GHSA-pv3j-frmx-3v9qHighCVSS 6.5

ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization...

Published
June 29, 2026
Last Modified
June 29, 2026

🔗 CVE IDs covered (1)

📋 Description

ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this by sending requests with arbitrary ID parameters to access other users' follow-up notes, file attachments, scheduling information, and business entity references without proper authorization checks.

🔗 References (5)