CWE-266
Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CVE-2026-10269 (GCVE-0-2026-10269)
Vulnerability from cvelistv5 – Published: 2026-06-01 15:15 – Updated: 2026-06-01 19:26 X_Open Source
VLAI
Title
decolua 9router HTTP Header dashboardGuard.js isAuthenticated improper authorization
Summary
A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367548 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367548/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10269 | third-party-advisory |
| https://vuldb.com/submit/825188 | third-party-advisory |
| https://github.com/decolua/9router/issues/742 | issue-tracking |
| https://github.com/decolua/9router/commit/428e2c0… | patch |
| https://github.com/decolua/9router/releases/tag/v0.4.1 | patch |
| https://github.com/decolua/9router/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10269",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:26:23.888695Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:26:34.067Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:h:decolua:9router:*:*:*:*:*:*:*:*"
],
"modules": [
"HTTP Header Handler"
],
"product": "9router",
"vendor": "decolua",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2"
},
{
"status": "affected",
"version": "0.3"
},
{
"status": "affected",
"version": "0.4.0"
},
{
"status": "unaffected",
"version": "0.4.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "brad (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T15:15:09.660Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367548 | decolua 9router HTTP Header dashboardGuard.js isAuthenticated improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367548"
},
{
"name": "VDB-367548 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367548/cti"
},
{
"name": "CVE-2026-10269 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10269"
},
{
"name": "Submit #825188 | decolua 9router \u003e= 0.2.72, \u003c 0.4.1 Origin Validation Error",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825188"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/decolua/9router/issues/742"
},
{
"tags": [
"patch"
],
"url": "https://github.com/decolua/9router/commit/428e2c045cb9c0eb8080e8b580471a9c2eaa95ca"
},
{
"tags": [
"patch"
],
"url": "https://github.com/decolua/9router/releases/tag/v0.4.1"
},
{
"tags": [
"product"
],
"url": "https://github.com/decolua/9router/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T16:16:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "decolua 9router HTTP Header dashboardGuard.js isAuthenticated improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10269",
"datePublished": "2026-06-01T15:15:09.660Z",
"dateReserved": "2026-05-31T14:09:33.434Z",
"dateUpdated": "2026-06-01T19:26:34.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10272 (GCVE-0-2026-10272)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:00 – Updated: 2026-06-01 17:47
VLAI
Title
a4m4 Student-Management-System deleteform.php improper authorization
Summary
A vulnerability has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The impacted element is an unknown function of the file admin/deleteform.php. Such manipulation of the argument sid leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367551 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367551/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10272 | third-party-advisory |
| https://vuldb.com/submit/825241 | third-party-advisory |
| https://github.com/a4m4/Student-Management-System… | exploitissue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| a4m4 | Student-Management-System |
Affected:
f0c5f6842c5e8c431ff02b5260a565ca844df3a0
cpe:2.3:a:a4m4:student-management-system:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10272",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T17:46:52.999822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:47:00.257Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:a4m4:student-management-system:*:*:*:*:*:*:*:*"
],
"product": "Student-Management-System",
"vendor": "a4m4",
"versions": [
{
"status": "affected",
"version": "f0c5f6842c5e8c431ff02b5260a565ca844df3a0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "oxygen (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The impacted element is an unknown function of the file admin/deleteform.php. Such manipulation of the argument sid leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.4,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:00:09.387Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367551 | a4m4 Student-Management-System deleteform.php improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367551"
},
{
"name": "VDB-367551 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367551/cti"
},
{
"name": "CVE-2026-10272 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10272"
},
{
"name": "Submit #825241 | a4m4 Student-Management-System--PHP- 1.0 Unauthenticated Access",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825241"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/a4m4/Student-Management-System--PHP-/issues/3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T16:21:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "a4m4 Student-Management-System deleteform.php improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10272",
"datePublished": "2026-06-01T16:00:09.387Z",
"dateReserved": "2026-05-31T14:16:11.213Z",
"dateUpdated": "2026-06-01T17:47:00.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10277 (GCVE-0-2026-10277)
Vulnerability from cvelistv5 – Published: 2026-06-01 17:15 – Updated: 2026-06-01 19:34 X_Open Source
VLAI
Title
j3k0 mcp-google-workspace MCP Gmail Tool gmail.ts saveToDisk access control
Summary
A vulnerability was found in j3k0 mcp-google-workspace up to 831790e7d5c2663325733d9f5579cc339a267c4c. This issue affects the function saveToDisk of the file src/tools/gmail.ts of the component MCP Gmail Tool. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 89c091ecf8b9f9c7291d1af0b1966e271f86551c. It is suggested to install a patch to address this issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367570 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367570/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10277 | third-party-advisory |
| https://vuldb.com/submit/825416 | third-party-advisory |
| https://github.com/j3k0/mcp-google-workspace/issues/19 | exploitissue-tracking |
| https://github.com/j3k0/mcp-google-workspace/pull/22 | issue-trackingpatch |
| https://github.com/j3k0/mcp-google-workspace/comm… | patch |
| https://github.com/j3k0/mcp-google-workspace/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| j3k0 | mcp-google-workspace |
Affected:
831790e7d5c2663325733d9f5579cc339a267c4c
cpe:2.3:a:j3k0:mcp-google-workspace:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10277",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:34:18.811378Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:34:35.621Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:j3k0:mcp-google-workspace:*:*:*:*:*:*:*:*"
],
"modules": [
"MCP Gmail Tool"
],
"product": "mcp-google-workspace",
"vendor": "j3k0",
"versions": [
{
"status": "affected",
"version": "831790e7d5c2663325733d9f5579cc339a267c4c"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ccccccctfi (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in j3k0 mcp-google-workspace up to 831790e7d5c2663325733d9f5579cc339a267c4c. This issue affects the function saveToDisk of the file src/tools/gmail.ts of the component MCP Gmail Tool. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 89c091ecf8b9f9c7291d1af0b1966e271f86551c. It is suggested to install a patch to address this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:15:10.146Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367570 | j3k0 mcp-google-workspace MCP Gmail Tool gmail.ts saveToDisk access control",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367570"
},
{
"name": "VDB-367570 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367570/cti"
},
{
"name": "CVE-2026-10277 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10277"
},
{
"name": "Submit #825416 | j3k0 mcp-google-workspace 1.0.0 Arbitrary File Write",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825416"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/j3k0/mcp-google-workspace/issues/19"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/j3k0/mcp-google-workspace/pull/22"
},
{
"tags": [
"patch"
],
"url": "https://github.com/j3k0/mcp-google-workspace/commit/89c091ecf8b9f9c7291d1af0b1966e271f86551c"
},
{
"tags": [
"product"
],
"url": "https://github.com/j3k0/mcp-google-workspace/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T18:11:11.000Z",
"value": "VulDB entry last update"
}
],
"title": "j3k0 mcp-google-workspace MCP Gmail Tool gmail.ts saveToDisk access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10277",
"datePublished": "2026-06-01T17:15:10.146Z",
"dateReserved": "2026-05-31T16:06:06.795Z",
"dateUpdated": "2026-06-01T19:34:35.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10282 (GCVE-0-2026-10282)
Vulnerability from cvelistv5 – Published: 2026-06-01 18:30 – Updated: 2026-06-01 19:36
VLAI
Title
Bottelet DaybydayCRM DocumentsController.php view improper authorization
Summary
A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to improper authorization. The attack may be launched remotely. It is best practice to apply a patch to resolve this issue.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367575 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367575/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10282 | third-party-advisory |
| https://vuldb.com/submit/825439 | third-party-advisory |
| https://vuldb.com/submit/825440 | third-party-advisory |
| https://github.com/Bottelet/DaybydayCRM/issues/347 | issue-tracking |
| https://github.com/Bottelet/DaybydayCRM/pull/362 | issue-trackingpatch |
| https://github.com/Bottelet/DaybydayCRM/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Bottelet | DaybydayCRM |
Affected:
2.2.0
Affected: 2.2.1 cpe:2.3:a:bottelet:daybydaycrm:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10282",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:35:56.101906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:36:10.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:bottelet:daybydaycrm:*:*:*:*:*:*:*:*"
],
"product": "DaybydayCRM",
"vendor": "Bottelet",
"versions": [
{
"status": "affected",
"version": "2.2.0"
},
{
"status": "affected",
"version": "2.2.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mitchell45 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to improper authorization. The attack may be launched remotely. It is best practice to apply a patch to resolve this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T18:30:13.342Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367575 | Bottelet DaybydayCRM DocumentsController.php view improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367575"
},
{
"name": "VDB-367575 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367575/cti"
},
{
"name": "CVE-2026-10282 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10282"
},
{
"name": "Submit #825439 | Bottelet DaybydayCRM \u003c= 2.2.1 Insecure Direct Object Reference (IDOR) / Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825439"
},
{
"name": "Submit #825440 | Bottelet DaybydayCRM \u003c= 2.2.1 Improper Authorization (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825440"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Bottelet/DaybydayCRM/issues/347"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/Bottelet/DaybydayCRM/pull/362"
},
{
"tags": [
"product"
],
"url": "https://github.com/Bottelet/DaybydayCRM/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T18:31:04.000Z",
"value": "VulDB entry last update"
}
],
"title": "Bottelet DaybydayCRM DocumentsController.php view improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10282",
"datePublished": "2026-06-01T18:30:13.342Z",
"dateReserved": "2026-05-31T16:25:56.939Z",
"dateUpdated": "2026-06-01T19:36:10.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10284 (GCVE-0-2026-10284)
Vulnerability from cvelistv5 – Published: 2026-06-01 19:00 – Updated: 2026-06-03 16:04
VLAI
Title
DevaslanPHP project-management Livewire ViewTicket.php doDeleteComment improper authorization
Summary
A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367577 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367577/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10284 | third-party-advisory |
| https://vuldb.com/submit/825473 | third-party-advisory |
| https://github.com/devaslanphp/project-management… | issue-tracking |
| https://github.com/devaslanphp/project-management/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| DevaslanPHP | project-management |
Affected:
2.0.0-beta1
cpe:2.3:a:devaslanphp:project-management:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10284",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T16:04:38.299070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T16:04:54.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:devaslanphp:project-management:*:*:*:*:*:*:*:*"
],
"modules": [
"Livewire Handler"
],
"product": "project-management",
"vendor": "DevaslanPHP",
"versions": [
{
"status": "affected",
"version": "2.0.0-beta1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mitchell45 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:ND/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:00:09.664Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367577 | DevaslanPHP project-management Livewire ViewTicket.php doDeleteComment improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367577"
},
{
"name": "VDB-367577 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367577/cti"
},
{
"name": "CVE-2026-10284 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10284"
},
{
"name": "Submit #825473 | devaslanphp project-management \u003c 2.0.0-beta1 Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825473"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/devaslanphp/project-management/issues/140"
},
{
"tags": [
"product"
],
"url": "https://github.com/devaslanphp/project-management/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T18:35:17.000Z",
"value": "VulDB entry last update"
}
],
"title": "DevaslanPHP project-management Livewire ViewTicket.php doDeleteComment improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10284",
"datePublished": "2026-06-01T19:00:09.664Z",
"dateReserved": "2026-05-31T16:30:10.696Z",
"dateUpdated": "2026-06-03T16:04:54.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10285 (GCVE-0-2026-10285)
Vulnerability from cvelistv5 – Published: 2026-06-01 19:15 – Updated: 2026-06-02 12:22
VLAI
Title
DevaslanPHP project-management Ticket KanbanScrumHelper.php recordUpdated improper authorization
Summary
A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367578 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367578/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10285 | third-party-advisory |
| https://vuldb.com/submit/825475 | third-party-advisory |
| https://github.com/devaslanphp/project-management… | broken-linkissue-tracking |
| https://github.com/devaslanphp/project-management/ | broken-linkproduct |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| DevaslanPHP | project-management |
Affected:
2.0.0-beta1
cpe:2.3:a:devaslanphp:project-management:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10285",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T12:21:46.930341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T12:22:08.130Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:devaslanphp:project-management:*:*:*:*:*:*:*:*"
],
"modules": [
"Ticket Handler"
],
"product": "project-management",
"vendor": "DevaslanPHP",
"versions": [
{
"status": "affected",
"version": "2.0.0-beta1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mitchell_45 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:ND/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:15:26.718Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367578 | DevaslanPHP project-management Ticket KanbanScrumHelper.php recordUpdated improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367578"
},
{
"name": "VDB-367578 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367578/cti"
},
{
"name": "CVE-2026-10285 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10285"
},
{
"name": "Submit #825475 | devaslanphp project-management \u003c 2.0.0-beta1 Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825475"
},
{
"tags": [
"broken-link",
"issue-tracking"
],
"url": "https://github.com/devaslanphp/project-management/issues/141"
},
{
"tags": [
"broken-link",
"product"
],
"url": "https://github.com/devaslanphp/project-management/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T18:35:20.000Z",
"value": "VulDB entry last update"
}
],
"title": "DevaslanPHP project-management Ticket KanbanScrumHelper.php recordUpdated improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10285",
"datePublished": "2026-06-01T19:15:26.718Z",
"dateReserved": "2026-05-31T16:30:13.123Z",
"dateUpdated": "2026-06-02T12:22:08.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10294 (GCVE-0-2026-10294)
Vulnerability from cvelistv5 – Published: 2026-06-01 21:30 – Updated: 2026-06-02 12:31
VLAI
Title
PackageKit API pk-transaction.c g_file_test improper authorization
Summary
A vulnerability has been found in PackageKit up to 1.3.5. Affected is the function g_file_test of the file src/pk-transaction.c of the component API. Such manipulation of the argument frontend-socket leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367587 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367587/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10294 | third-party-advisory |
| https://vuldb.com/submit/826470 | third-party-advisory |
| https://github.com/PackageKit/PackageKit/issues/969 | exploitissue-tracking |
| https://github.com/PackageKit/PackageKit/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | PackageKit |
Affected:
1.3.0
Affected: 1.3.1 Affected: 1.3.2 Affected: 1.3.3 Affected: 1.3.4 Affected: 1.3.5 cpe:2.3:a:packagekit:packagekit:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10294",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T12:30:53.226732Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T12:31:04.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:packagekit:packagekit:*:*:*:*:*:*:*:*"
],
"modules": [
"API"
],
"product": "PackageKit",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "1.3.0"
},
{
"status": "affected",
"version": "1.3.1"
},
{
"status": "affected",
"version": "1.3.2"
},
{
"status": "affected",
"version": "1.3.3"
},
{
"status": "affected",
"version": "1.3.4"
},
{
"status": "affected",
"version": "1.3.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Rosa Yu (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in PackageKit up to 1.3.5. Affected is the function g_file_test of the file src/pk-transaction.c of the component API. Such manipulation of the argument frontend-socket leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T21:30:08.461Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367587 | PackageKit API pk-transaction.c g_file_test improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367587"
},
{
"name": "VDB-367587 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367587/cti"
},
{
"name": "CVE-2026-10294 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10294"
},
{
"name": "Submit #826470 | PackageKit v1.3.5 Incorrect Use of Privileged APIs",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/826470"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/PackageKit/PackageKit/issues/969"
},
{
"tags": [
"product"
],
"url": "https://github.com/PackageKit/PackageKit/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T19:58:28.000Z",
"value": "VulDB entry last update"
}
],
"title": "PackageKit API pk-transaction.c g_file_test improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10294",
"datePublished": "2026-06-01T21:30:08.461Z",
"dateReserved": "2026-05-31T17:52:58.886Z",
"dateUpdated": "2026-06-02T12:31:04.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10693 (GCVE-0-2026-10693)
Vulnerability from cvelistv5 – Published: 2026-06-03 00:00 – Updated: 2026-06-03 14:07 X_Freeware
VLAI
Title
SourceCodester Online Boat Reservation System Administrative Endpoint improper authorization
Summary
A security vulnerability has been detected in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the component Administrative Endpoint. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Multiple endpoints are affected.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367962 | vdb-entry |
| https://vuldb.com/vuln/367962/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10693 | third-party-advisory |
| https://vuldb.com/submit/830894 | third-party-advisory |
| https://medium.com/@hemantrajbhati5555/broken-acc… | broken-linkexploit |
| https://www.sourcecodester.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Online Boat Reservation System |
Affected:
1.0
cpe:2.3:a:sourcecodester:online_boat_reservation_system:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10693",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T13:17:37.731971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T14:07:35.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:online_boat_reservation_system:*:*:*:*:*:*:*:*"
],
"modules": [
"Administrative Endpoint"
],
"product": "Online Boat Reservation System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Hemant Raj Bhati (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the component Administrative Endpoint. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Multiple endpoints are affected."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T00:00:12.858Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367962 | SourceCodester Online Boat Reservation System Administrative Endpoint improper authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/367962"
},
{
"name": "VDB-367962 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367962/cti"
},
{
"name": "CVE-2026-10693 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10693"
},
{
"name": "Submit #830894 | SourceCodester Online Boat Reservation System 1.0 Broken Access Control",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/830894"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://medium.com/@hemantrajbhati5555/broken-access-control-in-sourcecodester-online-boat-reservation-system-1-0-4ed0380d2222"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-06-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-02T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-02T17:49:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Online Boat Reservation System Administrative Endpoint improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10693",
"datePublished": "2026-06-03T00:00:12.858Z",
"dateReserved": "2026-06-02T15:44:47.102Z",
"dateUpdated": "2026-06-03T14:07:35.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10876 (GCVE-0-2026-10876)
Vulnerability from cvelistv5 – Published: 2026-06-04 23:30 – Updated: 2026-06-04 23:30 X_Freeware
VLAI
Title
SourceCodester Ship Ferry Ticket Reservation System admin improper authorization
Summary
A weakness has been identified in SourceCodester Ship Ferry Ticket Reservation System 1.0. This affects an unknown function of the file /admin/. This manipulation of the argument page causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Severity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/368366 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/368366/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10876 | third-party-advisory |
| https://vuldb.com/submit/831870 | third-party-advisory |
| https://medium.com/@hemantrajbhati5555/missing-au… | broken-linkexploit |
| https://www.sourcecodester.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Ship Ferry Ticket Reservation System |
Affected:
1.0
cpe:2.3:a:sourcecodester:ship_ferry_ticket_reservation_system:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:ship_ferry_ticket_reservation_system:*:*:*:*:*:*:*:*"
],
"product": "Ship Ferry Ticket Reservation System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Hemant Raj Bhati (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in SourceCodester Ship Ferry Ticket Reservation System 1.0. This affects an unknown function of the file /admin/. This manipulation of the argument page causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T23:30:10.693Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-368366 | SourceCodester Ship Ferry Ticket Reservation System admin improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/368366"
},
{
"name": "VDB-368366 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/368366/cti"
},
{
"name": "CVE-2026-10876 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10876"
},
{
"name": "Submit #831870 | SourceCodester Ship/Ferry Ticket Reservation System 1.0 Broken Access Control",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/831870"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://medium.com/@hemantrajbhati5555/missing-authorization-in-sourcecodester-ship-ferry-ticket-reservation-system-leads-to-unauthorized-7783134d6596"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-06-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-04T17:42:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Ship Ferry Ticket Reservation System admin improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10876",
"datePublished": "2026-06-04T23:30:10.693Z",
"dateReserved": "2026-06-04T15:37:09.025Z",
"dateUpdated": "2026-06-04T23:30:10.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1106 (GCVE-0-2026-1106)
Vulnerability from cvelistv5 – Published: 2026-01-18 00:02 – Updated: 2026-02-23 08:35 X_Open Source
VLAI
Title
Chamilo LMS Legal Consent SocialController.php deleteLegal improper authorization
Summary
A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.341698 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.341698 | signaturepermissions-required |
| https://vuldb.com/?submit.731510 | third-party-advisory |
| https://note-hxlab.wetolink.com/share/w92t1Q0a74Gj | exploit |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1106",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T17:21:15.405596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T17:21:22.468Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Legal Consent Handler"
],
"product": "LMS",
"vendor": "Chamilo",
"versions": [
{
"status": "affected",
"version": "2.0.0 Beta 1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "angelkate (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T08:35:10.532Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-341698 | Chamilo LMS Legal Consent SocialController.php deleteLegal improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.341698"
},
{
"name": "VDB-341698 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.341698"
},
{
"name": "Submit #731510 | Chamilo LMS \u003c= v2.0.0 Beta 1 SocialController IDOR - Legal Consent Data Manipulat",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.731510"
},
{
"tags": [
"exploit"
],
"url": "https://note-hxlab.wetolink.com/share/w92t1Q0a74Gj"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-01-17T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-17T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-01-19T17:48:54.000Z",
"value": "VulDB entry last update"
}
],
"title": "Chamilo LMS Legal Consent SocialController.php deleteLegal improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-1106",
"datePublished": "2026-01-18T00:02:09.172Z",
"dateReserved": "2026-01-17T08:37:17.795Z",
"dateUpdated": "2026-02-23T08:35:10.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-1
Phases: Architecture and Design, Operation
Description:
- Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation ID: MIT-17
Phases: Architecture and Design, Operation
Strategy: Environment Hardening
Description:
- Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.