
RuoYi CVE-2025-7903

LOW
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2025-07-20 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026, 01:25 (vuln.today)

Description (CVE.org)

A vulnerability classified as problematic was found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the component Image Source Handler. The manipulation leads to improper restriction of rendered UI layers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

Improper restriction of rendered UI layers in RuoYi up to version 4.8.1 allows authenticated remote attackers to manipulate image source handling, leading to unauthorized UI layer visibility or modification. The CVSS score of 2.1 reflects a limited integrity impact (VI:L) that requires authenticated access (PR:L); the low EPSS score (0.05%, 15th percentile) suggests this vulnerability has minimal real-world exploitation probability despite publicly available exploit code.

Technical Context (AI)

The vulnerability resides in the Image Source Handler component of RuoYi, a Java-based rapid development framework. CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) indicates the root cause is inadequate control over which UI elements are presented to users, potentially exposing sensitive information or allowing unauthorized modifications through improper layer isolation. The CVSSv4 vector (AV:N/AC:L/PR:L) specifies network-accessible exploitation requiring low authentication privileges, meaning a low-privileged authenticated user can reach the affected functionality over the network without further escalation.

Remediation (AI)

Upgrade RuoYi to a patched version released after 4.8.1; however, the specific patched version number is not confirmed in available references. Organizations should consult the official RuoYi GitHub repository (https://github.com/yangzongzhuan/RuoYi) and issue tracker (https://github.com/yangzongzhuan/RuoYi/issues/295) for the latest available release. As an interim compensating control, restrict image source handler functionality to non-sensitive UI elements or disable dynamic image loading in authenticated sessions if operationally feasible. Implement Content Security Policy (CSP) headers, in particular frame-ancestors (the directive that controls which origins may frame the application and thus addresses CWE-1021-style framing issues), to restrict UI layer manipulation and XSS-related attacks. Monitor authenticated user sessions for unusual image source requests or UI modification attempts. These controls reduce attack surface while waiting for official patched releases.
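The following is an added example, not code from vuln.today or the RuoYi project, showing how a defender can audit a response's headers for the framing restrictions the remediation above recommends and generate the hardened header set to deploy. It goes slightly beyond the record's text: it covers both CSP frame-ancestors and the older X-Frame-Options header, and applies the CSP Level 2 rule that browsers ignore X-Frame-Options whenever frame-ancestors is present. All header sets, host names and the `_BROAD_SOURCES` treatment of scheme-only sources are constructed for the example.

```python
"""Framing-restriction audit for CWE-1021 mitigations (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FramingVerdict:
    restricted: bool  # True when framing is limited to a defined set of origins
    reason: str       # human-readable explanation for the audit log


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}.
    Directive names are lower-cased; source tokens keep their quotes so the
    'self' and 'none' keywords stay distinguishable from host names."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


# Source expressions that allow any origin (or any origin on a scheme) to frame the page.
_BROAD_SOURCES = {"*", "http:", "https:"}


def audit_framing(headers: Dict[str, str]) -> FramingVerdict:
    """Decide whether a response restricts who may embed it in a frame."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            # CSP Level 2: when frame-ancestors is present, X-Frame-Options is ignored,
            # so the CSP directive alone decides the verdict.
            if ancestors == ["'none'"]:
                return FramingVerdict(True, "frame-ancestors 'none' forbids all framing")
            if not ancestors:
                return FramingVerdict(False, "frame-ancestors has no source list; flag for review")
            if _BROAD_SOURCES & set(ancestors):
                return FramingVerdict(False, f"frame-ancestors is not restrictive: {ancestors}")
            return FramingVerdict(True, f"frame-ancestors limits framing to {' '.join(ancestors)}")
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        token = xfo.strip().upper()
        if token in ("DENY", "SAMEORIGIN"):
            return FramingVerdict(True, f"X-Frame-Options {token}")
        if token.startswith("ALLOW-FROM"):
            return FramingVerdict(False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers")
        return FramingVerdict(False, f"unrecognised X-Frame-Options value {xfo!r}")
    return FramingVerdict(False, "no frame-ancestors or X-Frame-Options header present")


def hardened_headers(allowed_origins: Optional[List[str]] = None) -> Dict[str, str]:
    """Headers to emit on every HTML response. With no allowed origins nothing may
    frame the page; otherwise only the page's own origin plus the listed origins may.
    X-Frame-Options is kept as a fallback for clients that predate CSP Level 2; it
    cannot express third-party origins, so SAMEORIGIN is the closest fallback."""
    if not allowed_origins:
        return {"Content-Security-Policy": "frame-ancestors 'none'",
                "X-Frame-Options": "DENY"}
    sources = " ".join(["'self'"] + list(allowed_origins))
    return {"Content-Security-Policy": f"frame-ancestors {sources}",
            "X-Frame-Options": "SAMEORIGIN"}


# Constructed sample responses (not captured from any real deployment).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_only": {"X-Frame-Options": "sameorigin"},
    "csp_none_overrides_xfo": {
        "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "ALLOW-FROM https://example.test",
    },
    "csp_without_frame_ancestors": {"Content-Security-Policy": "default-src 'self'",
                                    "X-Frame-Options": "DENY"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "obsolete_allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.test"},
}


def audit_all() -> Dict[str, bool]:
    """Run the audit over every sample and return name -> restricted flag."""
    return {name: audit_framing(h).restricted for name, h in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        verdict = audit_framing(headers)
        print(f"{name:30} restricted={verdict.restricted!s:5} {verdict.reason}")
    print("recommended:", hardened_headers())
```

Run the audit against responses captured from the application's authenticated pages; any page that returns `restricted=False` is a candidate for the interim CSP control described above, and `hardened_headers()` gives the pair of headers to add at the reverse proxy or in a servlet filter.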


