What is the CVSS score of CVE-2025-70986?

CVE-2025-70986 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Ruoyi are affected by CVE-2025-70986?

CVE-2025-70986 affects RuoYi v4.8.2 deployments, allowing unauthorized attackers to bypass access controls and access sensitive department data without proper authentication.

Is there a public PoC exploit available for CVE-2025-70986?

Yes, a public proof-of-concept exploit is available for CVE-2025-70986. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-70986?

Within 24 hours: Identify and inventory all RuoYi v4.8.2 instances in production and non-production environments; disable the selectDept function if operationally feasible or restrict network access to it. Within 7 days: Implement WAF rules to block suspicious selectDept requests; conduct access logs review for unauthorized department data access attempts; notify affected business units of potential exposure. Within 30 days: Upgrade to patched RuoYi version when available; perform comprehensive security audit of department data access logs; implement additional authentication/authorization controls on sensitive API endpoints.

Ruoyi CVE-2025-70986

HIGH

Improper Access Control (CWE-284)

2026-01-23 cve@mitre.org

Authentication Bypass Ruoyi

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 30, 2026 - 21:26 vuln.today

Public exploit code

CVE Published

Jan 23, 2026 - 19:15 nvd

HIGH 7.5

DescriptionCVE.org

Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data.

AnalysisAI

Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data. [CVSS 7.5 HIGH]

Technical ContextAI

Classified as CWE-284 (Improper Access Control). Affects the selectDept component of Ruoyi. Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2025-70986 vulnerability details – vuln.today

Back

Ruoyi CVE-2025-70986

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code