CVE-2025-28410

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the cancelAuthUserAll method does not properly validate whether the requesting user has administrative privileges
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 46%
VendorProductVersion
ruoyiruoyi
4.8.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/20210607/cve_public/blob/main/ruoyi_case/CVE-2025-28409.md
https://github.com/yangzongzhuan/RuoYi
https://github.com/20210607/cve_public/blob/main/ruoyi_case/CVE-2025-28409.md