Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-266
Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CVE-2026-11336 (GCVE-0-2026-11336)
Vulnerability from cvelistv5 – Published: 2026-06-05 15:00 – Updated: 2026-06-09 16:02
VLAI
Title
tittuvarghese CollegeManagementSystem Admin admin_page.php improper authorization
Summary
A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the component Admin Interface. The manipulation of the argument UserAuthData leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/368874 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/368874/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11336 | third-party-advisory |
| https://vuldb.com/submit/832582 | third-party-advisory |
| https://github.com/tittuvarghese/CollegeManagemen… | exploitissue-tracking |
| https://github.com/tittuvarghese/CollegeManagemen… | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tittuvarghese | CollegeManagementSystem |
Affected:
3e476335cfbfb9a049e09f474c7ec885f69a9df3
Affected: a38852979f7e27ae67b610dce5979500ef8ebe01 cpe:2.3:a:tittuvarghese:collegemanagementsystem:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11336",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T16:02:22.407484Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:02:40.216Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/submit/832582"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:tittuvarghese:collegemanagementsystem:*:*:*:*:*:*:*:*"
],
"modules": [
"Admin Interface"
],
"product": "CollegeManagementSystem",
"vendor": "tittuvarghese",
"versions": [
{
"status": "affected",
"version": "3e476335cfbfb9a049e09f474c7ec885f69a9df3"
},
{
"status": "affected",
"version": "a38852979f7e27ae67b610dce5979500ef8ebe01"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "wea5e1 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the component Admin Interface. The manipulation of the argument UserAuthData leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:00:16.287Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-368874 | tittuvarghese CollegeManagementSystem Admin admin_page.php improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/368874"
},
{
"name": "VDB-368874 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/368874/cti"
},
{
"name": "CVE-2026-11336 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11336"
},
{
"name": "Submit #832582 | tittuvarghese CollegeManagementSystem 1.0 Privilege Escalation",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/832582"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/tittuvarghese/CollegeManagementSystem/issues/5"
},
{
"tags": [
"product"
],
"url": "https://github.com/tittuvarghese/CollegeManagementSystem/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-05T10:15:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "tittuvarghese CollegeManagementSystem Admin admin_page.php improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11336",
"datePublished": "2026-06-05T15:00:16.287Z",
"dateReserved": "2026-06-05T08:10:07.777Z",
"dateUpdated": "2026-06-09T16:02:40.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1141 (GCVE-0-2026-1141)
Vulnerability from cvelistv5 – Published: 2026-01-19 06:02 – Updated: 2026-02-23 08:42 X_Freeware
VLAI
Title
PHPGurukul News Portal Add Sub-Admin add-subadmins.php improper authorization
Summary
A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.341733 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.341733 | signaturepermissions-required |
| https://vuldb.com/?submit.735483 | third-party-advisory |
| https://vuldb.com/?submit.736668 | third-party-advisory |
| https://github.com/Asim-QAZi/BrokenAccessControl-… | exploit |
| https://phpgurukul.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PHPGurukul | News Portal |
Affected:
1.0
cpe:2.3:a:phpgurukul:news_portal:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1141",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T21:26:45.920820Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T21:26:51.904Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:phpgurukul:news_portal:*:*:*:*:*:*:*:*"
],
"modules": [
"Add Sub-Admin Page"
],
"product": "News Portal",
"vendor": "PHPGurukul",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "moasim (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T08:42:58.178Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-341733 | PHPGurukul News Portal Add Sub-Admin add-subadmins.php improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.341733"
},
{
"name": "VDB-341733 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.341733"
},
{
"name": "Submit #735483 | PHPGurukul News Portal Project in PHP and MySql 1.0 Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.735483"
},
{
"name": "Submit #736668 | PHPGurukul News Portal v1.0 Authorization Bypass (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.736668"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Asim-QAZi/BrokenAccessControl-News-Portal-Project-in-PHP-and-MySQL-in-PHPGurukul"
},
{
"tags": [
"product"
],
"url": "https://phpgurukul.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-01-18T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-18T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-01-28T02:27:10.000Z",
"value": "VulDB entry last update"
}
],
"title": "PHPGurukul News Portal Add Sub-Admin add-subadmins.php improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-1141",
"datePublished": "2026-01-19T06:02:07.574Z",
"dateReserved": "2026-01-18T07:36:36.414Z",
"dateUpdated": "2026-02-23T08:42:58.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11438 (GCVE-0-2026-11438)
Vulnerability from cvelistv5 – Published: 2026-06-06 17:00 – Updated: 2026-06-08 15:34
VLAI
Title
theonedev projects improper authorization
Summary
A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369018 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369018/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11438 | third-party-advisory |
| https://vuldb.com/submit/822944 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19994142 | related |
| https://github.com/theonedev/onedev/releases/tag/… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T15:34:41.417873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:34:51.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*"
],
"product": "onedev",
"vendor": "theonedev",
"versions": [
{
"status": "affected",
"version": "15.0.0"
},
{
"status": "affected",
"version": "15.0.1"
},
{
"status": "affected",
"version": "15.0.2"
},
{
"status": "affected",
"version": "15.0.3"
},
{
"status": "affected",
"version": "15.0.4"
},
{
"status": "affected",
"version": "15.0.5"
},
{
"status": "unaffected",
"version": "15.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot88 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T17:00:14.794Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369018 | theonedev projects improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369018"
},
{
"name": "VDB-369018 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369018/cti"
},
{
"name": "CVE-2026-11438 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11438"
},
{
"name": "Submit #822944 | theonedev onedev 15.05 BOPLA",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/822944"
},
{
"tags": [
"related"
],
"url": "https://www.cnblogs.com/aibot/p/19994142"
},
{
"tags": [
"patch"
],
"url": "https://github.com/theonedev/onedev/releases/tag/v15.0.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T00:26:13.000Z",
"value": "VulDB entry last update"
}
],
"title": "theonedev projects improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11438",
"datePublished": "2026-06-06T17:00:14.794Z",
"dateReserved": "2026-06-05T22:21:00.483Z",
"dateUpdated": "2026-06-08T15:34:51.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11439 (GCVE-0-2026-11439)
Vulnerability from cvelistv5 – Published: 2026-06-06 17:15 – Updated: 2026-06-08 15:34
VLAI
Title
theonedev Parent Project projects improper authorization
Summary
A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from remote. Upgrading to version 15.0.6 can resolve this issue. It is recommended to upgrade the affected component.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369019 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369019/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11439 | third-party-advisory |
| https://vuldb.com/submit/822955 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19994142 | related |
| https://github.com/theonedev/onedev/releases/tag/… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11439",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T15:34:09.209820Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:34:19.882Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*"
],
"modules": [
"Parent Project Handler"
],
"product": "onedev",
"vendor": "theonedev",
"versions": [
{
"status": "affected",
"version": "15.0.0"
},
{
"status": "affected",
"version": "15.0.1"
},
{
"status": "affected",
"version": "15.0.2"
},
{
"status": "affected",
"version": "15.0.3"
},
{
"status": "affected",
"version": "15.0.4"
},
{
"status": "affected",
"version": "15.0.5"
},
{
"status": "unaffected",
"version": "15.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot88 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from remote. Upgrading to version 15.0.6 can resolve this issue. It is recommended to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T17:15:08.905Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369019 | theonedev Parent Project projects improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369019"
},
{
"name": "VDB-369019 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369019/cti"
},
{
"name": "CVE-2026-11439 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11439"
},
{
"name": "Submit #822955 | theonedev onedev 15.05 BOPLA",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/822955"
},
{
"tags": [
"related"
],
"url": "https://www.cnblogs.com/aibot/p/19994142"
},
{
"tags": [
"patch"
],
"url": "https://github.com/theonedev/onedev/releases/tag/v15.0.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T00:26:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "theonedev Parent Project projects improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11439",
"datePublished": "2026-06-06T17:15:08.905Z",
"dateReserved": "2026-06-05T22:21:02.958Z",
"dateUpdated": "2026-06-08T15:34:19.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11440 (GCVE-0-2026-11440)
Vulnerability from cvelistv5 – Published: 2026-06-06 17:30 – Updated: 2026-06-08 16:30
VLAI
Title
theonedev REST API default-branch improper authorization
Summary
A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369020 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369020/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11440 | third-party-advisory |
| https://vuldb.com/submit/822956 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19994142 | related |
| https://github.com/theonedev/onedev/releases/tag/… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11440",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T16:30:36.858335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:30:48.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*"
],
"modules": [
"REST API"
],
"product": "onedev",
"vendor": "theonedev",
"versions": [
{
"status": "affected",
"version": "15.0.0"
},
{
"status": "affected",
"version": "15.0.1"
},
{
"status": "affected",
"version": "15.0.2"
},
{
"status": "affected",
"version": "15.0.3"
},
{
"status": "affected",
"version": "15.0.4"
},
{
"status": "affected",
"version": "15.0.5"
},
{
"status": "unaffected",
"version": "15.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot88 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T17:30:11.510Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369020 | theonedev REST API default-branch improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369020"
},
{
"name": "VDB-369020 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369020/cti"
},
{
"name": "CVE-2026-11440 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11440"
},
{
"name": "Submit #822956 | theonedev onedev 15.05 BOPLA",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/822956"
},
{
"tags": [
"related"
],
"url": "https://www.cnblogs.com/aibot/p/19994142"
},
{
"tags": [
"patch"
],
"url": "https://github.com/theonedev/onedev/releases/tag/v15.0.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T00:26:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "theonedev REST API default-branch improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11440",
"datePublished": "2026-06-06T17:30:11.510Z",
"dateReserved": "2026-06-05T22:21:05.442Z",
"dateUpdated": "2026-06-08T16:30:48.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11441 (GCVE-0-2026-11441)
Vulnerability from cvelistv5 – Published: 2026-06-06 17:45 – Updated: 2026-06-08 16:33
VLAI
Title
theonedev Pull Request issues canAccessIssue improper authorization
Summary
A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369021 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369021/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11441 | third-party-advisory |
| https://vuldb.com/submit/822957 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19994142 | related |
| https://github.com/theonedev/onedev/releases/tag/… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11441",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T14:18:20.406637Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:33:38.173Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*"
],
"modules": [
"Pull Request Handler"
],
"product": "onedev",
"vendor": "theonedev",
"versions": [
{
"status": "affected",
"version": "15.0.0"
},
{
"status": "affected",
"version": "15.0.1"
},
{
"status": "affected",
"version": "15.0.2"
},
{
"status": "affected",
"version": "15.0.3"
},
{
"status": "affected",
"version": "15.0.4"
},
{
"status": "affected",
"version": "15.0.5"
},
{
"status": "unaffected",
"version": "15.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot88 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T17:45:10.650Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369021 | theonedev Pull Request issues canAccessIssue improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369021"
},
{
"name": "VDB-369021 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369021/cti"
},
{
"name": "CVE-2026-11441 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11441"
},
{
"name": "Submit #822957 | theonedev onedev 15.05 BOPLA",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/822957"
},
{
"tags": [
"related"
],
"url": "https://www.cnblogs.com/aibot/p/19994142"
},
{
"tags": [
"patch"
],
"url": "https://github.com/theonedev/onedev/releases/tag/v15.0.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T00:26:22.000Z",
"value": "VulDB entry last update"
}
],
"title": "theonedev Pull Request issues canAccessIssue improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11441",
"datePublished": "2026-06-06T17:45:10.650Z",
"dateReserved": "2026-06-05T22:21:08.343Z",
"dateUpdated": "2026-06-08T16:33:38.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11462 (GCVE-0-2026-11462)
Vulnerability from cvelistv5 – Published: 2026-06-07 22:00 – Updated: 2026-06-08 12:15 X_Open Source
VLAI
Title
Chengdu Everbrite Network Technology BeikeShop Stripe Plugin StripeController.php callback improper authorization
Summary
A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. This impacts the function callback of the file plugins/Stripe/Controllers/StripeController.php of the component Stripe Plugin. Performing a manipulation of the argument Request results in improper authorization. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named 6719e0fc690ea0a998452092862e0f0a17c65968. It is suggested to install a patch to address this issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369082 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369082/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11462 | third-party-advisory |
| https://vuldb.com/submit/831466 | third-party-advisory |
| https://github.com/nuiifornet/BeikeShop-Vulnerabi… | exploit |
| https://github.com/beikeshop/beikeshop/commit/671… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Chengdu Everbrite Network Technology | BeikeShop |
Affected:
1.6.0.0
Affected: 1.6.0.1 Affected: 1.6.0.2 Affected: 1.6.0.3 Affected: 1.6.0.4 Affected: 1.6.0.5 Affected: 1.6.0.6 Affected: 1.6.0.7 Affected: 1.6.0.8 Affected: 1.6.0.9 Affected: 1.6.0.10 Affected: 1.6.0.11 Affected: 1.6.0.12 Affected: 1.6.0.13 Affected: 1.6.0.14 Affected: 1.6.0.15 Affected: 1.6.0.16 Affected: 1.6.0.17 Affected: 1.6.0.18 Affected: 1.6.0.19 Affected: 1.6.0.20 Affected: 1.6.0.21 Affected: 1.6.0.22 cpe:2.3:a:chengdu_everbrite_network_technology:beikeshop:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11462",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T11:10:10.863921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T12:15:15.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:chengdu_everbrite_network_technology:beikeshop:*:*:*:*:*:*:*:*"
],
"modules": [
"Stripe Plugin"
],
"product": "BeikeShop",
"vendor": "Chengdu Everbrite Network Technology",
"versions": [
{
"status": "affected",
"version": "1.6.0.0"
},
{
"status": "affected",
"version": "1.6.0.1"
},
{
"status": "affected",
"version": "1.6.0.2"
},
{
"status": "affected",
"version": "1.6.0.3"
},
{
"status": "affected",
"version": "1.6.0.4"
},
{
"status": "affected",
"version": "1.6.0.5"
},
{
"status": "affected",
"version": "1.6.0.6"
},
{
"status": "affected",
"version": "1.6.0.7"
},
{
"status": "affected",
"version": "1.6.0.8"
},
{
"status": "affected",
"version": "1.6.0.9"
},
{
"status": "affected",
"version": "1.6.0.10"
},
{
"status": "affected",
"version": "1.6.0.11"
},
{
"status": "affected",
"version": "1.6.0.12"
},
{
"status": "affected",
"version": "1.6.0.13"
},
{
"status": "affected",
"version": "1.6.0.14"
},
{
"status": "affected",
"version": "1.6.0.15"
},
{
"status": "affected",
"version": "1.6.0.16"
},
{
"status": "affected",
"version": "1.6.0.17"
},
{
"status": "affected",
"version": "1.6.0.18"
},
{
"status": "affected",
"version": "1.6.0.19"
},
{
"status": "affected",
"version": "1.6.0.20"
},
{
"status": "affected",
"version": "1.6.0.21"
},
{
"status": "affected",
"version": "1.6.0.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Fklov (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. This impacts the function callback of the file plugins/Stripe/Controllers/StripeController.php of the component Stripe Plugin. Performing a manipulation of the argument Request results in improper authorization. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named 6719e0fc690ea0a998452092862e0f0a17c65968. It is suggested to install a patch to address this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-07T22:00:13.496Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369082 | Chengdu Everbrite Network Technology BeikeShop Stripe Plugin StripeController.php callback improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369082"
},
{
"name": "VDB-369082 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369082/cti"
},
{
"name": "CVE-2026-11462 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11462"
},
{
"name": "Submit #831466 | BeikeShop 1.6.0 Design/Logic Flaw",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/831466"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/nuiifornet/BeikeShop-Vulnerability/blob/main/README.md"
},
{
"tags": [
"patch"
],
"url": "https://github.com/beikeshop/beikeshop/commit/6719e0fc690ea0a998452092862e0f0a17c65968"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-07T09:37:27.000Z",
"value": "VulDB entry last update"
}
],
"title": "Chengdu Everbrite Network Technology BeikeShop Stripe Plugin StripeController.php callback improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11462",
"datePublished": "2026-06-07T22:00:13.496Z",
"dateReserved": "2026-06-07T07:32:23.691Z",
"dateUpdated": "2026-06-08T12:15:15.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11466 (GCVE-0-2026-11466)
Vulnerability from cvelistv5 – Published: 2026-06-07 23:00 – Updated: 2026-06-08 13:44
VLAI
Title
zilliztech deep-searcher collection_router.py CollectionRouter.invoke access control
Summary
A weakness has been identified in zilliztech deep-searcher up to 0.0.2. This affects the function CollectionRouter.invoke of the file deepsearcher/agent/collection_router.py. This manipulation of the argument kwargs causes improper access controls. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369086 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369086/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11466 | third-party-advisory |
| https://vuldb.com/submit/833652 | third-party-advisory |
| https://github.com/zilliztech/deep-searcher/issues/267 | exploitissue-tracking |
| https://github.com/zilliztech/deep-searcher/pull/268 | issue-trackingpatch |
| https://github.com/zilliztech/deep-searcher/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| zilliztech | deep-searcher |
Affected:
0.0.1
Affected: 0.0.2 cpe:2.3:a:zilliztech:deep-searcher:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11466",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:44:14.044854Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:44:25.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:zilliztech:deep-searcher:*:*:*:*:*:*:*:*"
],
"product": "deep-searcher",
"vendor": "zilliztech",
"versions": [
{
"status": "affected",
"version": "0.0.1"
},
{
"status": "affected",
"version": "0.0.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem000 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in zilliztech deep-searcher up to 0.0.2. This affects the function CollectionRouter.invoke of the file deepsearcher/agent/collection_router.py. This manipulation of the argument kwargs causes improper access controls. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-07T23:00:15.431Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369086 | zilliztech deep-searcher collection_router.py CollectionRouter.invoke access control",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369086"
},
{
"name": "VDB-369086 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369086/cti"
},
{
"name": "CVE-2026-11466 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11466"
},
{
"name": "Submit #833652 | zilliztech deep-searcher 0.0.2 Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/833652"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/zilliztech/deep-searcher/issues/267"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/zilliztech/deep-searcher/pull/268"
},
{
"tags": [
"product"
],
"url": "https://github.com/zilliztech/deep-searcher/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-07T11:25:22.000Z",
"value": "VulDB entry last update"
}
],
"title": "zilliztech deep-searcher collection_router.py CollectionRouter.invoke access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11466",
"datePublished": "2026-06-07T23:00:15.431Z",
"dateReserved": "2026-06-07T09:20:16.327Z",
"dateUpdated": "2026-06-08T13:44:25.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11476 (GCVE-0-2026-11476)
Vulnerability from cvelistv5 – Published: 2026-06-08 01:30 – Updated: 2026-06-08 13:02
VLAI
Title
Kushan2k student-management-system Profile Update Endpoint AdminController.php edit-admin improper authorization
Summary
A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The manipulation of the argument isadmin leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369096 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369096/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11476 | third-party-advisory |
| https://vuldb.com/submit/833945 | third-party-advisory |
| https://github.com/Kushan2k/student-management-sy… | exploitissue-tracking |
| https://github.com/Kushan2k/student-management-system/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Kushan2k | student-management-system |
Affected:
f16a4ceaddd6729c4b306ed4641cda3176c1ef2a
cpe:2.3:a:kushan2k:student-management-system:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11476",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:02:49.358440Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:02:59.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:kushan2k:student-management-system:*:*:*:*:*:*:*:*"
],
"modules": [
"Profile Update Endpoint"
],
"product": "student-management-system",
"vendor": "Kushan2k",
"versions": [
{
"status": "affected",
"version": "f16a4ceaddd6729c4b306ed4641cda3176c1ef2a"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Pr0x1ma (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The manipulation of the argument isadmin leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T01:30:09.326Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369096 | Kushan2k student-management-system Profile Update Endpoint AdminController.php edit-admin improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369096"
},
{
"name": "VDB-369096 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369096/cti"
},
{
"name": "CVE-2026-11476 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11476"
},
{
"name": "Submit #833945 | Kushan2k student-management-system 1.0 Unauthenticated Admin Profile Update Endpoint",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/833945"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Kushan2k/student-management-system/issues/3"
},
{
"tags": [
"product"
],
"url": "https://github.com/Kushan2k/student-management-system/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-07T11:43:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "Kushan2k student-management-system Profile Update Endpoint AdminController.php edit-admin improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11476",
"datePublished": "2026-06-08T01:30:09.326Z",
"dateReserved": "2026-06-07T09:37:52.667Z",
"dateUpdated": "2026-06-08T13:02:59.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11492 (GCVE-0-2026-11492)
Vulnerability from cvelistv5 – Published: 2026-06-08 05:30 – Updated: 2026-06-08 13:00
VLAI
Title
D-Link DIR-823G vsftpd vsftpd.conf least privilege violation
Summary
A security flaw has been discovered in D-Link DIR-823G 1.0.2B05. The affected element is an unknown function of the file /etc/vsftpd.conf of the component vsftpd. Performing a manipulation results in least privilege violation. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369112 | vdb-entry |
| https://vuldb.com/vuln/369112/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11492 | third-party-advisory |
| https://vuldb.com/submit/834816 | third-party-advisory |
| https://www.notion.so/D-Link-DIR823G-V1-0-2B05_20… | exploit |
| https://www.dlink.com/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11492",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:00:26.469301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:00:43.295Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:h:d-link:dir-823g:*:*:*:*:*:*:*:*"
],
"modules": [
"vsftpd"
],
"product": "DIR-823G",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "1.0.2B05"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L-14 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in D-Link DIR-823G 1.0.2B05. The affected element is an unknown function of the file /etc/vsftpd.conf of the component vsftpd. Performing a manipulation results in least privilege violation. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-272",
"description": "Least Privilege Violation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T05:30:09.936Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369112 | D-Link DIR-823G vsftpd vsftpd.conf least privilege violation",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/369112"
},
{
"name": "VDB-369112 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369112/cti"
},
{
"name": "CVE-2026-11492 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11492"
},
{
"name": "Submit #834816 | D-Link DIR823G V1.0.2B05_20181207 Misconfiguration",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834816"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/D-Link-DIR823G-V1-0-2B05_20181207-3671f5ba989080ac97fdc36d2fb5e57d?source=copy_link"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-07T12:21:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DIR-823G vsftpd vsftpd.conf least privilege violation"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11492",
"datePublished": "2026-06-08T05:30:09.936Z",
"dateReserved": "2026-06-07T10:16:15.110Z",
"dateUpdated": "2026-06-08T13:00:43.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-1
Phases: Architecture and Design, Operation
Description:
- Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation ID: MIT-17
Phases: Architecture and Design, Operation
Strategy: Environment Hardening
Description:
- Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.