Common Weakness Enumeration

CWE-266

Allowed

Incorrect Privilege Assignment

Abstraction: Base · Status: Draft

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

1913 vulnerabilities reference this CWE, most recent first.

CVE-2026-15594 (GCVE-0-2026-15594)

Vulnerability from cvelistv5 – Published: 2026-07-13 20:15 – Updated: 2026-07-15 15:45
VLAI
Title
waooAI waoowaoo Media hash.ts stablePublicIdFromStorageKey improper authorization
Summary
A vulnerability was found in waooAI waoowaoo up to 0.4.1. Impacted is the function stablePublicIdFromStorageKey in the library src/lib/media/hash.ts of the component Media Handler. The manipulation of the argument storageKey results in improper authorization. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
URL Tags
https://vuldb.com/vuln/378109 vdb-entrytechnical-description
https://vuldb.com/vuln/378109/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-15594 third-party-advisory
https://vuldb.com/submit/855264 third-party-advisory
https://github.com/waooAI/waoowaoo/issues/201 exploitissue-tracking
https://github.com/waooAI/waoowaoo/ product
Impacted products
Vendor Product Version
waooAI waoowaoo Affected: 0.4.0
Affected: 0.4.1
    cpe:2.3:a:waooai:waoowaoo:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Dem0000000 (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15594",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-15T15:44:58.458002Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T15:45:06.732Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://vuldb.com/submit/855264"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:waooai:waoowaoo:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Media Handler"
          ],
          "product": "waoowaoo",
          "vendor": "waooAI",
          "versions": [
            {
              "status": "affected",
              "version": "0.4.0"
            },
            {
              "status": "affected",
              "version": "0.4.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Dem0000000 (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in waooAI waoowaoo up to 0.4.1. Impacted is the function stablePublicIdFromStorageKey in the library src/lib/media/hash.ts of the component Media Handler. The manipulation of the argument storageKey results in improper authorization. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 2.6,
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-13T20:15:10.868Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-378109 | waooAI waoowaoo Media hash.ts stablePublicIdFromStorageKey improper authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/378109"
        },
        {
          "name": "VDB-378109 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/378109/cti"
        },
        {
          "name": "CVE-2026-15594 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15594"
        },
        {
          "name": "Submit #855264 | waooAI waoowaoo 0.4.1 Improper Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/855264"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/waooAI/waoowaoo/issues/201"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/waooAI/waoowaoo/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-13T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-13T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-13T16:06:17.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "waooAI waoowaoo Media hash.ts stablePublicIdFromStorageKey improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15594",
    "datePublished": "2026-07-13T20:15:10.868Z",
    "dateReserved": "2026-07-13T14:01:13.127Z",
    "dateUpdated": "2026-07-15T15:45:06.732Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15510 (GCVE-0-2026-15510)

Vulnerability from cvelistv5 – Published: 2026-07-12 22:45 – Updated: 2026-07-13 15:56
VLAI
Title
Leantime API saveSetting improper authorization
Summary
A vulnerability was found in Leantime up to 3.8.0. Affected is the function Setting::saveSetting of the component API. The manipulation results in improper authorization. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
URL Tags
https://vuldb.com/vuln/377839 vdb-entrytechnical-description
https://vuldb.com/vuln/377839/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-15510 third-party-advisory
https://vuldb.com/submit/846171 third-party-advisory
https://bytium.com/insights/leantime-3-8-0-broken… exploit
Impacted products
Vendor Product Version
n/a Leantime Affected: 3.0
Affected: 3.1
Affected: 3.2
Affected: 3.3
Affected: 3.4
Affected: 3.5
Affected: 3.6
Affected: 3.7
Affected: 3.8.0
    cpe:2.3:a:leantime:leantime:*:*:*:*:*:*:*:*
Credits
Jobyer Ahmed (Bytium) suffer (VulDB User) suffer (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15510",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-13T15:47:21.833466Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-13T15:56:43.276Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:leantime:leantime:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "API"
          ],
          "product": "Leantime",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "3.0"
            },
            {
              "status": "affected",
              "version": "3.1"
            },
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "status": "affected",
              "version": "3.3"
            },
            {
              "status": "affected",
              "version": "3.4"
            },
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "status": "affected",
              "version": "3.6"
            },
            {
              "status": "affected",
              "version": "3.7"
            },
            {
              "status": "affected",
              "version": "3.8.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jobyer Ahmed (Bytium)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "suffer (VulDB User)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "suffer (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Leantime up to 3.8.0. Affected is the function Setting::saveSetting of the component API. The manipulation results in improper authorization. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-12T22:45:10.120Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377839 | Leantime API saveSetting improper authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/377839"
        },
        {
          "name": "VDB-377839 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377839/cti"
        },
        {
          "name": "CVE-2026-15510 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15510"
        },
        {
          "name": "Submit #846171 | Leantime Project Management System 3.8.0 Improper Authorization",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/846171"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://bytium.com/insights/leantime-3-8-0-broken-access-control"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-12T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-12T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-12T12:58:38.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Leantime API saveSetting improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15510",
    "datePublished": "2026-07-12T22:45:10.120Z",
    "dateReserved": "2026-07-12T05:58:33.430Z",
    "dateUpdated": "2026-07-13T15:56:43.276Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15509 (GCVE-0-2026-15509)

Vulnerability from cvelistv5 – Published: 2026-07-12 22:30 – Updated: 2026-07-15 15:36
VLAI
Title
Leantime JSON-RPC Endpoint addUser improper authorization
Summary
A vulnerability has been found in Leantime up to 3.8.0. This impacts the function editUser/addUser of the component JSON-RPC Endpoint. The manipulation of the argument role leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
URL Tags
https://vuldb.com/vuln/377838 vdb-entrytechnical-description
https://vuldb.com/vuln/377838/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-15509 third-party-advisory
https://vuldb.com/submit/846167 third-party-advisory
https://bytium.com/insights/leantime-priv-escalat… exploit
Impacted products
Vendor Product Version
n/a Leantime Affected: 3.0
Affected: 3.1
Affected: 3.2
Affected: 3.3
Affected: 3.4
Affected: 3.5
Affected: 3.6
Affected: 3.7
Affected: 3.8.0
    cpe:2.3:a:leantime:leantime:*:*:*:*:*:*:*:*
Credits
Jobyer Ahmed (Bytium) suffer (VulDB User) suffer (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15509",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-15T15:35:51.218638Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T15:36:02.287Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://vuldb.com/submit/846167"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:leantime:leantime:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "JSON-RPC Endpoint"
          ],
          "product": "Leantime",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "3.0"
            },
            {
              "status": "affected",
              "version": "3.1"
            },
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "status": "affected",
              "version": "3.3"
            },
            {
              "status": "affected",
              "version": "3.4"
            },
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "status": "affected",
              "version": "3.6"
            },
            {
              "status": "affected",
              "version": "3.7"
            },
            {
              "status": "affected",
              "version": "3.8.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jobyer Ahmed (Bytium)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "suffer (VulDB User)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "suffer (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been found in Leantime up to 3.8.0. This impacts the function editUser/addUser of the component JSON-RPC Endpoint. The manipulation of the argument role leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T15:23:43.559Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377838 | Leantime JSON-RPC Endpoint addUser improper authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/377838"
        },
        {
          "name": "VDB-377838 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377838/cti"
        },
        {
          "name": "CVE-2026-15509 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15509"
        },
        {
          "name": "Submit #846167 | Leantime Leantime project management system 3.8.0 Privilege Escalation / Improper Authorization",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/846167"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://bytium.com/insights/leantime-priv-escalation-vulnerability-low-priv-to-owner"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-12T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-12T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-14T17:25:41.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Leantime JSON-RPC Endpoint addUser improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15509",
    "datePublished": "2026-07-12T22:30:09.041Z",
    "dateReserved": "2026-07-12T05:58:31.153Z",
    "dateUpdated": "2026-07-15T15:36:02.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15499 (GCVE-0-2026-15499)

Vulnerability from cvelistv5 – Published: 2026-07-12 11:45 – Updated: 2026-07-13 15:18
VLAI
Title
AstrBotDevs AstrBot Scheduled Task cron_tools.py FutureTaskTool.call improper authorization
Summary
A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/cron_tools.py of the component Scheduled Task Handler. Performing a manipulation of the argument payload["note"] results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
URL Tags
https://vuldb.com/vuln/377806 vdb-entrytechnical-description
https://vuldb.com/vuln/377806/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-15499 third-party-advisory
https://vuldb.com/submit/844656 third-party-advisory
https://gist.github.com/YLChen-007/2bab96d5bedef7… exploit
Impacted products
Vendor Product Version
AstrBotDevs AstrBot Affected: 4.25.0
Affected: 4.25.1
Affected: 4.25.2
    cpe:2.3:a:astrbot:astrbot:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Eric-a (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15499",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-13T15:18:38.997324Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-13T15:18:55.453Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:astrbot:astrbot:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Scheduled Task Handler"
          ],
          "product": "AstrBot",
          "vendor": "AstrBotDevs",
          "versions": [
            {
              "status": "affected",
              "version": "4.25.0"
            },
            {
              "status": "affected",
              "version": "4.25.1"
            },
            {
              "status": "affected",
              "version": "4.25.2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Eric-a (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/cron_tools.py of the component Scheduled Task Handler. Performing a manipulation of the argument payload[\"note\"] results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-12T11:45:08.034Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377806 | AstrBotDevs AstrBot Scheduled Task cron_tools.py FutureTaskTool.call improper authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/377806"
        },
        {
          "name": "VDB-377806 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377806/cti"
        },
        {
          "name": "CVE-2026-15499 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15499"
        },
        {
          "name": "Submit #844656 | AstrBotDevs AstrBot 4.25.2 Improper Authorization (CWE-285)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/844656"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://gist.github.com/YLChen-007/2bab96d5bedef784f90c97009fff8a19"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-11T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-11T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-11T14:47:00.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "AstrBotDevs AstrBot Scheduled Task cron_tools.py FutureTaskTool.call improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15499",
    "datePublished": "2026-07-12T11:45:08.034Z",
    "dateReserved": "2026-07-11T12:41:55.318Z",
    "dateUpdated": "2026-07-13T15:18:55.453Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15476 (GCVE-0-2026-15476)

Vulnerability from cvelistv5 – Published: 2026-07-12 03:30 – Updated: 2026-07-13 16:08
VLAI
Title
QILING Disk Master Kernel Driver diskbckp.sys access control
Summary
A security vulnerability has been detected in QILING Disk Master 6.0.0.0. The impacted element is an unknown function in the library diskbckp.sys of the component Kernel Driver. Such manipulation leads to improper access controls. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. It is suggested to upgrade the affected component.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Controls
  • CWE-266 - Incorrect Privilege Assignment
Assigner
Impacted products
Vendor Product Version
QILING Disk Master Affected: 6.0.0.0
    cpe:2.3:a:qiling:disk_master:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
winslow1984 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15476",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-13T16:07:58.777377Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-13T16:08:06.824Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:qiling:disk_master:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Kernel Driver"
          ],
          "product": "Disk Master",
          "vendor": "QILING",
          "versions": [
            {
              "status": "affected",
              "version": "6.0.0.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "winslow1984 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability has been detected in QILING Disk Master 6.0.0.0. The impacted element is an unknown function in the library diskbckp.sys of the component Kernel Driver. Such manipulation leads to improper access controls. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. It is suggested to upgrade the affected component."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4.3,
            "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-12T03:30:08.128Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377781 | QILING Disk Master Kernel Driver diskbckp.sys access control",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/vuln/377781"
        },
        {
          "name": "VDB-377781 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377781/cti"
        },
        {
          "name": "CVE-2026-15476 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15476"
        },
        {
          "name": "Submit #835610 | QILING Disk Master Kernel Driver diskbckp.sys 6, 0, 0, 0 Local Privilege Escapation",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/835610"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://winslow1984.com/books/cve-collection/page/qiling-disk-master-kernel-driver-diskbckpsys-6-0-0-0-local-privilege-escalation"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.idiskhome.com/download/beta/multi_DiskMaster_Pro_Trial.exe"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-11T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-11T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-11T11:49:37.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "QILING Disk Master Kernel Driver diskbckp.sys access control"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15476",
    "datePublished": "2026-07-12T03:30:08.128Z",
    "dateReserved": "2026-07-11T09:44:33.072Z",
    "dateUpdated": "2026-07-13T16:08:06.824Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15475 (GCVE-0-2026-15475)

Vulnerability from cvelistv5 – Published: 2026-07-12 02:15 – Updated: 2026-07-13 14:38
VLAI
Title
MiniTool Partition Wizard Signed Kernel Driver pwdrvio.sys access control
Summary
A weakness has been identified in MiniTool Partition Wizard up to 13.6. The affected element is an unknown function in the library pwdrvio.sys of the component Signed Kernel Driver. This manipulation causes improper access controls. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. Upgrading to version 13.9 is sufficient to fix this issue. The affected component should be upgraded. The vendor was contacted early about this disclosure.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Controls
  • CWE-266 - Incorrect Privilege Assignment
Assigner
Impacted products
Vendor Product Version
MiniTool Partition Wizard Affected: 13.0
Affected: 13.1
Affected: 13.2
Affected: 13.3
Affected: 13.4
Affected: 13.5
Affected: 13.6
Unaffected: 13.9
    cpe:2.3:a:minitool:partition_wizard:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
winslow1984 (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15475",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-13T14:38:17.404499Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-13T14:38:31.090Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:minitool:partition_wizard:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Signed Kernel Driver"
          ],
          "product": "Partition Wizard",
          "vendor": "MiniTool",
          "versions": [
            {
              "status": "affected",
              "version": "13.0"
            },
            {
              "status": "affected",
              "version": "13.1"
            },
            {
              "status": "affected",
              "version": "13.2"
            },
            {
              "status": "affected",
              "version": "13.3"
            },
            {
              "status": "affected",
              "version": "13.4"
            },
            {
              "status": "affected",
              "version": "13.5"
            },
            {
              "status": "affected",
              "version": "13.6"
            },
            {
              "status": "unaffected",
              "version": "13.9"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "winslow1984 (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in MiniTool Partition Wizard up to 13.6. The affected element is an unknown function in the library pwdrvio.sys of the component Signed Kernel Driver. This manipulation causes improper access controls. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. Upgrading to version 13.9 is sufficient to fix this issue. The affected component should be upgraded. The vendor was contacted early about this disclosure."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4.3,
            "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-12T02:15:07.520Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377780 | MiniTool Partition Wizard Signed Kernel Driver pwdrvio.sys access control",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/vuln/377780"
        },
        {
          "name": "VDB-377780 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377780/cti"
        },
        {
          "name": "CVE-2026-15475 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15475"
        },
        {
          "name": "Submit #833842 | MiniTool MiniTool Partition Wizard 13.6 Local Privilege Escapation",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/833842"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://winslow1984.com/books/cve-collection/page/minitool-partition-wizard-kernel-driver-pwdrviosys-local-privilege-escalation"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.minitool.com/partition-manager/upgrade-history.html"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-11T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-11T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-11T11:46:00.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "MiniTool Partition Wizard Signed Kernel Driver pwdrvio.sys access control"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15475",
    "datePublished": "2026-07-12T02:15:07.520Z",
    "dateReserved": "2026-07-11T09:40:55.072Z",
    "dateUpdated": "2026-07-13T14:38:31.090Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15474 (GCVE-0-2026-15474)

Vulnerability from cvelistv5 – Published: 2026-07-12 02:00 – Updated: 2026-07-13 18:12
VLAI
Title
Eleveo Call Recording Software audio.jsp improper authorization
Summary
A security flaw has been discovered in Eleveo Call Recording Software 9.7.0. Impacted is an unknown function of the file /callrec/audio.jsp of the component Call Recording Handler. The manipulation of the argument callId results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
URL Tags
https://vuldb.com/vuln/377779 vdb-entrytechnical-description
https://vuldb.com/vuln/377779/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-15474 third-party-advisory
https://vuldb.com/submit/797469 third-party-advisory
https://drive.google.com/file/d/14r-7V9dJHuoBPpuS… exploit
Impacted products
Vendor Product Version
Eleveo Call Recording Software Affected: 9.7.0
    cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
omarelshopky (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15474",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-13T18:05:30.196637Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-13T18:12:46.594Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Call Recording Handler"
          ],
          "product": "Call Recording Software",
          "vendor": "Eleveo",
          "versions": [
            {
              "status": "affected",
              "version": "9.7.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "omarelshopky (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security flaw has been discovered in Eleveo Call Recording Software 9.7.0. Impacted is an unknown function of the file /callrec/audio.jsp of the component Call Recording Handler. The manipulation of the argument callId results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-12T02:00:08.857Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377779 | Eleveo Call Recording Software audio.jsp improper authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/377779"
        },
        {
          "name": "VDB-377779 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377779/cti"
        },
        {
          "name": "CVE-2026-15474 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15474"
        },
        {
          "name": "Submit #797469 | Eleveo Call Recording 9.7.0 Broken Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/797469"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://drive.google.com/file/d/14r-7V9dJHuoBPpuSj-puFzujq149Mbry/view?usp=sharing"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-11T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-11T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-11T11:38:44.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Eleveo Call Recording Software audio.jsp improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15474",
    "datePublished": "2026-07-12T02:00:08.857Z",
    "dateReserved": "2026-07-11T09:33:28.296Z",
    "dateUpdated": "2026-07-13T18:12:46.594Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15473 (GCVE-0-2026-15473)

Vulnerability from cvelistv5 – Published: 2026-07-12 01:30 – Updated: 2026-07-14 14:34
VLAI
Title
Eleveo Call Recording Software Recorded Calls restoreCallAction.do improper authorization
Summary
A vulnerability was identified in Eleveo Call Recording Software 9.7.0. This issue affects some unknown processing of the file /callrec/restoreCallAction.do of the component Recorded Calls Page. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Vendor Product Version
Eleveo Call Recording Software Affected: 9.7.0
    cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Omar Elshopky (Spark Professional Services) omarelshopky (VulDB User) omarelshopky (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15473",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-14T14:33:45.844296Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-14T14:34:01.039Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Recorded Calls Page"
          ],
          "product": "Call Recording Software",
          "vendor": "Eleveo",
          "versions": [
            {
              "status": "affected",
              "version": "9.7.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Omar Elshopky (Spark Professional Services)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "omarelshopky (VulDB User)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "omarelshopky (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was identified in Eleveo Call Recording Software 9.7.0. This issue affects some unknown processing of the file /callrec/restoreCallAction.do of the component Recorded Calls Page. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-13T18:22:55.119Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377778 | Eleveo Call Recording Software Recorded Calls restoreCallAction.do improper authorization",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/vuln/377778"
        },
        {
          "name": "VDB-377778 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377778/cti"
        },
        {
          "name": "CVE-2026-15473 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15473"
        },
        {
          "name": "Submit #797466 | Eleveo Call Recording 9.7.0 Broken Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/797466"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/omarelshopky/cves/tree/main/eleveo/call-recording-software/CVE-2026-15473"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-10T00:00:00.000Z",
          "value": "Vendor informed"
        },
        {
          "lang": "en",
          "time": "2026-07-11T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-11T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-13T20:24:57.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Eleveo Call Recording Software Recorded Calls restoreCallAction.do improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15473",
    "datePublished": "2026-07-12T01:30:08.975Z",
    "dateReserved": "2026-07-11T09:33:25.486Z",
    "dateUpdated": "2026-07-14T14:34:01.039Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15472 (GCVE-0-2026-15472)

Vulnerability from cvelistv5 – Published: 2026-07-12 01:15 – Updated: 2026-07-13 18:22
VLAI
Title
Eleveo Call Recording Software composeEmailAction.do improper authorization
Summary
A vulnerability was determined in Eleveo Call Recording Software 9.7.0. This vulnerability affects unknown code of the file /callrec/composeEmailAction.do. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Vendor Product Version
Eleveo Call Recording Software Affected: 9.7.0
    cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Omar Elshopky (Spark Professional Services) omarelshopky (VulDB User) omarelshopky (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15472",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-13T16:57:59.669879Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-13T16:58:37.492Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*"
          ],
          "product": "Call Recording Software",
          "vendor": "Eleveo",
          "versions": [
            {
              "status": "affected",
              "version": "9.7.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Omar Elshopky (Spark Professional Services)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "omarelshopky (VulDB User)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "omarelshopky (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was determined in Eleveo Call Recording Software 9.7.0. This vulnerability affects unknown code of the file /callrec/composeEmailAction.do. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-13T18:22:36.516Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377777 | Eleveo Call Recording Software composeEmailAction.do improper authorization",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/vuln/377777"
        },
        {
          "name": "VDB-377777 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377777/cti"
        },
        {
          "name": "CVE-2026-15472 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15472"
        },
        {
          "name": "Submit #797465 | Eleveo Call Recording 9.7.0 Broken Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/797465"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/omarelshopky/cves/tree/main/eleveo/call-recording-software/CVE-2026-15472"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-10T00:00:00.000Z",
          "value": "Vendor informed"
        },
        {
          "lang": "en",
          "time": "2026-07-11T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-11T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-13T20:24:36.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Eleveo Call Recording Software composeEmailAction.do improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15472",
    "datePublished": "2026-07-12T01:15:09.958Z",
    "dateReserved": "2026-07-11T09:33:22.603Z",
    "dateUpdated": "2026-07-13T18:22:36.516Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15471 (GCVE-0-2026-15471)

Vulnerability from cvelistv5 – Published: 2026-07-12 01:00 – Updated: 2026-07-13 19:19
VLAI
Title
Eleveo Call Recording Software pci_dss_status.jsp improper authorization
Summary
A vulnerability was found in Eleveo Call Recording Software 9.7.0. This affects an unknown part of the file /callrec/pci_dss_status.jsp. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Vendor Product Version
Eleveo Call Recording Software Affected: 9.7.0
    cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Omar Elshopky (Spark Professional Services) omarelshopky (VulDB User) omarelshopky (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15471",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-13T19:19:03.662595Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-13T19:19:11.777Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://vuldb.com/submit/797464"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*"
          ],
          "product": "Call Recording Software",
          "vendor": "Eleveo",
          "versions": [
            {
              "status": "affected",
              "version": "9.7.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Omar Elshopky (Spark Professional Services)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "omarelshopky (VulDB User)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "omarelshopky (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Eleveo Call Recording Software 9.7.0. This affects an unknown part of the file /callrec/pci_dss_status.jsp. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-13T18:22:19.893Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377776 | Eleveo Call Recording Software pci_dss_status.jsp improper authorization",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/vuln/377776"
        },
        {
          "name": "VDB-377776 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377776/cti"
        },
        {
          "name": "CVE-2026-15471 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15471"
        },
        {
          "name": "Submit #797464 | Eleveo Call Recording 9.7.0 Broken Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/797464"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/omarelshopky/cves/tree/main/eleveo/call-recording-software/CVE-2026-15471"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-10T00:00:00.000Z",
          "value": "Vendor informed"
        },
        {
          "lang": "en",
          "time": "2026-07-11T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-11T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-13T20:24:20.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Eleveo Call Recording Software pci_dss_status.jsp improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15471",
    "datePublished": "2026-07-12T01:00:08.434Z",
    "dateReserved": "2026-07-11T09:33:19.930Z",
    "dateUpdated": "2026-07-13T19:19:11.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.