CWE-266
Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CVE-2026-1112 (GCVE-0-2026-1112)
Vulnerability from cvelistv5 – Published: 2026-01-18 06:02 – Updated: 2026-02-23 08:36
VLAI
Title
Sanluan PublicCMS Trade Address Deletion Endpoint TradeAddressController.java delete improper authorization
Summary
A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.341704 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.341704 | signaturepermissions-required |
| https://vuldb.com/?submit.732771 | third-party-advisory |
| https://github.com/AnalogyC0de/public_exp/issues/4 | exploitissue-tracking |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1112",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-21T18:48:44.068266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T18:53:22.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/AnalogyC0de/public_exp/issues/4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:publiccms:publiccms:*:*:*:*:*:*:*:*"
],
"modules": [
"Trade Address Deletion Endpoint"
],
"product": "PublicCMS",
"vendor": "Sanluan",
"versions": [
{
"status": "affected",
"version": "5.202506.a"
},
{
"status": "affected",
"version": "5.202506.b"
},
{
"status": "affected",
"version": "5.202506.c"
},
{
"status": "affected",
"version": "5.202506.d"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ana10gy (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T08:36:29.816Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-341704 | Sanluan PublicCMS Trade Address Deletion Endpoint TradeAddressController.java delete improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.341704"
},
{
"name": "VDB-341704 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.341704"
},
{
"name": "Submit #732771 | publiccms PublicCMS \u003c= V5.202506.d Insecure Direct Object Reference (IDOR)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.732771"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/AnalogyC0de/public_exp/issues/4"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-17T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-17T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-05T20:56:26.000Z",
"value": "VulDB entry last update"
}
],
"title": "Sanluan PublicCMS Trade Address Deletion Endpoint TradeAddressController.java delete improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-1112",
"datePublished": "2026-01-18T06:02:06.704Z",
"dateReserved": "2026-01-17T08:58:12.479Z",
"dateUpdated": "2026-02-23T08:36:29.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11336 (GCVE-0-2026-11336)
Vulnerability from cvelistv5 – Published: 2026-06-05 15:00 – Updated: 2026-06-05 15:00
VLAI
Title
tittuvarghese CollegeManagementSystem Admin admin_page.php improper authorization
Summary
A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the component Admin Interface. The manipulation of the argument UserAuthData leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Severity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/368874 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/368874/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11336 | third-party-advisory |
| https://vuldb.com/submit/832582 | third-party-advisory |
| https://github.com/tittuvarghese/CollegeManagemen… | exploitissue-tracking |
| https://github.com/tittuvarghese/CollegeManagemen… | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tittuvarghese | CollegeManagementSystem |
Affected:
3e476335cfbfb9a049e09f474c7ec885f69a9df3
Affected: a38852979f7e27ae67b610dce5979500ef8ebe01 cpe:2.3:a:tittuvarghese:collegemanagementsystem:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:tittuvarghese:collegemanagementsystem:*:*:*:*:*:*:*:*"
],
"modules": [
"Admin Interface"
],
"product": "CollegeManagementSystem",
"vendor": "tittuvarghese",
"versions": [
{
"status": "affected",
"version": "3e476335cfbfb9a049e09f474c7ec885f69a9df3"
},
{
"status": "affected",
"version": "a38852979f7e27ae67b610dce5979500ef8ebe01"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "wea5e1 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the component Admin Interface. The manipulation of the argument UserAuthData leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:00:16.287Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-368874 | tittuvarghese CollegeManagementSystem Admin admin_page.php improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/368874"
},
{
"name": "VDB-368874 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/368874/cti"
},
{
"name": "CVE-2026-11336 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11336"
},
{
"name": "Submit #832582 | tittuvarghese CollegeManagementSystem 1.0 Privilege Escalation",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/832582"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/tittuvarghese/CollegeManagementSystem/issues/5"
},
{
"tags": [
"product"
],
"url": "https://github.com/tittuvarghese/CollegeManagementSystem/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-05T10:15:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "tittuvarghese CollegeManagementSystem Admin admin_page.php improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11336",
"datePublished": "2026-06-05T15:00:16.287Z",
"dateReserved": "2026-06-05T08:10:07.777Z",
"dateUpdated": "2026-06-05T15:00:16.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1141 (GCVE-0-2026-1141)
Vulnerability from cvelistv5 – Published: 2026-01-19 06:02 – Updated: 2026-02-23 08:42 X_Freeware
VLAI
Title
PHPGurukul News Portal Add Sub-Admin add-subadmins.php improper authorization
Summary
A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.341733 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.341733 | signaturepermissions-required |
| https://vuldb.com/?submit.735483 | third-party-advisory |
| https://vuldb.com/?submit.736668 | third-party-advisory |
| https://github.com/Asim-QAZi/BrokenAccessControl-… | exploit |
| https://phpgurukul.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PHPGurukul | News Portal |
Affected:
1.0
cpe:2.3:a:phpgurukul:news_portal:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1141",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T21:26:45.920820Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T21:26:51.904Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:phpgurukul:news_portal:*:*:*:*:*:*:*:*"
],
"modules": [
"Add Sub-Admin Page"
],
"product": "News Portal",
"vendor": "PHPGurukul",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "moasim (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T08:42:58.178Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-341733 | PHPGurukul News Portal Add Sub-Admin add-subadmins.php improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.341733"
},
{
"name": "VDB-341733 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.341733"
},
{
"name": "Submit #735483 | PHPGurukul News Portal Project in PHP and MySql 1.0 Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.735483"
},
{
"name": "Submit #736668 | PHPGurukul News Portal v1.0 Authorization Bypass (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.736668"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Asim-QAZi/BrokenAccessControl-News-Portal-Project-in-PHP-and-MySQL-in-PHPGurukul"
},
{
"tags": [
"product"
],
"url": "https://phpgurukul.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-01-18T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-18T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-01-28T02:27:10.000Z",
"value": "VulDB entry last update"
}
],
"title": "PHPGurukul News Portal Add Sub-Admin add-subadmins.php improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-1141",
"datePublished": "2026-01-19T06:02:07.574Z",
"dateReserved": "2026-01-18T07:36:36.414Z",
"dateUpdated": "2026-02-23T08:42:58.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11438 (GCVE-0-2026-11438)
Vulnerability from cvelistv5 – Published: 2026-06-06 17:00 – Updated: 2026-06-06 17:00
VLAI
Title
theonedev projects improper authorization
Summary
A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended.
Severity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369018 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369018/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11438 | third-party-advisory |
| https://vuldb.com/submit/822944 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19994142 | related |
| https://github.com/theonedev/onedev/releases/tag/… | patch |
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*"
],
"product": "onedev",
"vendor": "theonedev",
"versions": [
{
"status": "affected",
"version": "15.0.0"
},
{
"status": "affected",
"version": "15.0.1"
},
{
"status": "affected",
"version": "15.0.2"
},
{
"status": "affected",
"version": "15.0.3"
},
{
"status": "affected",
"version": "15.0.4"
},
{
"status": "affected",
"version": "15.0.5"
},
{
"status": "unaffected",
"version": "15.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot88 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T17:00:14.794Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369018 | theonedev projects improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369018"
},
{
"name": "VDB-369018 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369018/cti"
},
{
"name": "CVE-2026-11438 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11438"
},
{
"name": "Submit #822944 | theonedev onedev 15.05 BOPLA",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/822944"
},
{
"tags": [
"related"
],
"url": "https://www.cnblogs.com/aibot/p/19994142"
},
{
"tags": [
"patch"
],
"url": "https://github.com/theonedev/onedev/releases/tag/v15.0.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T00:26:13.000Z",
"value": "VulDB entry last update"
}
],
"title": "theonedev projects improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11438",
"datePublished": "2026-06-06T17:00:14.794Z",
"dateReserved": "2026-06-05T22:21:00.483Z",
"dateUpdated": "2026-06-06T17:00:14.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11439 (GCVE-0-2026-11439)
Vulnerability from cvelistv5 – Published: 2026-06-06 17:15 – Updated: 2026-06-06 17:15
VLAI
Title
theonedev Parent Project projects improper authorization
Summary
A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from remote. Upgrading to version 15.0.6 can resolve this issue. It is recommended to upgrade the affected component.
Severity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369019 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369019/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11439 | third-party-advisory |
| https://vuldb.com/submit/822955 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19994142 | related |
| https://github.com/theonedev/onedev/releases/tag/… | patch |
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*"
],
"modules": [
"Parent Project Handler"
],
"product": "onedev",
"vendor": "theonedev",
"versions": [
{
"status": "affected",
"version": "15.0.0"
},
{
"status": "affected",
"version": "15.0.1"
},
{
"status": "affected",
"version": "15.0.2"
},
{
"status": "affected",
"version": "15.0.3"
},
{
"status": "affected",
"version": "15.0.4"
},
{
"status": "affected",
"version": "15.0.5"
},
{
"status": "unaffected",
"version": "15.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot88 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from remote. Upgrading to version 15.0.6 can resolve this issue. It is recommended to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T17:15:08.905Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369019 | theonedev Parent Project projects improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369019"
},
{
"name": "VDB-369019 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369019/cti"
},
{
"name": "CVE-2026-11439 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11439"
},
{
"name": "Submit #822955 | theonedev onedev 15.05 BOPLA",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/822955"
},
{
"tags": [
"related"
],
"url": "https://www.cnblogs.com/aibot/p/19994142"
},
{
"tags": [
"patch"
],
"url": "https://github.com/theonedev/onedev/releases/tag/v15.0.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T00:26:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "theonedev Parent Project projects improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11439",
"datePublished": "2026-06-06T17:15:08.905Z",
"dateReserved": "2026-06-05T22:21:02.958Z",
"dateUpdated": "2026-06-06T17:15:08.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11440 (GCVE-0-2026-11440)
Vulnerability from cvelistv5 – Published: 2026-06-06 17:30 – Updated: 2026-06-06 17:30
VLAI
Title
theonedev REST API default-branch improper authorization
Summary
A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.
Severity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369020 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369020/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11440 | third-party-advisory |
| https://vuldb.com/submit/822956 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19994142 | related |
| https://github.com/theonedev/onedev/releases/tag/… | patch |
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*"
],
"modules": [
"REST API"
],
"product": "onedev",
"vendor": "theonedev",
"versions": [
{
"status": "affected",
"version": "15.0.0"
},
{
"status": "affected",
"version": "15.0.1"
},
{
"status": "affected",
"version": "15.0.2"
},
{
"status": "affected",
"version": "15.0.3"
},
{
"status": "affected",
"version": "15.0.4"
},
{
"status": "affected",
"version": "15.0.5"
},
{
"status": "unaffected",
"version": "15.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot88 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T17:30:11.510Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369020 | theonedev REST API default-branch improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369020"
},
{
"name": "VDB-369020 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369020/cti"
},
{
"name": "CVE-2026-11440 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11440"
},
{
"name": "Submit #822956 | theonedev onedev 15.05 BOPLA",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/822956"
},
{
"tags": [
"related"
],
"url": "https://www.cnblogs.com/aibot/p/19994142"
},
{
"tags": [
"patch"
],
"url": "https://github.com/theonedev/onedev/releases/tag/v15.0.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T00:26:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "theonedev REST API default-branch improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11440",
"datePublished": "2026-06-06T17:30:11.510Z",
"dateReserved": "2026-06-05T22:21:05.442Z",
"dateUpdated": "2026-06-06T17:30:11.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11441 (GCVE-0-2026-11441)
Vulnerability from cvelistv5 – Published: 2026-06-06 17:45 – Updated: 2026-06-06 17:45
VLAI
Title
theonedev Pull Request issues canAccessIssue improper authorization
Summary
A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component.
Severity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369021 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369021/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11441 | third-party-advisory |
| https://vuldb.com/submit/822957 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19994142 | related |
| https://github.com/theonedev/onedev/releases/tag/… | patch |
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*"
],
"modules": [
"Pull Request Handler"
],
"product": "onedev",
"vendor": "theonedev",
"versions": [
{
"status": "affected",
"version": "15.0.0"
},
{
"status": "affected",
"version": "15.0.1"
},
{
"status": "affected",
"version": "15.0.2"
},
{
"status": "affected",
"version": "15.0.3"
},
{
"status": "affected",
"version": "15.0.4"
},
{
"status": "affected",
"version": "15.0.5"
},
{
"status": "unaffected",
"version": "15.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot88 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T17:45:10.650Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369021 | theonedev Pull Request issues canAccessIssue improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369021"
},
{
"name": "VDB-369021 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369021/cti"
},
{
"name": "CVE-2026-11441 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11441"
},
{
"name": "Submit #822957 | theonedev onedev 15.05 BOPLA",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/822957"
},
{
"tags": [
"related"
],
"url": "https://www.cnblogs.com/aibot/p/19994142"
},
{
"tags": [
"patch"
],
"url": "https://github.com/theonedev/onedev/releases/tag/v15.0.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T00:26:22.000Z",
"value": "VulDB entry last update"
}
],
"title": "theonedev Pull Request issues canAccessIssue improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11441",
"datePublished": "2026-06-06T17:45:10.650Z",
"dateReserved": "2026-06-05T22:21:08.343Z",
"dateUpdated": "2026-06-06T17:45:10.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1193 (GCVE-0-2026-1193)
Vulnerability from cvelistv5 – Published: 2026-01-19 23:02 – Updated: 2026-03-25 12:31
VLAI
Title
MineAdmin View view improper authorization
Summary
A vulnerability was identified in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.341778 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.341778 | signaturepermissions-required |
| https://vuldb.com/?submit.734270 | third-party-advisory |
| https://github.com/SourByte05/MineAdmin-Vulnerabi… | broken-linkexploitissue-tracking |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1193",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-21T19:43:34.079204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T19:44:34.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mineadmin:mineadmin:*:*:*:*:*:*:*:*"
],
"modules": [
"View Interface"
],
"product": "MineAdmin",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "1.*"
},
{
"status": "affected",
"version": "2.*"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "sourbyte (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T12:31:53.364Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-341778 | MineAdmin View view improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.341778"
},
{
"name": "VDB-341778 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.341778"
},
{
"name": "Submit #734270 | MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Logical flaw and vulnerability",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.734270"
},
{
"tags": [
"broken-link",
"exploit",
"issue-tracking"
],
"url": "https://github.com/SourByte05/MineAdmin-Vulnerability/issues/6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-19T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-05T21:09:48.000Z",
"value": "VulDB entry last update"
}
],
"title": "MineAdmin View view improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-1193",
"datePublished": "2026-01-19T23:02:11.979Z",
"dateReserved": "2026-01-19T13:59:50.661Z",
"dateUpdated": "2026-03-25T12:31:53.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1411 (GCVE-0-2026-1411)
Vulnerability from cvelistv5 – Published: 2026-01-26 00:32 – Updated: 2026-02-23 08:54
VLAI
Title
Beetel 777VR1 UART access control
Summary
A flaw has been found in Beetel 777VR1 up to 01.00.09/01.00.09_55. The affected element is an unknown function of the component UART Interface. This manipulation causes improper access controls. It is feasible to perform the attack on the physical device. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.342800 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.342800 | signaturepermissions-required |
| https://vuldb.com/?submit.740674 | third-party-advisory |
| https://gist.github.com/raghav20232023/ea6adcd6d1… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1411",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-26T17:28:56.623407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T17:29:02.637Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"UART Interface"
],
"product": "777VR1",
"vendor": "Beetel",
"versions": [
{
"status": "affected",
"version": "01.00.09"
},
{
"status": "affected",
"version": "01.00.09_55"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "raghav_2026 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Beetel 777VR1 up to 01.00.09/01.00.09_55. The affected element is an unknown function of the component UART Interface. This manipulation causes improper access controls. It is feasible to perform the attack on the physical device. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:P/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.9,
"vectorString": "AV:L/AC:H/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T08:54:50.445Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-342800 | Beetel 777VR1 UART access control",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.342800"
},
{
"name": "VDB-342800 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.342800"
},
{
"name": "Submit #740674 | Beetel Beetel 777VR1 Broadband Router Firmware Versions: V01.00.09 / V01.00.09_55 CWE-284 \u2014 Improper Access Control",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.740674"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/raghav20232023/ea6adcd6d1eca35683570a1094164bd3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-25T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-25T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-01-27T21:58:10.000Z",
"value": "VulDB entry last update"
}
],
"title": "Beetel 777VR1 UART access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-1411",
"datePublished": "2026-01-26T00:32:06.281Z",
"dateReserved": "2026-01-25T09:43:14.850Z",
"dateUpdated": "2026-02-23T08:54:50.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1550 (GCVE-0-2026-1550)
Vulnerability from cvelistv5 – Published: 2026-01-28 23:02 – Updated: 2026-02-23 09:03 X_Freeware
VLAI
Title
PHPGurukul Hospital Management System Admin Dashboard adminviews.py improper authorization
Summary
A security flaw has been discovered in PHPGurukul Hospital Management System 1.0. Affected by this issue is some unknown functionality of the file /hms/hospital/docappsystem/adminviews.py of the component Admin Dashboard Page. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.343246 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.343246 | signaturepermissions-required |
| https://vuldb.com/?submit.739837 | third-party-advisory |
| https://github.com/rsecroot/Hospital-Management-S… | exploit |
| https://phpgurukul.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PHPGurukul | Hospital Management System |
Affected:
1.0
cpe:2.3:a:phpgurukul:hospital_management_system:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1550",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T15:58:30.381996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T16:53:41.921Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:phpgurukul:hospital_management_system:*:*:*:*:*:*:*:*"
],
"modules": [
"Admin Dashboard Page"
],
"product": "Hospital Management System",
"vendor": "PHPGurukul",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "hackerfactory (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in PHPGurukul Hospital Management System 1.0. Affected by this issue is some unknown functionality of the file /hms/hospital/docappsystem/adminviews.py of the component Admin Dashboard Page. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T09:03:01.284Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-343246 | PHPGurukul Hospital Management System Admin Dashboard adminviews.py improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.343246"
},
{
"name": "VDB-343246 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.343246"
},
{
"name": "Submit #739837 | PHPGurukul Hospital Management System v1.0 Missing Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.739837"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/rsecroot/Hospital-Management-System/blob/main/Broken%20Access%20Control.md"
},
{
"tags": [
"product"
],
"url": "https://phpgurukul.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-01-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-28T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-09T17:03:04.000Z",
"value": "VulDB entry last update"
}
],
"title": "PHPGurukul Hospital Management System Admin Dashboard adminviews.py improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-1550",
"datePublished": "2026-01-28T23:02:10.342Z",
"dateReserved": "2026-01-28T16:55:20.754Z",
"dateUpdated": "2026-02-23T09:03:01.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-1
Phases: Architecture and Design, Operation
Description:
- Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation ID: MIT-17
Phases: Architecture and Design, Operation
Strategy: Environment Hardening
Description:
- Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.