Dromara RuoYi-Vue-Plus vulnerabilities
4 known vulnerabilities affecting dromara/ruoyi-vue-plus.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, MEDIUM 2
Vulnerabilities
CVE-2025-6925 | P2 | CRITICAL | CVSS 9.1 | CWE-22 | v5.4.0 | 2025-06-30
A vulnerability has been found in Dromara RuoYi-Vue-Plus 5.4.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /src/main/java/org/dromara/demo/controller/MailController.java of the component Mail Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched rem
nvd
CVE-2025-66916 | P2 | CRITICAL | CVSS 9.4 | CWE-94 | ≤ 5.5.1 | 2026-01-08
The snailjob component in RuoYi-Vue-Plus versions 5.5.1 and earlier, interface /snail-job/workflow/check-node-expression can execute QLExpress expressions, but it does not filter user input, allowing attackers to use the File class to perform arbitrary file reading and writing.
nvd
CVE-2026-2819 | P3 | MEDIUM | CVSS 6.3 | CWE-862 | v5.5.0, v5.5.1, +2 more | 2026-02-20
A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.5.3. This vulnerability affects the function SaServletFilter of the file /workflow/instance/deleteByInstanceIds of the component Workflow Module. The manipulation leads to missing authorization. The attack may be initiated remotely. The exploit is publicly available and might be used. Th
nvd
CVE-2026-58176 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | ≤ 5.6.2 | 2026-06-30
RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task (FlwTaskController) without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global authentication. Any authenticated user, regardless of assig
nvd