CVE-2025-9410 MEDIUM

CVE-2025-9410: lostvip-com ruoyi-go GenTableDao.go SelectListByPage sql injection

Vendor Lostvip-Com
Product ruoyi-go
Weakness CWE-89 · SQLi
Published August 25, 2025
Last update August 25, 2025
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A weakness has been identified in lostvip-com ruoyi-go up to 2.1. The affected element is the function SelectListByPage of the file modules/system/dao/GenTableDao.go. Executing manipulation of the argument isAsc/orderByColumn can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

August 25, 2025 CVE published
August 25, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-7022 Tongda OA 2017 delete_all.php sql injection CVE-2025-62728 Apache Hive: SQL injection vulnerability when processing delete column statistics requests via the HMS Thrift APIs CVE-2026-3710 code-projects Simple Flight Ticket Booking System Adminadd.php sql injection CVE-2024-8436 WP Easy Gallery – WordPress Gallery Plugin <= 4.8.5 - Authenticated (Subscriber+) SQL Injection CVE-2025-13396 code-projects Courier Management System add-office.php sql injection