CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-9251 (GCVE-0-2026-9251)
Vulnerability from cvelistv5 – Published: 2026-05-22 15:29 – Updated: 2026-05-22 16:49
VLAI
Summary
Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request.
This issue affects :
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Devolutions | Server |
Affected:
2026.1.6.0 , ≤ 2026.1.16.0
(custom)
Affected: 0 , ≤ 2025.3.20.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9251",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T16:49:25.984797Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T16:49:29.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2026.1.16.0",
"status": "affected",
"version": "2026.1.6.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2025.3.20.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry\u0027s data via a crafted status change request.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.1.6.0 through 2026.1.16.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2025.3.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry\u0027s data via a crafted status change request.\n\nThis issue affects :\n\n * Devolutions Server 2026.1.6.0 through 2026.1.16.0\n * Devolutions Server 2025.3.20.0 and earlier"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:29:25.378Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2026-9251",
"datePublished": "2026-05-22T15:29:25.378Z",
"dateReserved": "2026-05-21T20:03:12.616Z",
"dateUpdated": "2026-05-22T16:49:29.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9255 (GCVE-0-2026-9255)
Vulnerability from cvelistv5 – Published: 2026-05-22 16:38 – Updated: 2026-05-23 03:55
VLAI
Title
Tool Execution Without Authorization via Piped Stdin in Kiro CLI
Summary
Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin.
We recommend you to upgrade to kiro-cli version 1.28.0 or later.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://kiro.dev/changelog/cli/1-28/ | release-notes |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9255",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T03:55:58.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Kiro CLI",
"vendor": "AWS",
"versions": [
{
"lessThan": "1.28.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:aws:kiro_cli:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.28.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin.\u003c/p\u003e\u003cp\u003eWe recommend you to upgrade to kiro-cli version 1.28.0 or later.\u003c/p\u003e"
}
],
"value": "Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin.\n\n\n\nWe recommend you to upgrade to kiro-cli version 1.28.0 or later."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233: Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T16:42:59.467Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://kiro.dev/changelog/cli/1-28/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/2026-035-aws/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Tool Execution Without Authorization via Piped Stdin in Kiro CLI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2026-9255",
"datePublished": "2026-05-22T16:38:10.522Z",
"dateReserved": "2026-05-21T20:55:28.520Z",
"dateUpdated": "2026-05-23T03:55:58.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9284 (GCVE-0-2026-9284)
Vulnerability from cvelistv5 – Published: 2026-05-23 04:27 – Updated: 2026-05-26 16:13
VLAI
Title
WooCommerce PayPal Payments <= 4.0.1 - Missing Authorization to Unauthenticated Order Manipulation and Information Disclosure
Summary
The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-create-order` and `ppc-get-order` WC-AJAX endpoints in all versions up to, and including, 4.0.1. The `ppc-create-order` endpoint accepts an arbitrary WooCommerce order ID in the `pay-now` context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The `ppc-get-order` endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers' order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim's WC order and then retrieving the PayPal order data.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| woocommerce | WooCommerce PayPal Payments |
Affected:
0 , ≤ 4.0.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9284",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T16:13:31.929154Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T16:13:40.198Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WooCommerce PayPal Payments",
"vendor": "woocommerce",
"versions": [
{
"lessThanOrEqual": "4.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-create-order` and `ppc-get-order` WC-AJAX endpoints in all versions up to, and including, 4.0.1. The `ppc-create-order` endpoint accepts an arbitrary WooCommerce order ID in the `pay-now` context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The `ppc-get-order` endpoint returns full PayPal order details for any PayPal order ID without binding to the requester\u0027s session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers\u0027 order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim\u0027s WC order and then retrieving the PayPal order data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T04:27:17.416Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5fa3282-b3be-4ea1-9865-011dea828a25?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-paypal-payments/tags/3.3.2/modules/ppcp-button/src/Endpoint/CreateOrderEndpoint.php#L249"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-paypal-payments/tags/3.3.2/modules/ppcp-button/src/Endpoint/GetOrderEndpoint.php#L44"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-paypal-payments/trunk/modules/ppcp-button/src/Endpoint/CreateOrderEndpoint.php#L249"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-paypal-payments/trunk/modules/ppcp-button/src/Endpoint/GetOrderEndpoint.php#L44"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3497597%40woocommerce-paypal-payments\u0026new=3497597%40woocommerce-paypal-payments\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-22T16:19:24.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-22T16:04:24.000Z",
"value": "Disclosed"
}
],
"title": "WooCommerce PayPal Payments \u003c= 4.0.1 - Missing Authorization to Unauthenticated Order Manipulation and Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9284",
"datePublished": "2026-05-23T04:27:17.416Z",
"dateReserved": "2026-05-22T16:04:02.399Z",
"dateUpdated": "2026-05-26T16:13:40.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9303 (GCVE-0-2026-9303)
Vulnerability from cvelistv5 – Published: 2026-05-23 13:30 – Updated: 2026-05-26 18:41
VLAI
Title
calcom cal.diy cross-site request forgery
Summary
A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/365250 | vdb-entry |
| https://vuldb.com/vuln/365250/cti | signaturepermissions-required |
| https://vuldb.com/submit/812173 | third-party-advisory |
| https://vuldb.com/submit/812175 | third-party-advisory |
| https://gist.github.com/YLChen-007/26663d9558e159… | related |
| https://gist.github.com/YLChen-007/dafada36e356bc… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9303",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T18:41:36.930930Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T18:41:50.216Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:calcom:cal.diy:*:*:*:*:*:*:*:*"
],
"product": "cal.diy",
"vendor": "calcom",
"versions": [
{
"status": "affected",
"version": "4.9.0"
},
{
"status": "affected",
"version": "4.9.1"
},
{
"status": "affected",
"version": "4.9.2"
},
{
"status": "affected",
"version": "4.9.3"
},
{
"status": "affected",
"version": "4.9.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-z (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T13:30:10.147Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-365250 | calcom cal.diy cross-site request forgery",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/365250"
},
{
"name": "VDB-365250 | CTI Indicators (IOB, IOC)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/365250/cti"
},
{
"name": "Submit #812173 | cal.com \u003c= v4.9.4 Cross-Site Request Forgery (CWE-352)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/812173"
},
{
"name": "Submit #812175 | cal.com \u003c= v4.9.4 Cross-Site Request Forgery (CWE-352) (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/812175"
},
{
"tags": [
"related"
],
"url": "https://gist.github.com/YLChen-007/26663d9558e15994176dc420d2e11d48"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/YLChen-007/dafada36e356bc895b09829d8ec57e49"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-22T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-22T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-22T19:59:44.000Z",
"value": "VulDB entry last update"
}
],
"title": "calcom cal.diy cross-site request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-9303",
"datePublished": "2026-05-23T13:30:10.147Z",
"dateReserved": "2026-05-22T17:54:39.276Z",
"dateUpdated": "2026-05-26T18:41:50.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9350 (GCVE-0-2026-9350)
Vulnerability from cvelistv5 – Published: 2026-05-24 02:45 – Updated: 2026-05-26 17:48
VLAI
Title
NousResearch hermes-agent Batch Runner approval.py check_all_command_guards authorization
Summary
A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This affects the function check_all_command_guards of the file tools/approval.py of the component Batch Runner. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/365313 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/365313/cti | signaturepermissions-required |
| https://vuldb.com/submit/812213 | third-party-advisory |
| https://gist.github.com/YLChen-007/22cada4c9060f5… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NousResearch | hermes-agent |
Affected:
2026.4.0
Affected: 2026.4.1 Affected: 2026.4.2 Affected: 2026.4.3 Affected: 2026.4.4 Affected: 2026.4.5 Affected: 2026.4.6 Affected: 2026.4.7 Affected: 2026.4.8 Affected: 2026.4.9 Affected: 2026.4.10 Affected: 2026.4.11 Affected: 2026.4.12 Affected: 2026.4.13 Affected: 2026.4.14 Affected: 2026.4.15 Affected: 2026.4.16 cpe:2.3:a:nousresearch:hermes-agent:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9350",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T17:47:52.773882Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T17:48:19.460Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:nousresearch:hermes-agent:*:*:*:*:*:*:*:*"
],
"modules": [
"Batch Runner"
],
"product": "hermes-agent",
"vendor": "NousResearch",
"versions": [
{
"status": "affected",
"version": "2026.4.0"
},
{
"status": "affected",
"version": "2026.4.1"
},
{
"status": "affected",
"version": "2026.4.2"
},
{
"status": "affected",
"version": "2026.4.3"
},
{
"status": "affected",
"version": "2026.4.4"
},
{
"status": "affected",
"version": "2026.4.5"
},
{
"status": "affected",
"version": "2026.4.6"
},
{
"status": "affected",
"version": "2026.4.7"
},
{
"status": "affected",
"version": "2026.4.8"
},
{
"status": "affected",
"version": "2026.4.9"
},
{
"status": "affected",
"version": "2026.4.10"
},
{
"status": "affected",
"version": "2026.4.11"
},
{
"status": "affected",
"version": "2026.4.12"
},
{
"status": "affected",
"version": "2026.4.13"
},
{
"status": "affected",
"version": "2026.4.14"
},
{
"status": "affected",
"version": "2026.4.15"
},
{
"status": "affected",
"version": "2026.4.16"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-h (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This affects the function check_all_command_guards of the file tools/approval.py of the component Batch Runner. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-24T02:45:10.330Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-365313 | NousResearch hermes-agent Batch Runner approval.py check_all_command_guards authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/365313"
},
{
"name": "VDB-365313 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/365313/cti"
},
{
"name": "Submit #812213 | NousResearch hermes-agent 2026.4.16 Missing Authorization (CWE-862)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/812213"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/YLChen-007/22cada4c9060f5123dde6185135ae3ab"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-23T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-23T11:24:46.000Z",
"value": "VulDB entry last update"
}
],
"title": "NousResearch hermes-agent Batch Runner approval.py check_all_command_guards authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-9350",
"datePublished": "2026-05-24T02:45:10.330Z",
"dateReserved": "2026-05-23T09:19:30.069Z",
"dateUpdated": "2026-05-26T17:48:19.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9486 (GCVE-0-2026-9486)
Vulnerability from cvelistv5 – Published: 2026-05-25 19:30 – Updated: 2026-05-26 12:50 X_Freeware
VLAI
Title
SourceCodester Student Grades Management System cross-site request forgery
Summary
A security flaw has been discovered in SourceCodester Student Grades Management System 1.0. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/365467 | vdb-entry |
| https://vuldb.com/vuln/365467/cti | signaturepermissions-required |
| https://vuldb.com/submit/814044 | third-party-advisory |
| https://github.com/Jack-MRJ/Student-Grades-Manage… | exploit |
| https://www.sourcecodester.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Student Grades Management System |
Affected:
1.0
cpe:2.3:a:sourcecodester:student_grades_management_system:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9486",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T12:50:26.887561Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T12:50:35.979Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:student_grades_management_system:*:*:*:*:*:*:*:*"
],
"product": "Student Grades Management System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "GeekerA (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in SourceCodester Student Grades Management System 1.0. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T19:30:09.710Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-365467 | SourceCodester Student Grades Management System cross-site request forgery",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/365467"
},
{
"name": "VDB-365467 | CTI Indicators (IOB, IOC)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/365467/cti"
},
{
"name": "Submit #814044 | SourceCodester Student Grades Management System 1.0 Cross-Site Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/814044"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Jack-MRJ/Student-Grades-Management-System-Vulnerability-Report"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-24T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-24T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-24T11:32:00.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Student Grades Management System cross-site request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-9486",
"datePublished": "2026-05-25T19:30:09.710Z",
"dateReserved": "2026-05-24T09:26:32.498Z",
"dateUpdated": "2026-05-26T12:50:35.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9582 (GCVE-0-2026-9582)
Vulnerability from cvelistv5 – Published: 2026-05-26 20:45 – Updated: 2026-05-27 17:58 X_Freeware
VLAI
Title
SourceCodester CET Automated Grading System with AI Predictive Analytics cross-site request forgery
Summary
A security flaw has been discovered in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This affects an unknown function. Performing a manipulation results in cross-site request forgery. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/365638 | vdb-entry |
| https://vuldb.com/vuln/365638/cti | signaturepermissions-required |
| https://vuldb.com/submit/817930 | third-party-advisory |
| https://github.com/NARKHEDE-VAIBHAV/poc/blob/main… | exploit |
| https://github.com/NARKHEDE-VAIBHAV/poc/blob/main… | exploit |
| https://www.sourcecodester.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | CET Automated Grading System with AI Predictive Analytics |
Affected:
1.0
cpe:2.3:a:sourcecodester:cet_automated_grading_system_with_ai_predictive_analytics:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9582",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T17:58:15.496135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T17:58:26.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:cet_automated_grading_system_with_ai_predictive_analytics:*:*:*:*:*:*:*:*"
],
"product": "CET Automated Grading System with AI Predictive Analytics",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "vaibhavnarkhede (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "vaibhavnarkhede (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This affects an unknown function. Performing a manipulation results in cross-site request forgery. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T20:45:11.049Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-365638 | SourceCodester CET Automated Grading System with AI Predictive Analytics cross-site request forgery",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/365638"
},
{
"name": "VDB-365638 | CTI Indicators (IOB, IOC)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/365638/cti"
},
{
"name": "Submit #817930 | SourceCodester CET Automated Grading System with AI Predictive Analytics in PHP and MySQL 1.0 Cross Site Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/817930"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-9582-Cross-Site-Request-Forgery/Advisory.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-9582-Cross-Site-Request-Forgery/poc.html"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-26T19:23:34.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester CET Automated Grading System with AI Predictive Analytics cross-site request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-9582",
"datePublished": "2026-05-26T20:45:11.049Z",
"dateReserved": "2026-05-26T12:53:01.526Z",
"dateUpdated": "2026-05-27T17:58:26.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9603 (GCVE-0-2026-9603)
Vulnerability from cvelistv5 – Published: 2026-05-26 22:00 – Updated: 2026-05-27 12:55 X_Freeware
VLAI
Title
SourceCodester eDoc Doctor Appointment System delete-session.php authorization
Summary
A security vulnerability has been detected in SourceCodester eDoc Doctor Appointment System 1.0. This affects an unknown part of the file /admin/delete-session.php. The manipulation of the argument ID leads to missing authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/365676 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/365676/cti | signaturepermissions-required |
| https://vuldb.com/submit/817935 | third-party-advisory |
| https://github.com/NARKHEDE-VAIBHAV/poc/blob/main… | exploit |
| https://github.com/NARKHEDE-VAIBHAV/poc/blob/main… | exploit |
| https://www.sourcecodester.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | eDoc Doctor Appointment System |
Affected:
1.0
cpe:2.3:a:sourcecodester:edoc_doctor_appointment_system:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9603",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T12:54:43.298048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T12:55:07.587Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:edoc_doctor_appointment_system:*:*:*:*:*:*:*:*"
],
"product": "eDoc Doctor Appointment System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "vaibhavnarkhede (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "vaibhavnarkhede (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in SourceCodester eDoc Doctor Appointment System 1.0. This affects an unknown part of the file /admin/delete-session.php. The manipulation of the argument ID leads to missing authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.4,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T22:00:14.230Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-365676 | SourceCodester eDoc Doctor Appointment System delete-session.php authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/365676"
},
{
"name": "VDB-365676 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/365676/cti"
},
{
"name": "Submit #817935 | SourceCodester eDoc Doctor Appointment System 1.0 Missing Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/817935"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-9603-Missing-Authorization/Advisory.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-9603-Missing-Authorization/poc.sh"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-26T19:23:11.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester eDoc Doctor Appointment System delete-session.php authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-9603",
"datePublished": "2026-05-26T22:00:14.230Z",
"dateReserved": "2026-05-26T16:02:52.829Z",
"dateUpdated": "2026-05-27T12:55:07.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Phase: Architecture and Design
Description:
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Phases: System Configuration, Installation
Description:
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.