
RuoYi CVE-2025-7902

Severity: LOW
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2025-07-20 (CNA: cna@vuldb.com)
Score: 2.0 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive (P)
Scope: X (not defined)

Lifecycle Timeline

1. Analysis generated: Apr 29, 2026, 01:25 (vuln.today)

Description (source: CVE.org)

A vulnerability classified as problematic has been found in yangzongzhuan RuoYi up to 4.8.1. Affected is the function addSave of the file com/ruoyi/web/controller/system/SysNoticeController.java. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI-generated)

Stored cross-site scripting (XSS) in RuoYi up to version 4.8.1 allows authenticated users to inject malicious scripts via the SysNoticeController.addSave function, compromising integrity of system notices. The vulnerability requires user interaction and authenticated access but has a publicly available proof-of-concept. With an EPSS score of 0.05%, exploitation remains unlikely in practice despite the public disclosure.

Technical Context (AI-generated)

The vulnerability exists in the com/ruoyi/web/controller/system/SysNoticeController.java file, specifically in the addSave method responsible for handling notice creation. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating that user-supplied input is not properly sanitized before being stored and rendered in the web interface. RuoYi, an open-source Java-based rapid development framework, fails to perform adequate output encoding or input validation on the notice content parameter, allowing attackers to embed JavaScript payloads that execute when other users view the stored notice.

Remediation (AI-generated)

Apply the security patch released by the RuoYi project following the public disclosure on GitHub issue #294 (https://github.com/yangzongzhuan/RuoYi/issues/294). Upgrade to version 4.8.2 or later once available. If an immediate patch is unavailable, implement input validation and output encoding in the SysNoticeController.addSave method to sanitize notice content before storage, using a Java HTML sanitizer library such as OWASP ESAPI or HtmlCleaner. Alternatively, restrict notice creation to trusted administrative users only by implementing stricter role-based access control (RBAC) on the notice management endpoint. Additionally, implement Content Security Policy (CSP) headers to mitigate XSS impact at the browser level, though this does not eliminate the underlying vulnerability. Each workaround carries trade-offs: input sanitization may alter legitimate notice formatting, access restrictions reduce functionality, and CSP alone leaves the stored payload intact.
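The following is an added example of the interim mitigation described above; it is not code from the RuoYi project. It assumes a notice bean with getNoticeTitle/getNoticeContent accessors (assumed names, modelled on the SysNotice entity the advisory refers to), and it swaps in two OWASP libraries that are on the same footing as the ESAPI/HtmlCleaner options named in the text: the OWASP Java HTML Sanitizer (whitelist-based, for a notice body that is meant to carry HTML formatting) and the OWASP Java Encoder (for plain-text fields such as the title). A servlet filter shows the CSP header as a second, browser-level layer.

```java
// Added example, not RuoYi project code. Assumes the following Maven
// dependencies (both real OWASP projects):
//   com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer
//   org.owasp.encoder:encoder
// and a notice bean with getNoticeTitle()/setNoticeTitle() and
// getNoticeContent()/setNoticeContent() (assumed accessor names).
package com.example.notice; // hypothetical package

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.owasp.encoder.Encode;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/** Normalises notice input before it is stored (defence in depth). */
public final class NoticeInputHardening {

    // Whitelist policy for the notice body: basic formatting, block
    // elements and links. Elements and attributes outside the whitelist
    // (script, style, event handlers, javascript: URLs) are removed.
    private static final PolicyFactory BODY_POLICY =
        Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.LINKS);

    private NoticeInputHardening() {}

    /** Notice body: keep safe markup, drop everything else. */
    public static String sanitizeBody(String untrustedHtml) {
        return untrustedHtml == null ? null : BODY_POLICY.sanitize(untrustedHtml);
    }

    /** Notice title is plain text: HTML-encode it so markup cannot render. */
    public static String encodeTitle(String untrustedText) {
        return untrustedText == null ? null : Encode.forHtml(untrustedText);
    }

    /**
     * Call this at the top of the create/update handler (the advisory's
     * addSave) before the notice is handed to the service layer.
     * SysNotice here is the assumed bean type.
     */
    public static void harden(SysNotice notice) {
        notice.setNoticeTitle(encodeTitle(notice.getNoticeTitle()));
        notice.setNoticeContent(sanitizeBody(notice.getNoticeContent()));
    }

    /**
     * Browser-level mitigation from the advisory: a restrictive CSP. Note
     * that this does not remove a stored payload, and if the application
     * relies on inline scripts this policy will break them, so tune it
     * before deploying.
     */
    public static final class CspFilter implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            ((HttpServletResponse) res).setHeader("Content-Security-Policy",
                "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
            chain.doFilter(req, res);
        }
    }

    // Minimal stand-in for the assumed bean so the file compiles on its own.
    public static final class SysNotice {
        private String noticeTitle;
        private String noticeContent;
        public String getNoticeTitle() { return noticeTitle; }
        public void setNoticeTitle(String t) { noticeTitle = t; }
        public String getNoticeContent() { return noticeContent; }
        public void setNoticeContent(String c) { noticeContent = c; }
    }

    public static void main(String[] args) {
        // Constructed sample input: a notice carrying markup a sanitizer
        // must neutralise (script element, event-handler attribute).
        SysNotice n = new SysNotice();
        n.setNoticeTitle("Maintenance <b>tonight</b>");
        n.setNoticeContent("<p>Window: 22:00</p><script>alert(1)</script>"
            + "<img src=x onerror=alert(1)><a href=\"https://example.com\">Details</a>");
        harden(n);
        // The title renders as literal text; in the body the script element
        // and the onerror attribute do not survive, while <p> and the link do.
        System.out.println(n.getNoticeTitle());
        System.out.println(n.getNoticeContent());
    }
}
```

The sanitizer runs at storage time only because that is the workaround the advisory describes; the durable fix is still output encoding at render time, since a whitelist policy applied on input has to be re-run whenever the allowed markup changes. Registering CspFilter (for example with a FilterRegistrationBean in a Spring Boot application) is left to the deployment.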


CVE-2025-7902 vulnerability details – vuln.today
