Ruoyi 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に vendor risk cross-site scripting and vendor risk sql injection などに関し、一部は vendor impact data exposure を招き、vendor surface production workloads and vendor surface software deployment 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-70986 | Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data. | [email protected] | 7.5 | 0.40% | 2026-01-23 | 2026-01-30 |
| CVE-2025-70985 | Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope. | [email protected] | 9.1 | 0.38% | 2026-01-23 | 2026-01-30 |
| CVE-2024-57521 | SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java. | [email protected] | 10.0 | 0.59% | 2025-12-23 | 2026-01-06 |
| CVE-2025-14856 | A security vulnerability has been detected in y_project RuoYi up to 4.8.1. The affected element is an unknown function of the file /monitor/cache/getnames. Such manipulation of the argument fragment leads to code injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | [email protected] | 2.1 | 0.38% | 2025-12-18 | 2026-04-29 |
| CVE-2025-67342 | RuoYi versions 4.8.1 and earlier is affected by a stored XSS vulnerability in the /system/menu/edit endpoint. While the endpoint is protected by an XSS filter, the protection can be bypassed. Additionally, because the menu is shared across all users, any user with menu modification permissions can impact all users by exploiting this stored XSS vulnerability. | [email protected] | 4.6 | 0.15% | 2025-12-12 | 2025-12-19 |
| CVE-2025-46175 | Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java. | [email protected] | 7.5 | 0.26% | 2025-11-26 | 2025-12-04 |
| CVE-2025-56396 | An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department having higher rights than the active user. | [email protected] | 8.8 | 0.27% | 2025-11-26 | 2025-12-04 |
| CVE-2025-46174 | Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java. | [email protected] | 7.5 | 0.26% | 2025-11-26 | 2025-12-04 |
| CVE-2025-10989 | A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. This vulnerability affects unknown code of the file /system/role/authUser/selectAll. Performing manipulation of the argument userIds results in improper authorization. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 2.1 | 0.36% | 2025-09-26 | 2026-04-29 |
| CVE-2025-10473 | A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. This impacts the function filterKeyword of the file /com/ruoyi/common/utils/sql/SqlUtil.java of the component Blacklist Handler. The manipulation results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | [email protected] | 2.1 | 0.37% | 2025-09-15 | 2026-04-29 |
| CVE-2025-10384 | A flaw has been found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/cancelAll of the component Role Handler. Executing manipulation of the argument roleId/userIds can lead to improper authorization. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 2.1 | 0.34% | 2025-09-13 | 2026-04-29 |
| CVE-2025-8847 | A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is the function Edit of the file /system/notice/edit. The manipulation of the argument noticeTitle/noticeContent leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 2.0 | 0.30% | 2025-08-11 | 2026-04-29 |
| CVE-2025-7907 | A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1. It has been classified as problematic. Affected is an unknown function of the file ruoyi-admin/src/main/resources/application-druid.yml of the component Druid. The manipulation leads to use of default credentials. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 2.1 | 0.40% | 2025-07-20 | 2026-04-29 |
| CVE-2025-7906 | A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1 and classified as critical. This issue affects the function uploadFile of the file ruoyi-admin/src/main/java/com/ruoyi/web/controller/common/CommonController.java. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 2.1 | 0.29% | 2025-07-20 | 2026-04-29 |
| CVE-2025-7903 | A vulnerability classified as problematic was found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the component Image Source Handler. The manipulation leads to improper restriction of rendered ui layers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 2.1 | 0.15% | 2025-07-20 | 2026-04-29 |
| CVE-2025-7902 | A vulnerability classified as problematic has been found in yangzongzhuan RuoYi up to 4.8.1. Affected is the function addSave of the file com/ruoyi/web/controller/system/SysNoticeController.java. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 2.0 | 0.25% | 2025-07-20 | 2026-04-29 |
| CVE-2025-7901 | A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1. It has been rated as problematic. This issue affects some unknown processing of the file /swagger-ui/index.html of the component Swagger UI. The manipulation of the argument configUrl leads to cross site scripting. The attack may be initiated remotely. | [email protected] | 5.3 | 0.70% | 2025-07-20 | 2025-09-11 |
| CVE-2025-4819 | A vulnerability classified as problematic has been found in y_project RuoYi 4.8.0. Affected is an unknown function of the file /monitor/online/batchForceLogout of the component Offline Logout. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. | [email protected] | 2.3 | 0.37% | 2025-05-17 | 2025-10-10 |
| CVE-2025-4537 | A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.8.9 and classified as problematic. Affected by this issue is some unknown functionality of the file ruoyi-ui/jsencrypt.js and ruoyi-ui/login.vue of the component Password Handler. The manipulation leads to cleartext storage of sensitive information in a cookie. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may | [email protected] | 2.3 | 0.24% | 2025-05-11 | 2025-07-08 |
| CVE-2025-28413 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the SysDictTypeController component | [email protected] | 9.8 | 0.54% | 2025-04-07 | 2025-04-09 |