.4.7","5.5.0","5.5.1","5.5.2","5.5.3","5.5.4","5.5.5","5.5.6","5.5.7","5.5.8","5.5.9","5.6.0","5.6.1","5.6.2","5.6.3","5.6.5","5.6.6","5.6.7","5.7.0","5.7.1","5.7.10","5.7.11","5.7.12","5.7.13","5.7.14","5.7.15","5.7.16","5.7.17","5.7.18","5.7.19","5.7.2","5.7.20","5.7.21","5.7.22","5.7.3","5.7.4","5.7.5","5.7.6","5.7.7","5.7.8","5.7.9","5.8.0","5.8.0.M1","5.8.0.M2","5.8.0.M4","5.8.1","5.8.10","5.8.11","5.8.12","5.8.13","5.8.14","5.8.15","5.8.17","5.8.19","5.8.2","5.8.20","5.8.21","5.8.22","5.8.23","5.8.24","5.8.25","5.8.26","5.8.27","5.8.28","5.8.29","5.8.3","5.8.30","5.8.31","5.8.32","5.8.33","5.8.34","5.8.35","5.8.36","5.8.37","5.8.38","5.8.39","5.8.4","5.8.5","5.8.6","5.8.7","5.8.8","5.8.9","test"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-56769.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}