CVE-2025-28407

Name of the Vulnerable Software and Affected Versions RUoYi version 4.8.0

Description The issue allows a remote attacker to escalate privileges via the edit method of the "/edit/{dictId}" endpoint, which does not properly validate whether the requesting user has permission to modify the specified dictId.

Recommendations For RUoYi version 4.8.0, as a temporary workaround, consider restricting access to the "/edit/{dictId}" endpoint until a patch is available. Avoid using the dictId variable in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.