Stored XSS Vulnerability in RuoYi Versions by Yangzongzhuan
CVE-2025-67342

4.6MEDIUM

Key Information:

Vendor: Yangzongzhuan
Status: RuoYi
Vendor: CVE Published:; 12 December 2025

🔔 Create Yangzongzhuan Vulnerability Alert

What is CVE-2025-67342?

RuoYi versions up to 4.8.1 have a stored XSS vulnerability in the /system/menu/edit endpoint. Although an XSS filter is in place, it is ineffective against certain bypass techniques. This flaw poses a serious risk, as any user with permissions to modify the menu can exploit this vulnerability, impacting all other users by injecting malicious scripts into the shared menu.

References

https://github.com/yangzongzhuan/RuoYi/issues/308

CVSS V3.1

Score:

4.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2025
Vulnerability Reserved
Dec 8, 2025

CVE-2025-67342 Data

JSON