dromara CVE Vulnerabilities & Metrics

Focus on dromara vulnerabilities and metrics.

Last updated: 25 Nov 2025, 23:25 UTC

About dromara Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with dromara. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total dromara CVEs: 4
Earliest CVE date: 25 Oct 2023, 18:17 UTC
Latest CVE date: 30 Jun 2025, 18:15 UTC

Latest CVE reference: CVE-2025-6925

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical dromara CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 1.25

Max CVSS: 5.0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	3
4.0-6.9	1
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS dromara CVEs

These are the five CVEs with the highest CVSS scores for dromara, sorted by severity first and recency.

CVE-2025-6925 dromara Published on 30 Jun 2025, 18:15 UTC (CVSS: 5.0)
A vulnerability has been found in Dromara RuoYi-Vue-Plus 5.4.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /src/main/java/org/dromara/demo/controller/MailController.java of the component Mail Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the...
CVE-2023-44794 dromara Published on 25 Oct 2023, 18:17 UTC (CVSS: 0)
An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL.
CVE-2023-43961 dromara Published on 25 Oct 2023, 18:17 UTC (CVSS: 0)
An issue in Dromara SaToken version 1.3.50RC and before when using Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CVE-2023-31581 dromara Published on 25 Oct 2023, 18:17 UTC (CVSS: 0)
Dromara Sureness before v1.0.8 was discovered to use a hardcoded key.

All CVEs for dromara

CVE-2025-6925 dromara vulnerability CVSS: 5.0 30 Jun 2025, 18:15 UTC

A vulnerability has been found in Dromara RuoYi-Vue-Plus 5.4.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /src/main/java/org/dromara/demo/controller/MailController.java of the component Mail Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-44794 dromara vulnerability CVSS: 0 25 Oct 2023, 18:17 UTC

An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL.

CVE-2023-43961 dromara vulnerability CVSS: 0 25 Oct 2023, 18:17 UTC

An issue in Dromara SaToken version 1.3.50RC and before when using Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

CVE-2023-31581 dromara vulnerability CVSS: 0 25 Oct 2023, 18:17 UTC

Dromara Sureness before v1.0.8 was discovered to use a hardcoded key.