CVE-2025-10384 | yangzongzhuan RuoYi up to 4.8.1 Role cancelAll roleId/userIds improper authorization

A vulnerability described as critical has been identified in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/cancelAll of the component Role Handler. Executing manipulation of the argument roleId/userIds can lead to improper authorization.

This vulnerability appears as CVE-2025-10384. The attack may be performed from remote. In addition, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2025-10384 | yangzongzhuan RuoYi up to 4.8.1 Role cancelAll roleId/userIds improper authorization

Post correlati

CVE-2023-47712 | IBM Security Guardium 11.3/11.4/11.5/12.0 improper ownership management (XFDB-271527)

CVE-2025-5080 | Tenda FH451 1.0.0.9 webExcptypemanFilter page stack-based overflow

CVE-2025-4279 | External Image Replace Plugin up to 1.0.8 on WordPress replace_post unrestricted upload

CVE-2025-7766 | Lantronix Provisioning Manager AV xml external entity reference (icsa-25-203-02)