CWE-266
AllowedIncorrect Privilege Assignment
Abstraction: Base · Status: Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
1913 vulnerabilities reference this CWE, most recent first.
CVE-2026-10294 (GCVE-0-2026-10294)
Vulnerability from cvelistv5 – Published: 2026-06-01 21:30 – Updated: 2026-06-02 12:31| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367587 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367587/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10294 | third-party-advisory |
| https://vuldb.com/submit/826470 | third-party-advisory |
| https://github.com/PackageKit/PackageKit/issues/969 | exploitissue-tracking |
| https://github.com/PackageKit/PackageKit/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | PackageKit |
Affected:
1.3.0
Affected: 1.3.1 Affected: 1.3.2 Affected: 1.3.3 Affected: 1.3.4 Affected: 1.3.5 cpe:2.3:a:packagekit:packagekit:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10294",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T12:30:53.226732Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T12:31:04.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:packagekit:packagekit:*:*:*:*:*:*:*:*"
],
"modules": [
"API"
],
"product": "PackageKit",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "1.3.0"
},
{
"status": "affected",
"version": "1.3.1"
},
{
"status": "affected",
"version": "1.3.2"
},
{
"status": "affected",
"version": "1.3.3"
},
{
"status": "affected",
"version": "1.3.4"
},
{
"status": "affected",
"version": "1.3.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Rosa Yu (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in PackageKit up to 1.3.5. Affected is the function g_file_test of the file src/pk-transaction.c of the component API. Such manipulation of the argument frontend-socket leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T21:30:08.461Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367587 | PackageKit API pk-transaction.c g_file_test improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367587"
},
{
"name": "VDB-367587 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367587/cti"
},
{
"name": "CVE-2026-10294 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10294"
},
{
"name": "Submit #826470 | PackageKit v1.3.5 Incorrect Use of Privileged APIs",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/826470"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/PackageKit/PackageKit/issues/969"
},
{
"tags": [
"product"
],
"url": "https://github.com/PackageKit/PackageKit/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T19:58:28.000Z",
"value": "VulDB entry last update"
}
],
"title": "PackageKit API pk-transaction.c g_file_test improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10294",
"datePublished": "2026-06-01T21:30:08.461Z",
"dateReserved": "2026-05-31T17:52:58.886Z",
"dateUpdated": "2026-06-02T12:31:04.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10285 (GCVE-0-2026-10285)
Vulnerability from cvelistv5 – Published: 2026-06-01 19:15 – Updated: 2026-06-02 12:22| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367578 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367578/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10285 | third-party-advisory |
| https://vuldb.com/submit/825475 | third-party-advisory |
| https://github.com/devaslanphp/project-management… | broken-linkissue-tracking |
| https://github.com/devaslanphp/project-management/ | broken-linkproduct |
| Vendor | Product | Version | |
|---|---|---|---|
| DevaslanPHP | project-management |
Affected:
2.0.0-beta1
cpe:2.3:a:devaslanphp:project-management:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10285",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T12:21:46.930341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T12:22:08.130Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:devaslanphp:project-management:*:*:*:*:*:*:*:*"
],
"modules": [
"Ticket Handler"
],
"product": "project-management",
"vendor": "DevaslanPHP",
"versions": [
{
"status": "affected",
"version": "2.0.0-beta1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mitchell_45 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:ND/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:15:26.718Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367578 | DevaslanPHP project-management Ticket KanbanScrumHelper.php recordUpdated improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367578"
},
{
"name": "VDB-367578 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367578/cti"
},
{
"name": "CVE-2026-10285 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10285"
},
{
"name": "Submit #825475 | devaslanphp project-management \u003c 2.0.0-beta1 Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825475"
},
{
"tags": [
"broken-link",
"issue-tracking"
],
"url": "https://github.com/devaslanphp/project-management/issues/141"
},
{
"tags": [
"broken-link",
"product"
],
"url": "https://github.com/devaslanphp/project-management/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T18:35:20.000Z",
"value": "VulDB entry last update"
}
],
"title": "DevaslanPHP project-management Ticket KanbanScrumHelper.php recordUpdated improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10285",
"datePublished": "2026-06-01T19:15:26.718Z",
"dateReserved": "2026-05-31T16:30:13.123Z",
"dateUpdated": "2026-06-02T12:22:08.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10284 (GCVE-0-2026-10284)
Vulnerability from cvelistv5 – Published: 2026-06-01 19:00 – Updated: 2026-06-03 16:04| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367577 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367577/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10284 | third-party-advisory |
| https://vuldb.com/submit/825473 | third-party-advisory |
| https://github.com/devaslanphp/project-management… | issue-tracking |
| https://github.com/devaslanphp/project-management/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| DevaslanPHP | project-management |
Affected:
2.0.0-beta1
cpe:2.3:a:devaslanphp:project-management:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10284",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T16:04:38.299070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T16:04:54.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:devaslanphp:project-management:*:*:*:*:*:*:*:*"
],
"modules": [
"Livewire Handler"
],
"product": "project-management",
"vendor": "DevaslanPHP",
"versions": [
{
"status": "affected",
"version": "2.0.0-beta1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mitchell45 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:ND/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:00:09.664Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367577 | DevaslanPHP project-management Livewire ViewTicket.php doDeleteComment improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367577"
},
{
"name": "VDB-367577 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367577/cti"
},
{
"name": "CVE-2026-10284 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10284"
},
{
"name": "Submit #825473 | devaslanphp project-management \u003c 2.0.0-beta1 Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825473"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/devaslanphp/project-management/issues/140"
},
{
"tags": [
"product"
],
"url": "https://github.com/devaslanphp/project-management/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T18:35:17.000Z",
"value": "VulDB entry last update"
}
],
"title": "DevaslanPHP project-management Livewire ViewTicket.php doDeleteComment improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10284",
"datePublished": "2026-06-01T19:00:09.664Z",
"dateReserved": "2026-05-31T16:30:10.696Z",
"dateUpdated": "2026-06-03T16:04:54.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10282 (GCVE-0-2026-10282)
Vulnerability from cvelistv5 – Published: 2026-06-01 18:30 – Updated: 2026-06-01 19:36| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367575 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367575/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10282 | third-party-advisory |
| https://vuldb.com/submit/825439 | third-party-advisory |
| https://vuldb.com/submit/825440 | third-party-advisory |
| https://github.com/Bottelet/DaybydayCRM/issues/347 | issue-tracking |
| https://github.com/Bottelet/DaybydayCRM/pull/362 | issue-trackingpatch |
| https://github.com/Bottelet/DaybydayCRM/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| Bottelet | DaybydayCRM |
Affected:
2.2.0
Affected: 2.2.1 cpe:2.3:a:bottelet:daybydaycrm:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10282",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:35:56.101906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:36:10.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:bottelet:daybydaycrm:*:*:*:*:*:*:*:*"
],
"product": "DaybydayCRM",
"vendor": "Bottelet",
"versions": [
{
"status": "affected",
"version": "2.2.0"
},
{
"status": "affected",
"version": "2.2.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mitchell45 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to improper authorization. The attack may be launched remotely. It is best practice to apply a patch to resolve this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T18:30:13.342Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367575 | Bottelet DaybydayCRM DocumentsController.php view improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367575"
},
{
"name": "VDB-367575 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367575/cti"
},
{
"name": "CVE-2026-10282 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10282"
},
{
"name": "Submit #825439 | Bottelet DaybydayCRM \u003c= 2.2.1 Insecure Direct Object Reference (IDOR) / Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825439"
},
{
"name": "Submit #825440 | Bottelet DaybydayCRM \u003c= 2.2.1 Improper Authorization (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825440"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Bottelet/DaybydayCRM/issues/347"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/Bottelet/DaybydayCRM/pull/362"
},
{
"tags": [
"product"
],
"url": "https://github.com/Bottelet/DaybydayCRM/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T18:31:04.000Z",
"value": "VulDB entry last update"
}
],
"title": "Bottelet DaybydayCRM DocumentsController.php view improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10282",
"datePublished": "2026-06-01T18:30:13.342Z",
"dateReserved": "2026-05-31T16:25:56.939Z",
"dateUpdated": "2026-06-01T19:36:10.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10277 (GCVE-0-2026-10277)
Vulnerability from cvelistv5 – Published: 2026-06-01 17:15 – Updated: 2026-06-01 19:34 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367570 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367570/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10277 | third-party-advisory |
| https://vuldb.com/submit/825416 | third-party-advisory |
| https://github.com/j3k0/mcp-google-workspace/issues/19 | exploitissue-tracking |
| https://github.com/j3k0/mcp-google-workspace/pull/22 | issue-trackingpatch |
| https://github.com/j3k0/mcp-google-workspace/comm… | patch |
| https://github.com/j3k0/mcp-google-workspace/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| j3k0 | mcp-google-workspace |
Affected:
831790e7d5c2663325733d9f5579cc339a267c4c
cpe:2.3:a:j3k0:mcp-google-workspace:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10277",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:34:18.811378Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:34:35.621Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:j3k0:mcp-google-workspace:*:*:*:*:*:*:*:*"
],
"modules": [
"MCP Gmail Tool"
],
"product": "mcp-google-workspace",
"vendor": "j3k0",
"versions": [
{
"status": "affected",
"version": "831790e7d5c2663325733d9f5579cc339a267c4c"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ccccccctfi (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in j3k0 mcp-google-workspace up to 831790e7d5c2663325733d9f5579cc339a267c4c. This issue affects the function saveToDisk of the file src/tools/gmail.ts of the component MCP Gmail Tool. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 89c091ecf8b9f9c7291d1af0b1966e271f86551c. It is suggested to install a patch to address this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:15:10.146Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367570 | j3k0 mcp-google-workspace MCP Gmail Tool gmail.ts saveToDisk access control",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367570"
},
{
"name": "VDB-367570 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367570/cti"
},
{
"name": "CVE-2026-10277 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10277"
},
{
"name": "Submit #825416 | j3k0 mcp-google-workspace 1.0.0 Arbitrary File Write",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825416"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/j3k0/mcp-google-workspace/issues/19"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/j3k0/mcp-google-workspace/pull/22"
},
{
"tags": [
"patch"
],
"url": "https://github.com/j3k0/mcp-google-workspace/commit/89c091ecf8b9f9c7291d1af0b1966e271f86551c"
},
{
"tags": [
"product"
],
"url": "https://github.com/j3k0/mcp-google-workspace/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T18:11:11.000Z",
"value": "VulDB entry last update"
}
],
"title": "j3k0 mcp-google-workspace MCP Gmail Tool gmail.ts saveToDisk access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10277",
"datePublished": "2026-06-01T17:15:10.146Z",
"dateReserved": "2026-05-31T16:06:06.795Z",
"dateUpdated": "2026-06-01T19:34:35.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10272 (GCVE-0-2026-10272)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:00 – Updated: 2026-06-01 17:47| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367551 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367551/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10272 | third-party-advisory |
| https://vuldb.com/submit/825241 | third-party-advisory |
| https://github.com/a4m4/Student-Management-System… | exploitissue-tracking |
| Vendor | Product | Version | |
|---|---|---|---|
| a4m4 | Student-Management-System |
Affected:
f0c5f6842c5e8c431ff02b5260a565ca844df3a0
cpe:2.3:a:a4m4:student-management-system:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10272",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T17:46:52.999822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T17:47:00.257Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:a4m4:student-management-system:*:*:*:*:*:*:*:*"
],
"product": "Student-Management-System",
"vendor": "a4m4",
"versions": [
{
"status": "affected",
"version": "f0c5f6842c5e8c431ff02b5260a565ca844df3a0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "oxygen (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The impacted element is an unknown function of the file admin/deleteform.php. Such manipulation of the argument sid leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.4,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:00:09.387Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367551 | a4m4 Student-Management-System deleteform.php improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367551"
},
{
"name": "VDB-367551 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367551/cti"
},
{
"name": "CVE-2026-10272 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10272"
},
{
"name": "Submit #825241 | a4m4 Student-Management-System--PHP- 1.0 Unauthenticated Access",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825241"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/a4m4/Student-Management-System--PHP-/issues/3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T16:21:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "a4m4 Student-Management-System deleteform.php improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10272",
"datePublished": "2026-06-01T16:00:09.387Z",
"dateReserved": "2026-05-31T14:16:11.213Z",
"dateUpdated": "2026-06-01T17:47:00.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10269 (GCVE-0-2026-10269)
Vulnerability from cvelistv5 – Published: 2026-06-01 15:15 – Updated: 2026-06-01 19:26 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367548 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367548/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10269 | third-party-advisory |
| https://vuldb.com/submit/825188 | third-party-advisory |
| https://github.com/decolua/9router/issues/742 | issue-tracking |
| https://github.com/decolua/9router/commit/428e2c0… | patch |
| https://github.com/decolua/9router/releases/tag/v0.4.1 | patch |
| https://github.com/decolua/9router/ | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10269",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:26:23.888695Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:26:34.067Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:h:decolua:9router:*:*:*:*:*:*:*:*"
],
"modules": [
"HTTP Header Handler"
],
"product": "9router",
"vendor": "decolua",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2"
},
{
"status": "affected",
"version": "0.3"
},
{
"status": "affected",
"version": "0.4.0"
},
{
"status": "unaffected",
"version": "0.4.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "brad (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T15:15:09.660Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367548 | decolua 9router HTTP Header dashboardGuard.js isAuthenticated improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367548"
},
{
"name": "VDB-367548 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367548/cti"
},
{
"name": "CVE-2026-10269 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10269"
},
{
"name": "Submit #825188 | decolua 9router \u003e= 0.2.72, \u003c 0.4.1 Origin Validation Error",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/825188"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/decolua/9router/issues/742"
},
{
"tags": [
"patch"
],
"url": "https://github.com/decolua/9router/commit/428e2c045cb9c0eb8080e8b580471a9c2eaa95ca"
},
{
"tags": [
"patch"
],
"url": "https://github.com/decolua/9router/releases/tag/v0.4.1"
},
{
"tags": [
"product"
],
"url": "https://github.com/decolua/9router/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T16:16:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "decolua 9router HTTP Header dashboardGuard.js isAuthenticated improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10269",
"datePublished": "2026-06-01T15:15:09.660Z",
"dateReserved": "2026-05-31T14:09:33.434Z",
"dateUpdated": "2026-06-01T19:26:34.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10255 (GCVE-0-2026-10255)
Vulnerability from cvelistv5 – Published: 2026-06-01 12:00 – Updated: 2026-06-01 14:58 X_Freeware| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367533 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367533/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10255 | third-party-advisory |
| https://vuldb.com/submit/824148 | third-party-advisory |
| https://github.com/timeflies123/cve/issues/7 | exploitissue-tracking |
| https://www.sourcecodester.com/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Pharmacy Sales and Inventory System |
Affected:
1.0
cpe:2.3:a:sourcecodester:pharmacy_sales_and_inventory_system:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10255",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T14:56:39.947916Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T14:58:07.471Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:pharmacy_sales_and_inventory_system:*:*:*:*:*:*:*:*"
],
"product": "Pharmacy Sales and Inventory System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "timeflies (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is the function sell_statement of the file application/controllers/ShowForm.php. Such manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T12:00:07.625Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367533 | SourceCodester Pharmacy Sales and Inventory System ShowForm.php sell_statement access control",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367533"
},
{
"name": "VDB-367533 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367533/cti"
},
{
"name": "CVE-2026-10255 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10255"
},
{
"name": "Submit #824148 | SourceCodester Pharmacy Sales and Inventory System 1.0 Information Disclosure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/824148"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/timeflies123/cve/issues/7"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T14:37:09.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Pharmacy Sales and Inventory System ShowForm.php sell_statement access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10255",
"datePublished": "2026-06-01T12:00:07.625Z",
"dateReserved": "2026-05-31T12:32:01.559Z",
"dateUpdated": "2026-06-01T14:58:07.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10236 (GCVE-0-2026-10236)
Vulnerability from cvelistv5 – Published: 2026-06-01 07:30 – Updated: 2026-06-01 15:23 X_Freeware| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367515 | vdb-entry |
| https://vuldb.com/vuln/367515/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10236 | third-party-advisory |
| https://vuldb.com/submit/823134 | third-party-advisory |
| https://github.com/renzortega1337/Security-Resear… | broken-linkexploit |
| https://www.sourcecodester.com/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Water Billing Management System |
Affected:
1.0
cpe:2.3:a:sourcecodester:water_billing_management_system:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10236",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T15:04:00.299971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T15:23:25.357Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:water_billing_management_system:*:*:*:*:*:*:*:*"
],
"modules": [
"User Management Endpoint"
],
"product": "Water Billing Management System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "renzortega1337 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in SourceCodester Water Billing Management System 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save of the component User Management Endpoint. Such manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T07:30:10.116Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367515 | SourceCodester Water Billing Management System User Management Endpoint Users.php save improper authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/367515"
},
{
"name": "VDB-367515 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367515/cti"
},
{
"name": "CVE-2026-10236 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10236"
},
{
"name": "Submit #823134 | SourceCodester Water Billing Management System in PHP/OOP Free Source Code 1.0 Authorization Bypass",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/823134"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://github.com/renzortega1337/Security-Research-/blob/main/Unauthenticated%20Admin%20Creation%20in%20PHP%20System.md"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T10:29:07.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Water Billing Management System User Management Endpoint Users.php save improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10236",
"datePublished": "2026-06-01T07:30:10.116Z",
"dateReserved": "2026-05-31T08:23:59.618Z",
"dateUpdated": "2026-06-01T15:23:25.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10218 (GCVE-0-2026-10218)
Vulnerability from cvelistv5 – Published: 2026-06-01 03:00 – Updated: 2026-06-01 15:23| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367497 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367497/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10218 | third-party-advisory |
| https://vuldb.com/submit/821938 | third-party-advisory |
| https://github.com/nextlevelbuilder/goclaw/issues/1120 | exploitissue-tracking |
| https://github.com/nextlevelbuilder/goclaw/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| nextlevelbuilder | GoClaw |
Affected:
3.11.0
Affected: 3.11.1 Affected: 3.11.2 Affected: 3.11.3 cpe:2.3:a:nextlevelbuilder:goclaw:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10218",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T15:14:55.309056Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T15:23:44.847Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:nextlevelbuilder:goclaw:*:*:*:*:*:*:*:*"
],
"product": "GoClaw",
"vendor": "nextlevelbuilder",
"versions": [
{
"status": "affected",
"version": "3.11.0"
},
{
"status": "affected",
"version": "3.11.1"
},
{
"status": "affected",
"version": "3.11.2"
},
{
"status": "affected",
"version": "3.11.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-b (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in nextlevelbuilder GoClaw up to 3.11.3. This affects the function auth of the file internal/http/evolution_handlers.go. Such manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project tagged the reported issue as bug."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T03:00:12.820Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367497 | nextlevelbuilder GoClaw evolution_handlers.go auth improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367497"
},
{
"name": "VDB-367497 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367497/cti"
},
{
"name": "CVE-2026-10218 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10218"
},
{
"name": "Submit #821938 | nextlevelbuilder goclaw \u003c= v3.11.3 Improper Authorization (CWE-285)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/821938"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/nextlevelbuilder/goclaw/issues/1120"
},
{
"tags": [
"product"
],
"url": "https://github.com/nextlevelbuilder/goclaw/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T09:46:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "nextlevelbuilder GoClaw evolution_handlers.go auth improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10218",
"datePublished": "2026-06-01T03:00:12.820Z",
"dateReserved": "2026-05-31T07:41:01.502Z",
"dateUpdated": "2026-06-01T15:23:44.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.