Product
ruoyi
59 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-70986 (affected: all versions)
Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive

CVE-2025-70985 (affected: all versions)
Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside o

CVE-2024-57521 (affected: <= 4.7.9)
SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable fun

CVE-2025-14856 (affected: <= 4.8.1)
A security vulnerability has been detected in y_project RuoYi up to 4.8.1. The affected element is an unknown function of the file

CVE-2025-67342 (affected: <= 4.8.1)
RuoYi versions 4.8.1 and earlier are affected by a stored XSS vulnerability in the /system/menu/edit endpoint. While the endpoint i

CVE-2025-46175 (affected: all versions)
Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole met

CVE-2025-56396 (affected: all versions)
An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department having higher

CVE-2025-46174 (affected: all versions)
Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method

CVE-2025-10989 (affected: <= 4.8.1)
A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. This vulnerability affects unknown code of the file /syste

CVE-2025-10473 (affected: <= 4.8.1)
A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. This impacts the function filterKeyword of the file /com/r

CVE-2025-10384 (affected: <= 4.8.1)
A flaw has been found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the file /

CVE-2025-8847 (affected: <= 4.8.1)
A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is the function Edit of the file /sys

CVE-2025-7907 (affected: <= 4.8.1)
A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1. It has been classified as problematic. Affected is an unknown functi

CVE-2025-7906 (affected: <= 4.8.1)
A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1 and classified as critical. This issue affects the function uploadFil

CVE-2025-7903 (affected: <= 4.8.1)
A vulnerability classified as problematic was found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unkno

CVE-2025-7902 (affected: <= 4.8.1)
A vulnerability classified as problematic has been found in yangzongzhuan RuoYi up to 4.8.1. Affected is the function addSave of t

CVE-2025-7901 (affected: <= 4.8.1)
A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1. It has been rated as problematic. This issue affects some unknown pr

CVE-2025-4819 (affected: all versions)
A vulnerability classified as problematic has been found in y_project RuoYi 4.8.0. Affected is an unknown function of the file /mo

CVE-2025-4537 (affected: <= 3.8.9)
A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.8.9 and classified as problematic. Affected by this issue is some unk

CVE-2025-28413 (affected: all versions)
An issue in RuoYi v.4.8.0 allows a remote attacker to escalate privileges via the SysDictTypeController component

CVE-2025-28412 (affected: all versions)
An issue in RuoYi v.4.8.0 allows a remote attacker to escalate privileges via the /editSave method in SysNoticeController

CVE-2025-28411 (affected: all versions)
An issue in RuoYi v.4.8.0 allows a remote attacker to escalate privileges via the editSave method in /tool/gen/editSave

CVE-2025-28410 (affected: all versions)
An issue in RuoYi v.4.8.0 allows a remote attacker to escalate privileges via the cancelAuthUserAll method does not properly valid

CVE-2025-28409 (affected: all versions)
An issue in RuoYi v.4.8.0 allows a remote attacker to escalate privileges via the add method of the /add/{parentId} endpoint does

CVE-2025-28408 (affected: all versions)
An issue in RuoYi v.4.8.0 allows a remote attacker to escalate privileges via the selectDeptTree method of the /selectDeptTree/{de

CVE-2025-28407 (affected: all versions)
An issue in RuoYi v.4.8.0 allows a remote attacker to escalate privileges via the edit method of the /edit/{dictId} endpoint does

CVE-2025-28406 (affected: all versions)
An issue in RuoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobLogId parameter

CVE-2025-28405 (affected: all versions)
An issue in RuoYi v.4.8.0 allows a remote attacker to escalate privileges via the changeStatus method

CVE-2025-28403 (affected: all versions)
An issue in RuoYi v.4.8.0 allows a remote attacker to escalate privileges via the editSave method does not properly validate wheth

CVE-2025-28402 (affected: all versions)
An issue in RuoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobId parameter

CVE-2025-28401 (affected: all versions)
An issue in RuoYi v.4.8.0 allows a remote attacker to escalate privileges via the menuId parameter

CVE-2025-28400 (affected: all versions)
An issue in RuoYi v.4.8.0 allows a remote attacker to escalate privileges via the postID parameter in the edit method

CVE-2024-57439 (affected: all versions)
An issue in the reset password interface of ruoyi v4.8.0 allows attackers with Admin privileges to cause a Denial of Service (DoS)

CVE-2024-57438 (affected: all versions)
Insecure permissions in RuoYi v4.8.0 allow authenticated attackers to escalate privileges by assigning themselves higher level ro

CVE-2024-57437 (affected: all versions)
RuoYi v4.8.0 was discovered to contain a SQL injection vulnerability via the orderby parameter at /monitor/online/list.

CVE-2024-57436 (affected: all versions)
RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This iss

CVE-2025-0734 (affected: <= 4.8.0)
A vulnerability has been found in y_project RuoYi up to 4.8.0 and classified as critical. This vulnerability affects the function

CVE-2024-54762 (affected: <= 4.7.9)
Ruoyi v.4.7.9 and before contains an authenticated SQL injection vulnerability. This is because the filterKeyword method does not

CVE-2024-46076 (affected: <= 4.7.9)
RuoYi v4.7.9 and before has a security flaw that allows escaping from comments within the code generation feature, enabling the in

CVE-2024-9048 (affected: <= 4.7.9)
A vulnerability was found in y_project RuoYi up to 4.7.9. It has been declared as problematic. Affected by this vulnerability is t

CVE-2024-42900 (affected: <= 4.7.9)
Ruoyi v4.7.9 and before was discovered to contain a cross-site scripting (XSS) vulnerability via the sql parameter of the createTa

CVE-2024-42913 (affected: all versions)
RuoYi CMS v4.7.9 was discovered to contain a SQL injection vulnerability via the job_id parameter at /sasfs1.

CVE-2024-41599 (affected: <= 4.7.9)
Cross Site Scripting vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the file upl

CVE-2024-6511 (affected: <= 4.7.9)
A vulnerability classified as problematic was found in y_project RuoYi up to 4.7.9. Affected by this vulnerability is the function

CVE-2024-29400 (affected: all versions)
An issue was discovered in RuoYi v4.5.1 that allows attackers to obtain sensitive information via the status parameter.

CVE-2023-52048 (affected: all versions)
RuoYi v4.7.8 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /system/notice/.

CVE-2023-7133 (affected: all versions)
A vulnerability was found in y_project RuoYi 4.7.8. It has been declared as problematic. This vulnerability affects unknown code o

CVE-2023-49371 (affected: <= 4.6.0)
RuoYi up to v4.6 was discovered to contain a SQL injection vulnerability via /system/dept/edit.

CVE-2021-28411 (affected: all versions)
An issue was discovered in getRememberedSerializedIdentity function in CookieRememberMeManager class in lerry903 RuoYi version 3.4

CVE-2023-3815 (affected: <= 4.7.7)
A vulnerability, which was classified as problematic, has been found in y_project RuoYi up to 4.7.7. Affected by this issue is the

CVE-2023-3163 (affected: <= 4.7.7)
A vulnerability was found in y_project RuoYi up to 4.7.7. It has been classified as problematic. Affected is the function filterKe

CVE-2023-27025 (affected: <= 4.7.6)
An arbitrary file download vulnerability in the background management module of RuoYi v4.7.6 and below allows attackers to downloa

CVE-2022-48114 (affected: <= 4.7.5)
RuoYi up to v4.7.5 was discovered to contain a SQL injection vulnerability via the component /tool/gen/createTable.

CVE-2021-38241 (affected: < 4.6.1)
Deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via weak cipher in Shiro fram

CVE-2022-4566 (affected: all versions)
A vulnerability, which was classified as critical, has been found in y_project RuoYi 4.7.5. This issue affects some unknown proces

CVE-2022-4348 (affected: all versions)
A vulnerability was found in y_project RuoYi-Cloud. It has been rated as problematic. Affected by this issue is some unknown funct

CVE-2022-32065 (affected: <= 4.7.3)
An arbitrary file upload vulnerability in the background management module of RuoYi v4.7.3 and below allows attackers to execute a

CVE-2022-23869 (affected: all versions)
In RuoYi v4.7.2 through the WebUI, user test1 does not have permission to reset the password of user test3, but the password of us

CVE-2022-23868 (affected: all versions)
RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens .xlsx log file.