CVE Alert

CVE-2026-2819

MEDIUM 6.3

Dromara RuoYi-Vue-Plus Workflow deleteByInstanceIds SaServletFilter authorization

CVSS Score: 6.3
EPSS Score: 0.0%
EPSS Percentile: 0th

A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.5.3. This vulnerability affects the function SaServletFilter of the file /workflow/instance/deleteByInstanceIds of the component Workflow Module. The manipulation leads to missing authorization. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE: CWE-862, CWE-863
Vendor: dromara
Product: ruoyi-vue-plus
Published: Feb 20, 2026
Last Updated: Feb 23, 2026
CVSS v3 Breakdown

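CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: Low (C:L)
Integrity: Low (I:L)
Availability: Low (A:L)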

Affected Versions

Dromara / RuoYi-Vue-Plus
5.5.0 5.5.1 5.5.2 5.5.3

References

vuldb.com: https://vuldb.com/?id.346944
vuldb.com: https://vuldb.com/?ctiid.346944
vuldb.com: https://vuldb.com/?submit.753321

Credits

feng123123 (VulDB User)