
dromara — Vulnerabilities & Security Advisories (26)

Browse all 26 CVE security advisories affecting dromara. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Dromara is an open-source ecosystem primarily focused on providing rapid development frameworks and enterprise-level solutions for Java-based applications. Its core offerings include modular platforms designed to streamline backend development, often serving as the foundation for various commercial and internal enterprise systems. Security audits have identified twenty-six Common Vulnerabilities and Exposures (CVEs) associated with components within this ecosystem. Historically, these vulnerabilities predominantly manifest as Remote Code Execution (RCE) flaws, often stemming from insecure deserialization or improper input validation in underlying libraries. Additionally, instances of Cross-Site Scripting (XSS) and privilege escalation vulnerabilities have been documented, typically arising from misconfigured access controls or outdated dependencies. While no single catastrophic incident has defined the project’s public history, the accumulation of CVEs highlights the necessity for rigorous dependency management and regular patching. Developers utilizing Dromara-based architectures must prioritize updating framework versions to mitigate these known risks and ensure system integrity.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-7699 | Dromara MaxKey StrUtils.java StrUtils.checkSqlInjection sql injection | MaxKey | CWE-89 | 6.3 | Medium | 2026-05-03 |
| CVE-2026-6125 | Dromara warm-flow Workflow Definition save-json SpelHelper.parseExpression code injection | warm-flow | CWE-94 | 6.3 | Medium | 2026-04-12 |
| CVE-2026-5529 | Dromara lamp-cloud DefUserController pageUser improper authorization | lamp-cloud | CWE-285 | 4.3 | Medium | 2026-04-05 |
| CVE-2026-2954 | Dromara UJCMS ImportDataController import-channel importChanel injection | UJCMS | CWE-74 | 6.3 | Medium | 2026-02-22 |
| CVE-2026-2953 | Dromara UJCMS Template WebFileTemplateController.delete deleteDirectory path traversal | UJCMS | CWE-22 | 5.4 | Medium | 2026-02-22 |
| CVE-2026-2819 | Dromara RuoYi-Vue-Plus Workflow deleteByInstanceIds SaServletFilter authorization | RuoYi-Vue-Plus | CWE-862 | 6.3 | Medium | 2026-02-20 |
| CVE-2025-15222 | Dromara Sa-Token SaSerializerTemplateForJdkUseBase64.java ObjectInputStream.readObject deserialization | Sa-Token | CWE-502 | 5.0 | Medium | 2025-12-30 |
| CVE-2025-15117 | Dromara Sa-Token SaJdkSerializer.java ObjectInputStream.readObject deserialization | Sa-Token | CWE-502 | 3.1 | Low | 2025-12-28 |
| CVE-2025-13268 | Dromara dataCompare JDBC URL DbconfigServiceImpl.java DbConfig injection | dataCompare | CWE-74 | 6.3 | Medium | 2025-11-17 |
| CVE-2025-7552 | Dromara Northstar Path AuthorizationInterceptor.java preHandle access control | Northstar | CWE-284 | 6.3 | Medium | 2025-07-13 |
| CVE-2025-6925 | Dromara RuoYi-Vue-Plus Mail MailController.java path traversal | RuoYi-Vue-Plus | CWE-22 | 5.3 | Medium | 2025-06-30 |
| CVE-2025-6517 | Dromara MaxKey Meta URL SAML20DetailsController.java add server-side request forgery | MaxKey | CWE-918 | 6.3 | Medium | 2025-06-23 |
| CVE-2025-2491 | Dromara ujcms Edit Template File Page WebFileTemplateController.java update cross site scripting | ujcms | CWE-79 | 2.4 | Low | 2025-03-18 |
| CVE-2025-2490 | Dromara ujcms File Upload WebFileUploadController.java upload cross site scripting | ujcms | CWE-79 | 2.4 | Low | 2025-03-18 |
| CVE-2024-12483 | Dromara UJCMS User ID id authorization | UJCMS | CWE-639 | 3.7 | Low | 2024-12-11 |
| CVE-2024-3928 | Dromara open-capacity-platform auth-server heapdump information disclosure | open-capacity-platform | CWE-200 | 4.3 | Medium | 2024-04-17 |
| CVE-2023-51389 | HertzBeat SnakeYAML Deser RCE | hertzbeat | CWE-502 | 9.8 | Critical | 2024-02-22 |
| CVE-2023-51388 | HertzBeat AviatorScript Inject RCE | hertzbeat | CWE-74 | 9.8 | Critical | 2024-02-22 |
| CVE-2023-51653 | Hertzbeat JMX JNDI RCE | hertzbeat | CWE-74 | 9.8 | Critical | 2024-02-22 |
| CVE-2023-51650 | Unauthorized access vulnerability on three interfaces | hertzbeat | CWE-862 | 7.5 | High | 2023-12-22 |
| CVE-2023-51387 | Expression Injection Vulnerability in Hertzbeat | hertzbeat | CWE-94 | 7.2 | High | 2023-12-22 |
| CVE-2022-39337 | Permission bypass due to incorrect configuration in github.com/dromara/hertzbeat | hertzbeat | CWE-284 | 7.5 | High | 2023-12-22 |
| CVE-2023-3276 | Dromara HuTool XML Parsing Module XmlUtil.java readBySax xml external entity reference | HuTool | CWE-611 | 5.5 | Medium | 2023-06-15 |
| CVE-2023-2476 | Dromara J2eeFAST Announcement cross site scripting | J2eeFAST | CWE-79 | 3.5 | Low | 2023-05-02 |
| CVE-2023-2475 | Dromara J2eeFAST System Message cross site scripting | J2eeFAST | CWE-79 | 3.5 | Low | 2023-05-02 |
| CVE-2022-4565 | Dromara HuTool cn.hutool.core.util.ZipUtil.java resource consumption | HuTool | CWE-404 | 4.3 | Medium | 2022-12-16 |

This page lists every published CVE security advisory associated with dromara. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.