CWE-266
AllowedIncorrect Privilege Assignment
Abstraction: Base · Status: Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
1913 vulnerabilities reference this CWE, most recent first.
CVE-2026-11476 (GCVE-0-2026-11476)
Vulnerability from cvelistv5 – Published: 2026-06-08 01:30 – Updated: 2026-06-08 13:02| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369096 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369096/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11476 | third-party-advisory |
| https://vuldb.com/submit/833945 | third-party-advisory |
| https://github.com/Kushan2k/student-management-sy… | exploitissue-tracking |
| https://github.com/Kushan2k/student-management-system/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| Kushan2k | student-management-system |
Affected:
f16a4ceaddd6729c4b306ed4641cda3176c1ef2a
cpe:2.3:a:kushan2k:student-management-system:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11476",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:02:49.358440Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:02:59.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:kushan2k:student-management-system:*:*:*:*:*:*:*:*"
],
"modules": [
"Profile Update Endpoint"
],
"product": "student-management-system",
"vendor": "Kushan2k",
"versions": [
{
"status": "affected",
"version": "f16a4ceaddd6729c4b306ed4641cda3176c1ef2a"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Pr0x1ma (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The manipulation of the argument isadmin leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T01:30:09.326Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369096 | Kushan2k student-management-system Profile Update Endpoint AdminController.php edit-admin improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369096"
},
{
"name": "VDB-369096 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369096/cti"
},
{
"name": "CVE-2026-11476 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11476"
},
{
"name": "Submit #833945 | Kushan2k student-management-system 1.0 Unauthenticated Admin Profile Update Endpoint",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/833945"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Kushan2k/student-management-system/issues/3"
},
{
"tags": [
"product"
],
"url": "https://github.com/Kushan2k/student-management-system/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-07T11:43:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "Kushan2k student-management-system Profile Update Endpoint AdminController.php edit-admin improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11476",
"datePublished": "2026-06-08T01:30:09.326Z",
"dateReserved": "2026-06-07T09:37:52.667Z",
"dateUpdated": "2026-06-08T13:02:59.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11466 (GCVE-0-2026-11466)
Vulnerability from cvelistv5 – Published: 2026-06-07 23:00 – Updated: 2026-06-08 13:44| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369086 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369086/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11466 | third-party-advisory |
| https://vuldb.com/submit/833652 | third-party-advisory |
| https://github.com/zilliztech/deep-searcher/issues/267 | exploitissue-tracking |
| https://github.com/zilliztech/deep-searcher/pull/268 | issue-trackingpatch |
| https://github.com/zilliztech/deep-searcher/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| zilliztech | deep-searcher |
Affected:
0.0.1
Affected: 0.0.2 cpe:2.3:a:zilliztech:deep-searcher:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11466",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:44:14.044854Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:44:25.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:zilliztech:deep-searcher:*:*:*:*:*:*:*:*"
],
"product": "deep-searcher",
"vendor": "zilliztech",
"versions": [
{
"status": "affected",
"version": "0.0.1"
},
{
"status": "affected",
"version": "0.0.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem000 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in zilliztech deep-searcher up to 0.0.2. This affects the function CollectionRouter.invoke of the file deepsearcher/agent/collection_router.py. This manipulation of the argument kwargs causes improper access controls. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-07T23:00:15.431Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369086 | zilliztech deep-searcher collection_router.py CollectionRouter.invoke access control",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369086"
},
{
"name": "VDB-369086 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369086/cti"
},
{
"name": "CVE-2026-11466 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11466"
},
{
"name": "Submit #833652 | zilliztech deep-searcher 0.0.2 Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/833652"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/zilliztech/deep-searcher/issues/267"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/zilliztech/deep-searcher/pull/268"
},
{
"tags": [
"product"
],
"url": "https://github.com/zilliztech/deep-searcher/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-07T11:25:22.000Z",
"value": "VulDB entry last update"
}
],
"title": "zilliztech deep-searcher collection_router.py CollectionRouter.invoke access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11466",
"datePublished": "2026-06-07T23:00:15.431Z",
"dateReserved": "2026-06-07T09:20:16.327Z",
"dateUpdated": "2026-06-08T13:44:25.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11462 (GCVE-0-2026-11462)
Vulnerability from cvelistv5 – Published: 2026-06-07 22:00 – Updated: 2026-06-08 12:15 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369082 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369082/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11462 | third-party-advisory |
| https://vuldb.com/submit/831466 | third-party-advisory |
| https://github.com/nuiifornet/BeikeShop-Vulnerabi… | exploit |
| https://github.com/beikeshop/beikeshop/commit/671… | patch |
| Vendor | Product | Version | |
|---|---|---|---|
| Chengdu Everbrite Network Technology | BeikeShop |
Affected:
1.6.0.0
Affected: 1.6.0.1 Affected: 1.6.0.2 Affected: 1.6.0.3 Affected: 1.6.0.4 Affected: 1.6.0.5 Affected: 1.6.0.6 Affected: 1.6.0.7 Affected: 1.6.0.8 Affected: 1.6.0.9 Affected: 1.6.0.10 Affected: 1.6.0.11 Affected: 1.6.0.12 Affected: 1.6.0.13 Affected: 1.6.0.14 Affected: 1.6.0.15 Affected: 1.6.0.16 Affected: 1.6.0.17 Affected: 1.6.0.18 Affected: 1.6.0.19 Affected: 1.6.0.20 Affected: 1.6.0.21 Affected: 1.6.0.22 cpe:2.3:a:chengdu_everbrite_network_technology:beikeshop:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11462",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T11:10:10.863921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T12:15:15.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:chengdu_everbrite_network_technology:beikeshop:*:*:*:*:*:*:*:*"
],
"modules": [
"Stripe Plugin"
],
"product": "BeikeShop",
"vendor": "Chengdu Everbrite Network Technology",
"versions": [
{
"status": "affected",
"version": "1.6.0.0"
},
{
"status": "affected",
"version": "1.6.0.1"
},
{
"status": "affected",
"version": "1.6.0.2"
},
{
"status": "affected",
"version": "1.6.0.3"
},
{
"status": "affected",
"version": "1.6.0.4"
},
{
"status": "affected",
"version": "1.6.0.5"
},
{
"status": "affected",
"version": "1.6.0.6"
},
{
"status": "affected",
"version": "1.6.0.7"
},
{
"status": "affected",
"version": "1.6.0.8"
},
{
"status": "affected",
"version": "1.6.0.9"
},
{
"status": "affected",
"version": "1.6.0.10"
},
{
"status": "affected",
"version": "1.6.0.11"
},
{
"status": "affected",
"version": "1.6.0.12"
},
{
"status": "affected",
"version": "1.6.0.13"
},
{
"status": "affected",
"version": "1.6.0.14"
},
{
"status": "affected",
"version": "1.6.0.15"
},
{
"status": "affected",
"version": "1.6.0.16"
},
{
"status": "affected",
"version": "1.6.0.17"
},
{
"status": "affected",
"version": "1.6.0.18"
},
{
"status": "affected",
"version": "1.6.0.19"
},
{
"status": "affected",
"version": "1.6.0.20"
},
{
"status": "affected",
"version": "1.6.0.21"
},
{
"status": "affected",
"version": "1.6.0.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Fklov (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. This impacts the function callback of the file plugins/Stripe/Controllers/StripeController.php of the component Stripe Plugin. Performing a manipulation of the argument Request results in improper authorization. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named 6719e0fc690ea0a998452092862e0f0a17c65968. It is suggested to install a patch to address this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-07T22:00:13.496Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369082 | Chengdu Everbrite Network Technology BeikeShop Stripe Plugin StripeController.php callback improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369082"
},
{
"name": "VDB-369082 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369082/cti"
},
{
"name": "CVE-2026-11462 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11462"
},
{
"name": "Submit #831466 | BeikeShop 1.6.0 Design/Logic Flaw",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/831466"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/nuiifornet/BeikeShop-Vulnerability/blob/main/README.md"
},
{
"tags": [
"patch"
],
"url": "https://github.com/beikeshop/beikeshop/commit/6719e0fc690ea0a998452092862e0f0a17c65968"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-07T09:37:27.000Z",
"value": "VulDB entry last update"
}
],
"title": "Chengdu Everbrite Network Technology BeikeShop Stripe Plugin StripeController.php callback improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11462",
"datePublished": "2026-06-07T22:00:13.496Z",
"dateReserved": "2026-06-07T07:32:23.691Z",
"dateUpdated": "2026-06-08T12:15:15.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11441 (GCVE-0-2026-11441)
Vulnerability from cvelistv5 – Published: 2026-06-06 17:45 – Updated: 2026-06-08 16:33| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369021 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369021/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11441 | third-party-advisory |
| https://vuldb.com/submit/822957 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19994142 | related |
| https://github.com/theonedev/onedev/releases/tag/… | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11441",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T14:18:20.406637Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:33:38.173Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*"
],
"modules": [
"Pull Request Handler"
],
"product": "onedev",
"vendor": "theonedev",
"versions": [
{
"status": "affected",
"version": "15.0.0"
},
{
"status": "affected",
"version": "15.0.1"
},
{
"status": "affected",
"version": "15.0.2"
},
{
"status": "affected",
"version": "15.0.3"
},
{
"status": "affected",
"version": "15.0.4"
},
{
"status": "affected",
"version": "15.0.5"
},
{
"status": "unaffected",
"version": "15.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot88 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T17:45:10.650Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369021 | theonedev Pull Request issues canAccessIssue improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369021"
},
{
"name": "VDB-369021 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369021/cti"
},
{
"name": "CVE-2026-11441 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11441"
},
{
"name": "Submit #822957 | theonedev onedev 15.05 BOPLA",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/822957"
},
{
"tags": [
"related"
],
"url": "https://www.cnblogs.com/aibot/p/19994142"
},
{
"tags": [
"patch"
],
"url": "https://github.com/theonedev/onedev/releases/tag/v15.0.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T00:26:22.000Z",
"value": "VulDB entry last update"
}
],
"title": "theonedev Pull Request issues canAccessIssue improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11441",
"datePublished": "2026-06-06T17:45:10.650Z",
"dateReserved": "2026-06-05T22:21:08.343Z",
"dateUpdated": "2026-06-08T16:33:38.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11440 (GCVE-0-2026-11440)
Vulnerability from cvelistv5 – Published: 2026-06-06 17:30 – Updated: 2026-06-08 16:30| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369020 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369020/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11440 | third-party-advisory |
| https://vuldb.com/submit/822956 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19994142 | related |
| https://github.com/theonedev/onedev/releases/tag/… | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11440",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T16:30:36.858335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:30:48.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*"
],
"modules": [
"REST API"
],
"product": "onedev",
"vendor": "theonedev",
"versions": [
{
"status": "affected",
"version": "15.0.0"
},
{
"status": "affected",
"version": "15.0.1"
},
{
"status": "affected",
"version": "15.0.2"
},
{
"status": "affected",
"version": "15.0.3"
},
{
"status": "affected",
"version": "15.0.4"
},
{
"status": "affected",
"version": "15.0.5"
},
{
"status": "unaffected",
"version": "15.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot88 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T17:30:11.510Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369020 | theonedev REST API default-branch improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369020"
},
{
"name": "VDB-369020 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369020/cti"
},
{
"name": "CVE-2026-11440 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11440"
},
{
"name": "Submit #822956 | theonedev onedev 15.05 BOPLA",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/822956"
},
{
"tags": [
"related"
],
"url": "https://www.cnblogs.com/aibot/p/19994142"
},
{
"tags": [
"patch"
],
"url": "https://github.com/theonedev/onedev/releases/tag/v15.0.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T00:26:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "theonedev REST API default-branch improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11440",
"datePublished": "2026-06-06T17:30:11.510Z",
"dateReserved": "2026-06-05T22:21:05.442Z",
"dateUpdated": "2026-06-08T16:30:48.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11439 (GCVE-0-2026-11439)
Vulnerability from cvelistv5 – Published: 2026-06-06 17:15 – Updated: 2026-06-08 15:34| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369019 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369019/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11439 | third-party-advisory |
| https://vuldb.com/submit/822955 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19994142 | related |
| https://github.com/theonedev/onedev/releases/tag/… | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11439",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T15:34:09.209820Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:34:19.882Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*"
],
"modules": [
"Parent Project Handler"
],
"product": "onedev",
"vendor": "theonedev",
"versions": [
{
"status": "affected",
"version": "15.0.0"
},
{
"status": "affected",
"version": "15.0.1"
},
{
"status": "affected",
"version": "15.0.2"
},
{
"status": "affected",
"version": "15.0.3"
},
{
"status": "affected",
"version": "15.0.4"
},
{
"status": "affected",
"version": "15.0.5"
},
{
"status": "unaffected",
"version": "15.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot88 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from remote. Upgrading to version 15.0.6 can resolve this issue. It is recommended to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T17:15:08.905Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369019 | theonedev Parent Project projects improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369019"
},
{
"name": "VDB-369019 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369019/cti"
},
{
"name": "CVE-2026-11439 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11439"
},
{
"name": "Submit #822955 | theonedev onedev 15.05 BOPLA",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/822955"
},
{
"tags": [
"related"
],
"url": "https://www.cnblogs.com/aibot/p/19994142"
},
{
"tags": [
"patch"
],
"url": "https://github.com/theonedev/onedev/releases/tag/v15.0.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T00:26:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "theonedev Parent Project projects improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11439",
"datePublished": "2026-06-06T17:15:08.905Z",
"dateReserved": "2026-06-05T22:21:02.958Z",
"dateUpdated": "2026-06-08T15:34:19.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11438 (GCVE-0-2026-11438)
Vulnerability from cvelistv5 – Published: 2026-06-06 17:00 – Updated: 2026-06-08 15:34| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369018 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369018/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11438 | third-party-advisory |
| https://vuldb.com/submit/822944 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19994142 | related |
| https://github.com/theonedev/onedev/releases/tag/… | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T15:34:41.417873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:34:51.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*"
],
"product": "onedev",
"vendor": "theonedev",
"versions": [
{
"status": "affected",
"version": "15.0.0"
},
{
"status": "affected",
"version": "15.0.1"
},
{
"status": "affected",
"version": "15.0.2"
},
{
"status": "affected",
"version": "15.0.3"
},
{
"status": "affected",
"version": "15.0.4"
},
{
"status": "affected",
"version": "15.0.5"
},
{
"status": "unaffected",
"version": "15.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot88 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T17:00:14.794Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369018 | theonedev projects improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369018"
},
{
"name": "VDB-369018 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369018/cti"
},
{
"name": "CVE-2026-11438 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11438"
},
{
"name": "Submit #822944 | theonedev onedev 15.05 BOPLA",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/822944"
},
{
"tags": [
"related"
],
"url": "https://www.cnblogs.com/aibot/p/19994142"
},
{
"tags": [
"patch"
],
"url": "https://github.com/theonedev/onedev/releases/tag/v15.0.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-06T00:26:13.000Z",
"value": "VulDB entry last update"
}
],
"title": "theonedev projects improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11438",
"datePublished": "2026-06-06T17:00:14.794Z",
"dateReserved": "2026-06-05T22:21:00.483Z",
"dateUpdated": "2026-06-08T15:34:51.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11336 (GCVE-0-2026-11336)
Vulnerability from cvelistv5 – Published: 2026-06-05 15:00 – Updated: 2026-06-09 16:02| URL | Tags |
|---|---|
| https://vuldb.com/vuln/368874 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/368874/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11336 | third-party-advisory |
| https://vuldb.com/submit/832582 | third-party-advisory |
| https://github.com/tittuvarghese/CollegeManagemen… | exploitissue-tracking |
| https://github.com/tittuvarghese/CollegeManagemen… | product |
| Vendor | Product | Version | |
|---|---|---|---|
| tittuvarghese | CollegeManagementSystem |
Affected:
3e476335cfbfb9a049e09f474c7ec885f69a9df3
Affected: a38852979f7e27ae67b610dce5979500ef8ebe01 cpe:2.3:a:tittuvarghese:collegemanagementsystem:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11336",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T16:02:22.407484Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:02:40.216Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/submit/832582"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:tittuvarghese:collegemanagementsystem:*:*:*:*:*:*:*:*"
],
"modules": [
"Admin Interface"
],
"product": "CollegeManagementSystem",
"vendor": "tittuvarghese",
"versions": [
{
"status": "affected",
"version": "3e476335cfbfb9a049e09f474c7ec885f69a9df3"
},
{
"status": "affected",
"version": "a38852979f7e27ae67b610dce5979500ef8ebe01"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "wea5e1 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the component Admin Interface. The manipulation of the argument UserAuthData leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T15:00:16.287Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-368874 | tittuvarghese CollegeManagementSystem Admin admin_page.php improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/368874"
},
{
"name": "VDB-368874 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/368874/cti"
},
{
"name": "CVE-2026-11336 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11336"
},
{
"name": "Submit #832582 | tittuvarghese CollegeManagementSystem 1.0 Privilege Escalation",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/832582"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/tittuvarghese/CollegeManagementSystem/issues/5"
},
{
"tags": [
"product"
],
"url": "https://github.com/tittuvarghese/CollegeManagementSystem/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-05T10:15:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "tittuvarghese CollegeManagementSystem Admin admin_page.php improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11336",
"datePublished": "2026-06-05T15:00:16.287Z",
"dateReserved": "2026-06-05T08:10:07.777Z",
"dateUpdated": "2026-06-09T16:02:40.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10876 (GCVE-0-2026-10876)
Vulnerability from cvelistv5 – Published: 2026-06-04 23:30 – Updated: 2026-06-08 15:53 X_Freeware| URL | Tags |
|---|---|
| https://vuldb.com/vuln/368366 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/368366/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10876 | third-party-advisory |
| https://vuldb.com/submit/831870 | third-party-advisory |
| https://medium.com/@hemantrajbhati5555/missing-au… | broken-linkexploit |
| https://www.sourcecodester.com/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Ship Ferry Ticket Reservation System |
Affected:
1.0
cpe:2.3:a:sourcecodester:ship_ferry_ticket_reservation_system:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10876",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T15:52:58.314177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:53:11.077Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:ship_ferry_ticket_reservation_system:*:*:*:*:*:*:*:*"
],
"product": "Ship Ferry Ticket Reservation System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Hemant Raj Bhati (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in SourceCodester Ship Ferry Ticket Reservation System 1.0. This affects an unknown function of the file /admin/. This manipulation of the argument page causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T23:30:10.693Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-368366 | SourceCodester Ship Ferry Ticket Reservation System admin improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/368366"
},
{
"name": "VDB-368366 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/368366/cti"
},
{
"name": "CVE-2026-10876 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10876"
},
{
"name": "Submit #831870 | SourceCodester Ship/Ferry Ticket Reservation System 1.0 Broken Access Control",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/831870"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://medium.com/@hemantrajbhati5555/missing-authorization-in-sourcecodester-ship-ferry-ticket-reservation-system-leads-to-unauthorized-7783134d6596"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-06-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-04T17:42:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Ship Ferry Ticket Reservation System admin improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10876",
"datePublished": "2026-06-04T23:30:10.693Z",
"dateReserved": "2026-06-04T15:37:09.025Z",
"dateUpdated": "2026-06-08T15:53:11.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10693 (GCVE-0-2026-10693)
Vulnerability from cvelistv5 – Published: 2026-06-03 00:00 – Updated: 2026-06-03 14:07 X_Freeware| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367962 | vdb-entry |
| https://vuldb.com/vuln/367962/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10693 | third-party-advisory |
| https://vuldb.com/submit/830894 | third-party-advisory |
| https://medium.com/@hemantrajbhati5555/broken-acc… | broken-linkexploit |
| https://www.sourcecodester.com/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Online Boat Reservation System |
Affected:
1.0
cpe:2.3:a:sourcecodester:online_boat_reservation_system:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10693",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T13:17:37.731971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T14:07:35.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:online_boat_reservation_system:*:*:*:*:*:*:*:*"
],
"modules": [
"Administrative Endpoint"
],
"product": "Online Boat Reservation System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Hemant Raj Bhati (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the component Administrative Endpoint. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Multiple endpoints are affected."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T00:00:12.858Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367962 | SourceCodester Online Boat Reservation System Administrative Endpoint improper authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/367962"
},
{
"name": "VDB-367962 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367962/cti"
},
{
"name": "CVE-2026-10693 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10693"
},
{
"name": "Submit #830894 | SourceCodester Online Boat Reservation System 1.0 Broken Access Control",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/830894"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://medium.com/@hemantrajbhati5555/broken-access-control-in-sourcecodester-online-boat-reservation-system-1-0-4ed0380d2222"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-06-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-02T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-02T17:49:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Online Boat Reservation System Administrative Endpoint improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10693",
"datePublished": "2026-06-03T00:00:12.858Z",
"dateReserved": "2026-06-02T15:44:47.102Z",
"dateUpdated": "2026-06-03T14:07:35.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.