Dromara

By the Year

In 2026 there have been 1 vulnerability in Dromara with an average score of 6.3 out of ten. Last year, in 2025 Dromara had 3 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Dromara in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.50.

Recent Dromara Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-2819	Feb 20, 2026	Missing Auth in Dromara RuoYi-Vue-Plus 5.5.3 Workflow Module SaServletFilter A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.5.3. This vulnerability affects the function SaServletFilter of the file /workflow/instance/deleteByInstanceIds of the component Workflow Module. The manipulation leads to missing authorization. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.	Ruoyi Vue Plus
CVE-2025-15222	Dec 30, 2025	A vulnerability has been found in Dromara Sa-Token up to 1.44.0 A vulnerability has been found in Dromara Sa-Token up to 1.44.0. This issue affects the function ObjectInputStream.readObject of the file SaSerializerTemplateForJdkUseBase64.java. Such manipulation leads to deserialization. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-15117	Dec 28, 2025	Dromara Sa-Token <=1.44.0: Remote Deserialization via SaJdkSerializer A weakness has been identified in Dromara Sa-Token up to 1.44.0. This affects the function ObjectInputStream.readObject of the file SaJdkSerializer.java. Executing manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-13268	Nov 17, 2025	Dromara DataCompare <=1.0.1 JDBC URL Injection Remote A flaw has been found in Dromara dataCompare up to 1.0.1. The affected element is the function DbConfig of the file src/main/java/com/vince/xq/project/system/dbconfig/service/DbconfigServiceImpl.java of the component JDBC URL Handler. Executing manipulation can lead to injection. The attack can be launched remotely. The exploit has been published and may be used.
CVE-2023-51650	Dec 22, 2023	Hertzbeat <1.4.1 Spring Boot Unauthorized Access Hertzbeat is an open source, real-time monitoring system. Prior to version 1.4.1, Spring Boot permission configuration issues caused unauthorized access vulnerabilities to three interfaces. This could result in disclosure of sensitive server information. Version 1.4.1 fixes this issue.	Hertzbeat
CVE-2023-51387	Dec 22, 2023	RCE via unsanitized alert expr in Hertzbeat < v1.4.1 Hertzbeat is an open source, real-time monitoring system. Hertzbeat uses aviatorscript to evaluate alert expressions. The alert expressions are supposed to be some simple expressions. However, due to improper sanitization for alert expressions in version prior to 1.4.1, a malicious user can use a crafted alert expression to execute any command on hertzbeat server. A malicious user who has access to alert define function can execute any command in hertzbeat instance. This issue is fixed in version 1.4.1.	Hertzbeat
CVE-2022-39337	Dec 22, 2023	Permission bypass in Hertzbeat v1.20 unauthorized access Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can be bypassed and invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue.	Hertzbeat
CVE-2023-31581	Oct 25, 2023	Dromara Sureness Hardcoded Key Vulnerability (before 1.0.8) Dromara Sureness before v1.0.8 was discovered to use a hardcoded key.	Sureness
CVE-2023-43961	Oct 25, 2023	Dromara SaToken <1.3.50RC Spring Dynamic Controllers Auth Bypass An issue in Dromara SaToken version 1.3.50RC and before when using Spring dynamic controllers, a specially crafted request may cause an authentication bypass.	Sa Token
CVE-2023-44794	Oct 25, 2023	SaToken v<1.36.0 Remote PE via Crafted Payload An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL.	Sa Token
CVE-2023-3276	Jun 15, 2023	XXE via XML External Entity in HuTool XML Parsing Module (<5.8.19) A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference. The exploit has been disclosed to the public and may be used. VDB-231626 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	Hutool