CVE-2025-28409
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the add method of the /add/parentId endpoint, which does not properly validate whether the requesting user has permission to add a menu item under the specified parentId...
CVE-2025-28412
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the /editSave method in SysNoticeController...
CVE-2025-28410
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the cancelAuthUserAll method, which does not properly validate whether the requesting user has administrative privileges...
CVE-2025-28405
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the changeStatus method...
CVE-2025-28402
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobId parameter...
CVE-2025-28401
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the menuId parameter...
CVE-2025-28406
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobLogId parameter...
CVE-2025-28407
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the edit method of the /edit/dictId endpoint, which does not properly validate whether the requesting user has permission to modify the specified dictId...
PT-2025-15239 · Ruoyi · Ruoyi
Name of the Vulnerable Software and Affected Versions: RUoYi version 4.8.0 Description: An issue in RUoYi allows a remote attacker to escalate privileges via the menuId parameter. Recommendations: For RUoYi version 4.8.0, as a temporary workaround, consider restricting access to the vulnerable...
PT-2025-15247 · Ruoyi · Ruoyi
Name of the Vulnerable Software and Affected Versions: RUoYi version 4.8.0 Description: An issue in RUoYi allows a remote attacker to escalate privileges via the edit method of the "/edit/dictId" endpoint, which does not properly validate whether the requesting user has permission to modify the...
PT-2025-15245 · Ruoyi · Ruoyi
Name of the Vulnerable Software and Affected Versions: RUoYi version 4.8.0 Description: An issue in RUoYi allows a remote attacker to escalate privileges via the changeStatus method. Recommendations: For RUoYi version 4.8.0, consider disabling the changeStatus method until a patch is available...
PT-2025-15252 · Ruoyi · Ruoyi
Name of the Vulnerable Software and Affected Versions: RUoYi version 4.8.0 Description: An issue in RUoYi allows a remote attacker to escalate privileges via the "/editSave" method in SysNoticeController. Recommendations: For RUoYi version 4.8.0, as a temporary workaround, consider disabling the...
RuoYi has insecure permissions
Insecure permissions in RuoYi v4.8.0 allow authenticated attackers to escalate privileges by assigning themselves higher-level roles...
GHSA-QQ5H-RJJ9-Q9QG RuoYi vulnerable to Denial of Service by attackers with admin privileges
An issue in the reset password interface of ruoyi v4.8.0 allows attackers with Admin privileges to cause a Denial of Service (DoS) by duplicating the login name of the account...
RuoYi allowed unauthorized attackers to view the session ID of the admin in the system monitoring
RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users using a crafted cookie...
PT-2025-3445 · Ruoyi · Ruoyi
Name of the Vulnerable Software and Affected Versions: RuoYi version 4.8.0 Description: The issue concerns insecure permissions that allow authenticated attackers to escalate privileges by assigning themselves higher-level roles. Recommendations: For RuoYi version 4.8.0, update the permissions to...
CVE-2024-54762
Ruoyi v.4.7.9 and before contains an authenticated SQL injection vulnerability. This is because the filterKeyword method does not completely filter SQL injection keywords, resulting in the risk of SQL injection...
PT-2025-3068 · Ruoyi · Ruoyi
Name of the Vulnerable Software and Affected Versions: Ruoyi versions 4.7.9 and earlier Description: The issue is related to an authenticated SQL injection risk. This occurs because the filterKeyword method does not fully filter SQL injection keywords, leading to a potential SQL injection risk...
CVE-2024-42900
Ruoyi v4.7.9 and before was discovered to contain a cross-site scripting (XSS) vulnerability via the sql parameter of the createTable function at /tool/gen/create...
CVE-2024-41599
Cross-site scripting vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the file upload method...