CVE-2025-46174

HIGH

Ruoyi - Missing Authorization

Title source: rule

Description

Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java.

Exploits (1)

gitee 47,892 stars
by y_project · javawriteup
https://gitee.com/y_project/RuoYi/issues/IC1JZR

References (3)

Scores

CVSS v3 7.5
EPSS 0.0004
EPSS Percentile 11.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-284 CWE-862
Status published
Products (1)
ruoyi/ruoyi 4.8.0
Published Nov 26, 2025
Tracked Since Feb 18, 2026