CWE-266
AllowedIncorrect Privilege Assignment
Abstraction: Base · Status: Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
1913 vulnerabilities reference this CWE, most recent first.
CVE-2026-14794 (GCVE-0-2026-14794)
Vulnerability from cvelistv5 – Published: 2026-07-06 03:45 – Updated: 2026-07-06 13:05 X_Freeware| URL | Tags |
|---|---|
| https://vuldb.com/vuln/376388 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/376388/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-14794 | third-party-advisory |
| https://vuldb.com/submit/850793 | third-party-advisory |
| https://github.com/craftcms/cms/commit/9ee53efc13… | patch |
| https://github.com/craftcms/cms/releases/tag/4.18.1 | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14794",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T13:05:13.735519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T13:05:23.079Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:craft:cms:*:*:*:*:*:*:*:*"
],
"modules": [
"Charts Endpoint"
],
"product": "CMS",
"vendor": "Craft",
"versions": [
{
"status": "affected",
"version": "4.18.0.0"
},
{
"status": "affected",
"version": "4.18.0.1"
},
{
"status": "unaffected",
"version": "4.18.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "geochen (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is possible to be carried out remotely. Upgrading to version 4.18.1 addresses this issue. Patch name: 9ee53efc1314e6aba32771c66a13e072a246f4ce. It is suggested to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T03:45:09.182Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-376388 | Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/376388"
},
{
"name": "VDB-376388 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/376388/cti"
},
{
"name": "CVE-2026-14794 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-14794"
},
{
"name": "Submit #850793 | Craftcms CMS 5.10.1 Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/850793"
},
{
"tags": [
"patch"
],
"url": "https://github.com/craftcms/cms/commit/9ee53efc1314e6aba32771c66a13e072a246f4ce"
},
{
"tags": [
"patch"
],
"url": "https://github.com/craftcms/cms/releases/tag/4.18.1"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-05T20:34:33.000Z",
"value": "VulDB entry last update"
}
],
"title": "Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-14794",
"datePublished": "2026-07-06T03:45:09.182Z",
"dateReserved": "2026-07-05T18:29:29.737Z",
"dateUpdated": "2026-07-06T13:05:23.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14792 (GCVE-0-2026-14792)
Vulnerability from cvelistv5 – Published: 2026-07-06 03:00 – Updated: 2026-07-07 02:59 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/vuln/376386 | vdb-entry |
| https://vuldb.com/vuln/376386/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-14792 | third-party-advisory |
| https://vuldb.com/submit/850791 | third-party-advisory |
| https://github.com/formbricks/formbricks/pull/8094 | issue-trackingpatch |
| https://github.com/formbricks/formbricks/commit/a… | patch |
| https://github.com/formbricks/formbricks/releases… | patch |
| https://github.com/formbricks/formbricks/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Formbricks |
Affected:
5.0.0
Unaffected: 5.1.0-rc.1 cpe:2.3:a:formbricks:formbricks:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14792",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T02:59:28.136460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T02:59:38.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:formbricks:formbricks:*:*:*:*:*:*:*:*"
],
"modules": [
"Survey Handler"
],
"product": "Formbricks",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "5.0.0"
},
{
"status": "unaffected",
"version": "5.1.0-rc.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "geochen (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Formbricks 5.0.0. This impacts an unknown function of the file apps/web/modules/survey/link/actions.ts of the component Survey Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. Upgrading to version 5.1.0-rc.1 will fix this issue. The identifier of the patch is af6023b5ac3b030ffcea24fac799f76f3e3512c6. You should upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.4,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T03:00:11.234Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-376386 | Formbricks Survey actions.ts access control",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/376386"
},
{
"name": "VDB-376386 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/376386/cti"
},
{
"name": "CVE-2026-14792 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-14792"
},
{
"name": "Submit #850791 | Formbricks 5.0.0 Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/850791"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/formbricks/formbricks/pull/8094"
},
{
"tags": [
"patch"
],
"url": "https://github.com/formbricks/formbricks/commit/af6023b5ac3b030ffcea24fac799f76f3e3512c6"
},
{
"tags": [
"patch"
],
"url": "https://github.com/formbricks/formbricks/releases/tag/5.1.0-rc.1"
},
{
"tags": [
"product"
],
"url": "https://github.com/formbricks/formbricks/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-05T20:26:23.000Z",
"value": "VulDB entry last update"
}
],
"title": "Formbricks Survey actions.ts access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-14792",
"datePublished": "2026-07-06T03:00:11.234Z",
"dateReserved": "2026-07-05T18:21:20.337Z",
"dateUpdated": "2026-07-07T02:59:38.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14778 (GCVE-0-2026-14778)
Vulnerability from cvelistv5 – Published: 2026-07-05 23:30 – Updated: 2026-07-06 13:15 X_Freeware| URL | Tags |
|---|---|
| https://vuldb.com/vuln/376368 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/376368/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-14778 | third-party-advisory |
| https://vuldb.com/submit/850695 | third-party-advisory |
| https://github.com/nuiifornet/A033/blob/main/OE-L… | exploit |
| https://www.sourcecodester.com/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Onlne Examination & Learning Management System |
Affected:
1.0
cpe:2.3:a:sourcecodester:onlne_examination_learning_management_system:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14778",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T13:15:19.103122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T13:15:27.861Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:onlne_examination_learning_management_system:*:*:*:*:*:*:*:*"
],
"modules": [
"Enrollment Management"
],
"product": "Onlne Examination \u0026 Learning Management System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Fklov (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in SourceCodester Onlne Examination \u0026 Learning Management System 1.0. This affects an unknown part of the file /ajax_enroll.php of the component Enrollment Management. The manipulation of the argument student_id/schedule_id/action leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The name of the affected product appears to have a typo in it."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T23:30:09.071Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-376368 | SourceCodester Onlne Examination \u0026 Learning Management System Enrollment Management ajax_enroll.php improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/376368"
},
{
"name": "VDB-376368 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/376368/cti"
},
{
"name": "CVE-2026-14778 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-14778"
},
{
"name": "Submit #850695 | SourceCodester Online Examination \u0026 Learning Management System 1.0 Missing Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/850695"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/nuiifornet/A033/blob/main/OE-LMS-IDOR-ajax_enroll.md"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-05T06:13:33.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Onlne Examination \u0026 Learning Management System Enrollment Management ajax_enroll.php improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-14778",
"datePublished": "2026-07-05T23:30:09.071Z",
"dateReserved": "2026-07-05T04:08:21.195Z",
"dateUpdated": "2026-07-06T13:15:27.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14719 (GCVE-0-2026-14719)
Vulnerability from cvelistv5 – Published: 2026-07-05 07:00 – Updated: 2026-07-06 13:28 X_Freeware| URL | Tags |
|---|---|
| https://vuldb.com/vuln/376307 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/376307/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-14719 | third-party-advisory |
| https://vuldb.com/submit/847515 | third-party-advisory |
| https://pastebin.com/Z4i5MGxk | exploit |
| https://www.sourcecodester.com/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Onlne Examination & Learning Management System |
Affected:
1.0
cpe:2.3:a:sourcecodester:onlne_examination_learning_management_system:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14719",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T13:28:23.055738Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T13:28:43.767Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:onlne_examination_learning_management_system:*:*:*:*:*:*:*:*"
],
"modules": [
"Registration Endpoint"
],
"product": "Onlne Examination \u0026 Learning Management System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ameenkbrd (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in SourceCodester Onlne Examination \u0026 Learning Management System 1.0. The impacted element is an unknown function of the file register.php of the component Registration Endpoint. Executing a manipulation of the argument role can lead to improper privilege management. The attack can be executed remotely. The exploit has been published and may be used. The name of the affected product appears to have a typo in it."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T07:00:09.264Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-376307 | SourceCodester Onlne Examination \u0026 Learning Management System Registration Endpoint register.php privileges management",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/376307"
},
{
"name": "VDB-376307 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/376307/cti"
},
{
"name": "CVE-2026-14719 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-14719"
},
{
"name": "Submit #847515 | SourceCodester (ampoldev) Online Examination \u0026 LMS (CICT Portal) by ampoldev 2026-05-25 Improper Privilege Management",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/847515"
},
{
"tags": [
"exploit"
],
"url": "https://pastebin.com/Z4i5MGxk"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-04T10:00:35.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Onlne Examination \u0026 Learning Management System Registration Endpoint register.php privileges management"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-14719",
"datePublished": "2026-07-05T07:00:09.264Z",
"dateReserved": "2026-07-04T07:55:32.396Z",
"dateUpdated": "2026-07-06T13:28:43.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14693 (GCVE-0-2026-14693)
Vulnerability from cvelistv5 – Published: 2026-07-05 02:15 – Updated: 2026-07-06 18:37 X_Freeware| URL | Tags |
|---|---|
| https://vuldb.com/vuln/376289 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/376289/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-14693 | third-party-advisory |
| https://vuldb.com/submit/846833 | third-party-advisory |
| https://github.com/lee945/cve/issues/4 | exploitissue-tracking |
| https://www.sourcecodester.com/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Multi-Vendor Online Grocery Management System |
Affected:
1.0
cpe:2.3:a:sourcecodester:multi-vendor_online_grocery_management_system:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14693",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T18:37:19.227868Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T18:37:23.456Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/submit/846833"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:multi-vendor_online_grocery_management_system:*:*:*:*:*:*:*:*"
],
"product": "Multi-Vendor Online Grocery Management System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "cHr1s (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in SourceCodester Multi-Vendor Online Grocery Management System 1.0. Affected by this vulnerability is the function cancel_order of the file classes/Master.php. Executing a manipulation can lead to improper authorization. The attack may be performed from remote. The exploit has been published and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T02:15:09.034Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-376289 | SourceCodester Multi-Vendor Online Grocery Management System Master.php cancel_order improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/376289"
},
{
"name": "VDB-376289 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/376289/cti"
},
{
"name": "CVE-2026-14693 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-14693"
},
{
"name": "Submit #846833 | SourceCodester Multi-Vendor Online Grocery Management System 1.0 Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/846833"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/lee945/cve/issues/4"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-04T07:04:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Multi-Vendor Online Grocery Management System Master.php cancel_order improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-14693",
"datePublished": "2026-07-05T02:15:09.034Z",
"dateReserved": "2026-07-04T04:59:01.755Z",
"dateUpdated": "2026-07-06T18:37:23.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14690 (GCVE-0-2026-14690)
Vulnerability from cvelistv5 – Published: 2026-07-05 01:30 – Updated: 2026-07-06 16:50 X_Freeware| URL | Tags |
|---|---|
| https://vuldb.com/vuln/376286 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/376286/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-14690 | third-party-advisory |
| https://vuldb.com/submit/846830 | third-party-advisory |
| https://github.com/lee945/cve/issues/1 | exploitissue-tracking |
| https://www.sourcecodester.com/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Multi-Vendor Online Grocery Management System |
Affected:
1.0
cpe:2.3:a:sourcecodester:multi-vendor_online_grocery_management_system:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14690",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T16:46:00.838846Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T16:50:53.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:multi-vendor_online_grocery_management_system:*:*:*:*:*:*:*:*"
],
"product": "Multi-Vendor Online Grocery Management System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "cHr1s (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This affects the function save_users of the file classes/Users.php. This manipulation causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T01:30:09.372Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-376286 | SourceCodester Multi-Vendor Online Grocery Management System Users.php save_users improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/376286"
},
{
"name": "VDB-376286 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/376286/cti"
},
{
"name": "CVE-2026-14690 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-14690"
},
{
"name": "Submit #846830 | SourceCodester Multi-Vendor Online Grocery Management System 1.0 Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/846830"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/lee945/cve/issues/1"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-04T07:04:12.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Multi-Vendor Online Grocery Management System Users.php save_users improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-14690",
"datePublished": "2026-07-05T01:30:09.372Z",
"dateReserved": "2026-07-04T04:58:52.574Z",
"dateUpdated": "2026-07-06T16:50:53.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13591 (GCVE-0-2026-13591)
Vulnerability from cvelistv5 – Published: 2026-06-29 17:00 – Updated: 2026-06-29 17:30 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/vuln/374594 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/374594/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-13591 | third-party-advisory |
| https://vuldb.com/submit/844480 | third-party-advisory |
| https://github.com/DeepMyst/Mysti/issues/42 | exploitissue-tracking |
| https://github.com/DeepMyst/Mysti/pull/43 | issue-trackingpatch |
| https://github.com/DeepMyst/Mysti/commit/9b4aff0f… | patch |
| https://github.com/DeepMyst/Mysti/ | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13591",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T17:30:38.595087Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T17:30:50.826Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:deepmyst:mysti:*:*:*:*:*:*:*:*"
],
"modules": [
"Contact Tracking"
],
"product": "Mysti",
"vendor": "DeepMyst",
"versions": [
{
"status": "affected",
"version": "0.4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "dem0000 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in DeepMyst Mysti 0.4.0. Affected is the function _isTrackedConversation of the file src/managers/ChannelBridge.ts of the component Contact Tracking. This manipulation of the argument _channelType causes improper authorization. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The exploit has been made available to the public and could be used for attacks. Patch name: 9b4aff0f106db424aa45a35aa89dd0b8f2eb9a48. It is suggested to install a patch to address this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.6,
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T17:00:10.844Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-374594 | DeepMyst Mysti Contact Tracking ChannelBridge.ts _isTrackedConversation improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/374594"
},
{
"name": "VDB-374594 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/374594/cti"
},
{
"name": "CVE-2026-13591 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-13591"
},
{
"name": "Submit #844480 | DeepMyst Mysti 0.4.0 Authorization Bypass / Identity Spoofing",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/844480"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/DeepMyst/Mysti/issues/42"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/DeepMyst/Mysti/pull/43"
},
{
"tags": [
"patch"
],
"url": "https://github.com/DeepMyst/Mysti/commit/9b4aff0f106db424aa45a35aa89dd0b8f2eb9a48"
},
{
"tags": [
"product"
],
"url": "https://github.com/DeepMyst/Mysti/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-06-29T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-29T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-29T06:56:36.000Z",
"value": "VulDB entry last update"
}
],
"title": "DeepMyst Mysti Contact Tracking ChannelBridge.ts _isTrackedConversation improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-13591",
"datePublished": "2026-06-29T17:00:10.844Z",
"dateReserved": "2026-06-29T04:51:32.852Z",
"dateUpdated": "2026-06-29T17:30:50.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13568 (GCVE-0-2026-13568)
Vulnerability from cvelistv5 – Published: 2026-06-29 12:45 – Updated: 2026-07-01 14:00 X_Freeware| URL | Tags |
|---|---|
| https://vuldb.com/vuln/374576 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/374576/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-13568 | third-party-advisory |
| https://vuldb.com/submit/844257 | third-party-advisory |
| https://www.sourcecodester.com/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Inventory Management System |
Affected:
1.0
cpe:2.3:a:sourcecodester:inventory_management_system:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13568",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T13:59:50.632930Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:00:47.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/submit/844257"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:inventory_management_system:*:*:*:*:*:*:*:*"
],
"modules": [
"User Registration Endpoint"
],
"product": "Inventory Management System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ayush8816 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB Vulnerability Moderation Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in SourceCodester Inventory Management System 1.0. This vulnerability affects unknown code of the file /api/users_handler.php of the component User Registration Endpoint. This manipulation of the argument role causes improper access controls. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T12:45:07.960Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-374576 | SourceCodester Inventory Management System User Registration Endpoint users_handler.php access control",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/374576"
},
{
"name": "VDB-374576 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/374576/cti"
},
{
"name": "CVE-2026-13568 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-13568"
},
{
"name": "Submit #844257 | SourceCodester Inventory Management System NA Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/844257"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-06-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-28T20:27:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Inventory Management System User Registration Endpoint users_handler.php access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-13568",
"datePublished": "2026-06-29T12:45:07.960Z",
"dateReserved": "2026-06-28T18:22:52.356Z",
"dateUpdated": "2026-07-01T14:00:47.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13544 (GCVE-0-2026-13544)
Vulnerability from cvelistv5 – Published: 2026-06-29 06:45 – Updated: 2026-06-29 13:48| URL | Tags |
|---|---|
| https://vuldb.com/vuln/374552 | vdb-entry |
| https://vuldb.com/vuln/374552/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-13544 | third-party-advisory |
| https://vuldb.com/submit/842582 | third-party-advisory |
| https://vuldb.com/submit/842595 | third-party-advisory |
| https://vuldb.com/submit/842602 | third-party-advisory |
| https://github.com/liufee/cms/issues/88 | issue-tracking |
| https://github.com/liufee/cms/issues/89 | exploitissue-tracking |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13544",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:48:47.863478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:48:58.783Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:feehi:cms:*:*:*:*:*:*:*:*"
],
"modules": [
"API"
],
"product": "CMS",
"vendor": "Feehi",
"versions": [
{
"status": "affected",
"version": "2.1.0"
},
{
"status": "affected",
"version": "2.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "byname (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Feehi CMS up to 2.1.1. Affected by this issue is some unknown functionality of the file /api/users of the component API. This manipulation causes improper access controls. The attack can be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T06:45:07.860Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-374552 | Feehi CMS API users access control",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/374552"
},
{
"name": "VDB-374552 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/374552/cti"
},
{
"name": "CVE-2026-13544 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-13544"
},
{
"name": "Submit #842582 | liufee cms 2.1.1 Information Disclosure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/842582"
},
{
"name": "Submit #842595 | liufee cms 2.1.1 Improper Privilege Management (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/842595"
},
{
"name": "Submit #842602 | liufee cms 2.1.1 Authorization Bypass (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/842602"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/liufee/cms/issues/88"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/liufee/cms/issues/89"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-28T13:02:12.000Z",
"value": "VulDB entry last update"
}
],
"title": "Feehi CMS API users access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-13544",
"datePublished": "2026-06-29T06:45:07.860Z",
"dateReserved": "2026-06-28T10:15:22.055Z",
"dateUpdated": "2026-06-29T13:48:58.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13524 (GCVE-0-2026-13524)
Vulnerability from cvelistv5 – Published: 2026-06-29 01:45 – Updated: 2026-06-30 17:25| URL | Tags |
|---|---|
| https://vuldb.com/vuln/374532 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/374532/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-13524 | third-party-advisory |
| https://vuldb.com/submit/840175 | third-party-advisory |
| https://github.com/CherryHQ/cherry-studio/issues/15372 | exploitissue-tracking |
| https://github.com/CherryHQ/cherry-studio/pull/15388 | issue-trackingpatch |
| https://github.com/CherryHQ/cherry-studio/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
1.9.0
Affected: 1.9.1 Affected: 1.9.2 Affected: 1.9.3 Affected: 1.9.4 Affected: 1.9.5 Affected: 1.9.6 cpe:2.3:a:cherryhq:cherry-studio:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13524",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T17:25:37.210636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T17:25:56.340Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/submit/840175"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:cherryhq:cherry-studio:*:*:*:*:*:*:*:*"
],
"modules": [
"MCP OAuth Local Callback Server"
],
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "1.9.0"
},
{
"status": "affected",
"version": "1.9.1"
},
{
"status": "affected",
"version": "1.9.2"
},
{
"status": "affected",
"version": "1.9.3"
},
{
"status": "affected",
"version": "1.9.4"
},
{
"status": "affected",
"version": "1.9.5"
},
{
"status": "affected",
"version": "1.9.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "dem0000 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in CherryHQ cherry-studio up to 1.9.6. This vulnerability affects unknown code of the file src/main/services/mcp/oauth/callback.ts of the component MCP OAuth Local Callback Server. The manipulation of the argument code leads to improper authorization. The attack can be initiated remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.1,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T01:45:08.988Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-374532 | CherryHQ cherry-studio MCP OAuth Local Callback Server callback.ts improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/374532"
},
{
"name": "VDB-374532 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/374532/cti"
},
{
"name": "CVE-2026-13524 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-13524"
},
{
"name": "Submit #840175 | CherryHQ cherry-studio 1.9.6 Authorization Bypass / Login CSRF",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/840175"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/CherryHQ/cherry-studio/issues/15372"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/CherryHQ/cherry-studio/pull/15388"
},
{
"tags": [
"product"
],
"url": "https://github.com/CherryHQ/cherry-studio/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-28T09:55:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "CherryHQ cherry-studio MCP OAuth Local Callback Server callback.ts improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-13524",
"datePublished": "2026-06-29T01:45:08.988Z",
"dateReserved": "2026-06-28T07:50:21.081Z",
"dateUpdated": "2026-06-30T17:25:56.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.