CVE-2025-10276 MEDIUM

CVE-2025-10276: YunaiV ruoyi-vue-pro transfer improper authorization

Vendor Yunaiv
Product ruoyi-vue-pro
Weakness CWE-285
Published September 12, 2025
Last update September 12, 2025
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A security vulnerability has been detected in YunaiV ruoyi-vue-pro up to 2025.09. This vulnerability affects unknown code of the file /crm/contract/transfer. The manipulation of the argument id/newOwnerUserId leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

September 12, 2025 CVE published
September 12, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-11879 GenerateBlocks <= 2.1.1 - Improper Authorization to Authenticated (Contributor+) Arbitrary Options Disclosure CVE-2026-5642 Cyber-III Student-Management-System HTTP POST Request update.php improper authorization CVE-2020-1998 PAN-OS: Improper SAML SSO authorization of shared local users CVE-2025-13806 nutzam NutzBoot Transaction API EthModule.java improper authorization CVE-2025-2850 GL.iNet GL-A1300 Slate Plus Download Interface improper authorization