Ruoyi Security Vulnerabilities (CVEs)

Track 29 security vulnerabilities affecting Ruoyi products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.

9 Critical
7 High
13 Medium
CVE-2025-70986 7.5

This vulnerability in RuoYi v4.8.2 allows unauthorized attackers to bypass access controls in the selectDept function, enabling them to access sensiti...

Jan 23, 2026
CVE-2025-70985 9.1

This vulnerability in RuoYi v4.8.2 allows unauthorized attackers to modify data they shouldn't have access to due to improper access control in the up...

Jan 23, 2026
CVE-2025-14856 6.3

This vulnerability allows remote attackers to execute arbitrary code on RuoYi systems up to version 4.8.1 through code injection in the /monitor/cache...

Dec 18, 2025
CVE-2025-67342 4.6

RuoYi versions 4.8.1 and earlier contain a stored cross-site scripting (XSS) vulnerability in the menu editing endpoint. Attackers with menu modificat...

Dec 12, 2025
CVE-2025-46175 7.5

RuoYi v4.8.0 has an incorrect access control vulnerability where the authRole method in SysUserController.java lacks a checkUserDataScope permission c...

Nov 26, 2025
CVE-2025-56396 8.8

This vulnerability in RuoYi 4.8.1 allows attackers to escalate privileges by exploiting a flaw where the owning department has higher rights than the ...

Nov 26, 2025
CVE-2025-46174 7.5

RuoYi v4.8.0 has an incorrect access control vulnerability in the resetPwd method that allows unauthorized password resets. Attackers can reset passwo...

Nov 26, 2025
CVE-2025-10989 6.3

This vulnerability in yangzongzhuan RuoYi up to version 4.8.1 allows attackers to bypass authorization controls by manipulating the userIds parameter ...

Sep 26, 2025
CVE-2025-10473 6.3

This SQL injection vulnerability in RuoYi's blacklist handler allows attackers to execute arbitrary SQL commands on affected systems. It affects RuoYi...

Sep 15, 2025
CVE-2025-7907 4.3

This vulnerability in RuoYi up to version 4.8.1 involves the use of default credentials in the Druid component configuration file. Attackers can remot...

Jul 20, 2025
CVE-2025-7906 6.3

This critical vulnerability in RuoYi allows attackers to upload arbitrary files without restrictions via the uploadFile function. Remote attackers can...

Jul 20, 2025
CVE-2025-7903 4.3

This vulnerability in RuoYi's Image Source Handler allows attackers to bypass UI layer restrictions, potentially enabling unauthorized interface manip...

Jul 20, 2025
CVE-2025-7901 4.3

This vulnerability allows attackers to inject malicious scripts via the configUrl parameter in Swagger UI within RuoYi systems. When exploited, it ena...

Jul 20, 2025
CVE-2025-28410 9.8

A privilege escalation vulnerability in RuoYi v4.8.0 allows remote attackers to gain administrative privileges. The cancelAuthUserAll method fails to...

Apr 7, 2025
CVE-2025-28412 9.8

A privilege escalation vulnerability in RuoYi v4.8.0 allows remote attackers to gain elevated privileges through the /editSave method in SysNoticeCon...

Apr 7, 2025
CVE-2025-28401 6.7

A privilege escalation vulnerability in RuoYi v4.8.0 allows remote attackers to gain elevated privileges by manipulating the menuId parameter. This a...

Apr 7, 2025
CVE-2025-28402 9.8

A privilege escalation vulnerability in RuoYi v4.8.0 allows remote attackers to gain elevated privileges by manipulating the jobId parameter. This af...

Apr 7, 2025
CVE-2025-28405 9.8

A privilege escalation vulnerability in RuoYi v4.8.0 allows remote attackers to gain elevated privileges through the changeStatus method. This affect...

Apr 7, 2025
CVE-2025-28407 8.8

This vulnerability in RuoYi v4.8.0 allows remote attackers to escalate privileges by exploiting improper permission validation in the /edit/{dictId} e...

Apr 7, 2025
CVE-2025-28408 9.8

A privilege escalation vulnerability in RuoYi v4.8.0 allows remote attackers to gain elevated privileges by exploiting improper validation of the dep...

Apr 7, 2025
CVE-2024-57436 7.2

CVE-2024-57436 is a session ID exposure vulnerability in RuoYi v4.8.0 that allows unauthorized attackers to view admin session IDs through system moni...

Jan 29, 2025
CVE-2024-57437 6.5

RuoYi v4.8.0 contains a SQL injection vulnerability in the orderby parameter at the /monitor/online/list endpoint. This allows attackers to execute ar...

Jan 29, 2025
CVE-2024-57439 4.9

This vulnerability in RuoYi v4.8.0 allows administrators to cause a Denial of Service (DoS) by duplicating login names during password resets. The att...

Jan 29, 2025
CVE-2025-0734 4.7

This vulnerability in RuoYi up to version 4.8.0 allows remote attackers to execute arbitrary code through deserialization in the getBeanName function ...

Jan 27, 2025
CVE-2024-46076 9.8

RuoYi v4.7.9 and earlier contains a code injection vulnerability in the code generation feature that allows attackers to escape from comments and exec...

Oct 7, 2024
CVE-2024-42900 6.1

This cross-site scripting (XSS) vulnerability in RuoYi's code generation tool allows attackers to inject malicious scripts via the sql parameter. When...

Aug 28, 2024
CVE-2023-49371 9.8

RuoYi versions up to 4.6 contain a SQL injection vulnerability in the /system/dept/edit endpoint that allows attackers to execute arbitrary SQL comman...

Dec 1, 2023
CVE-2021-28411 9.8

This vulnerability in RuoYi's CookieRememberMeManager allows remote attackers to escalate privileges by exploiting improper deserialization of remembe...

Aug 11, 2023
CVE-2022-23868 7.8

RuoYi v4.7.2 contains a CSV injection vulnerability in the admin module that allows attackers to embed malicious formulas in exported Excel log files....

Mar 30, 2022

Why Monitor Ruoyi Security Vulnerabilities?

Real-time CVE tracking: Our automated system monitors 29+ known vulnerabilities affecting Ruoyi products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.

Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Ruoyi packages in under 60 seconds. No agents required - completely agentless scanning that works across Ruoyi deployments.

Free vulnerability database: Access detailed information about every Ruoyi CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.

🚀 Get Started in 60 Seconds

  • Register free account & add your servers
  • Run one-time scan or schedule automatic monitoring (every 1-24 hours)
  • Receive instant alerts when new Ruoyi CVEs affect your systems
  • Access dashboard with severity breakdown & fix instructions