{"vulnerability": "cve-2026-5363", "sightings": [{"uuid": "7c278db1-9c88-4cd6-84f1-4d455df3b2fa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5363", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjlddjxhca2t", "content": "", "creation_timestamp": "2026-04-16T02:09:37.759351Z"}, {"uuid": "59f41506-fe19-4edf-9e94-afdc8a8278cb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-53632", "type": "published-proof-of-concept", "source": "https://github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3", "content": "", "creation_timestamp": "2026-06-01T13:32:41.000000Z"}, {"uuid": "c9323508-77dd-4272-8928-a6889b3a6bc0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-53633", "type": "published-proof-of-concept", "source": "https://github.com/vitest-dev/vitest/security/advisories/GHSA-g8mr-85jm-7xhm", "content": "", "creation_timestamp": "2026-06-01T13:35:28.000000Z"}, {"uuid": "13bd744d-4b9a-45c4-9052-3f139a972603", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-53634", "type": "seen", "source": "https://gist.github.com/alon710/f5073530cad3dd719e641dcee2ba88b8", "content": "# CVE-2026-53634: CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller\n\n&gt; **CVSS Score:** 4.3\n&gt; **Published:** 2026-07-08\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-53634\n\n## Summary\nCode16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.\n\n## TL;DR\nAn authenticated but unauthorized user can bypass Laravel authorization checks to retrieve configuration forms and submit records via Code16 Sharp's Quick Creation Command feature.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-862\n- **Attack Vector**: Network (AV:N)\n- **CVSS Base Score**: 4.3 (Medium)\n- **EPSS Score**: 0.00213\n- **Impact**: Low Integrity Impact (Privilege Escalation)\n- **Exploit Status**: Proof of Concept and patch details available, no active exploitation in the wild\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Code16 Sharp\n- **Code16 Sharp**: &gt;= 9.0.0, &lt; 9.22.3 (Fixed in: `9.22.3`)\n\n## Mitigation\n\n- Upgrade Code16 Sharp package dependencies to version 9.22.3 or higher.\n- Review permission mapping policies for all models linked with Quick Creation Command features.\n\n**Remediation Steps:**\n1. Analyze the current installed version of the package in composer.json.\n2. Run 'composer update code16/sharp' inside your production deployment pipeline.\n3. Execute automated integration tests with simulated low-privilege sessions to confirm 403 response behaviors.\n\n## References\n\n- [NVD - CVE-2026-53634 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-53634)\n- [GitHub Security Advisory - GHSA-vmwx-m75v-qvch](https://github.com/code16/sharp/security/advisories/GHSA-vmwx-m75v-qvch)\n- [GitHub Pull Request 729](https://github.com/code16/sharp/pull/729)\n- [Fix Commit aa18a85fd8fef830988a336cad2278986729d21a](https://github.com/code16/sharp/commit/aa18a85fd8fef830988a336cad2278986729d21a)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-53634) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-08T22:12:23.393039Z"}, {"uuid": "13f57400-12b6-442d-bcc0-bd75991c607f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-53633", "type": "seen", "source": "https://bsky.app/profile/stackflag.bsky.social/post/3mqplostaaq2v", "content": "CVE-2026-53633 - browser\nVitest Browser Mode projects using a CDP-capable browser are at risk of remote code execution when the browser API server is exposed to the network. This can happen when an\u2026\n\nToo many irrelevant or confusing CVEs? Use stackflag.com\n\n#browser #vitest #npm #CVE #infosec", "creation_timestamp": "2026-07-15T20:46:07.048353Z"}]}