CVE-2025-70986
Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data.
CVE-2025-70985
Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope.
CVE-2024-57521
SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java.
CVE-2025-14856
A security vulnerability has been detected in y_project RuoYi up to 4.8.1. The affected element is an unknown function of the file /monitor/cache/getnames. Such manipulation of the argument fragment leads to code injection. The attack can b…
CVE-2025-67342
RuoYi versions 4.8.1 and earlier is affected by a stored XSS vulnerability in the /system/menu/edit endpoint. While the endpoint is protected by an XSS filter, the protection can be bypassed. Additionally, because the menu is shared across…
CVE-2025-46175
Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java.
CVE-2025-56396
An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department having higher rights than the active user.
CVE-2025-46174
Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java.
CVE-2025-10989
A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. This vulnerability affects unknown code of the file /system/role/authUser/selectAll. Performing manipulation of the argument userIds results in improper authorization.…
CVE-2025-10473
A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. This impacts the function filterKeyword of the file /com/ruoyi/common/utils/sql/SqlUtil.java of the component Blacklist Handler. The manipulation results in sql injecti…
CVE-2025-10384
A flaw has been found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/cancelAll of the component Role Handler. Executing manipulation of the argument roleId/us…
CVE-2025-8847
A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is the function Edit of the file /system/notice/edit. The manipulation of the argument noticeTitle/noticeContent leads to cross site scripting. The…
CVE-2025-7907
A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1. It has been classified as problematic. Affected is an unknown function of the file ruoyi-admin/src/main/resources/application-druid.yml of the component Druid. The manipulation l…
CVE-2025-7906
A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1 and classified as critical. This issue affects the function uploadFile of the file ruoyi-admin/src/main/java/com/ruoyi/web/controller/common/CommonController.java. The manipulatio…
CVE-2025-7903
A vulnerability classified as problematic was found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the component Image Source Handler. The manipulation leads to improper restriction of rend…
CVE-2025-7902
A vulnerability classified as problematic has been found in yangzongzhuan RuoYi up to 4.8.1. Affected is the function addSave of the file com/ruoyi/web/controller/system/SysNoticeController.java. The manipulation leads to cross site scripti…
CVE-2025-7901
A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1. It has been rated as problematic. This issue affects some unknown processing of the file /swagger-ui/index.html of the component Swagger UI. The manipulation of the argument conf…
CVE-2025-4819
A vulnerability classified as problematic has been found in y_project RuoYi 4.8.0. Affected is an unknown function of the file /monitor/online/batchForceLogout of the component Offline Logout. The manipulation of the argument ids leads to i…
CVE-2025-28413
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the SysDictTypeController component
CVE-2025-28412
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the /editSave method in SysNoticeController