CVE-2025-67342

MEDIUM

RuoYi < 4.8.1 - Stored Cross-Site Scripting in /system/menu/edit Endpoint

Title source: llm

Description

RuoYi versions 4.8.1 and earlier are affected by a stored XSS vulnerability in the /system/menu/edit endpoint. Although the endpoint is protected by an XSS filter, the filter can be bypassed. Additionally, because the menu is shared across all users, any user with menu modification permissions can affect all users by exploiting this stored XSS vulnerability.

References (1)

Core References
Exploit, Third Party Advisory, Issue Tracking
https://github.com/yangzongzhuan/RuoYi/issues/308

Scores

CVSS v3 4.6
EPSS 0.0015
EPSS Percentile 4.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
ruoyi/ruoyi < 4.8.1
Published Dec 12, 2025
Tracked Since Feb 18, 2026