<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-07-11T20:38:37.128835+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the most 10 recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/13bd744d-4b9a-45c4-9052-3f139a972603/export</id>
    <title>13bd744d-4b9a-45c4-9052-3f139a972603</title>
    <updated>2026-07-11T20:38:37.149390+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "13bd744d-4b9a-45c4-9052-3f139a972603", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-53634", "type": "seen", "source": "https://gist.github.com/alon710/f5073530cad3dd719e641dcee2ba88b8", "content": "# CVE-2026-53634: CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller\n\n&amp;gt; **CVSS Score:** 4.3\n&amp;gt; **Published:** 2026-07-08\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-53634\n\n## Summary\nCode16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.\n\n## TL;DR\nAn authenticated but unauthorized user can bypass Laravel authorization checks to retrieve configuration forms and submit records via Code16 Sharp's Quick Creation Command feature.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-862\n- **Attack Vector**: Network (AV:N)\n- **CVSS Base Score**: 4.3 (Medium)\n- **EPSS Score**: 0.00213\n- **Impact**: Low Integrity Impact (Privilege Escalation)\n- **Exploit Status**: Proof of Concept and patch details available, no active exploitation in the wild\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Code16 Sharp\n- **Code16 Sharp**: &amp;gt;= 9.0.0, &amp;lt; 9.22.3 (Fixed in: `9.22.3`)\n\n## Mitigation\n\n- Upgrade Code16 Sharp package dependencies to version 9.22.3 or higher.\n- Review permission mapping policies for all models linked with Quick Creation Command features.\n\n**Remediation Steps:**\n1. Analyze the current installed version of the package in composer.json.\n2. Run 'composer update code16/sharp' inside your production deployment pipeline.\n3. Execute automated integration tests with simulated low-privilege sessions to confirm 403 response behaviors.\n\n## References\n\n- [NVD - CVE-2026-53634 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-53634)\n- [GitHub Security Advisory - GHSA-vmwx-m75v-qvch](https://github.com/code16/sharp/security/advisories/GHSA-vmwx-m75v-qvch)\n- [GitHub Pull Request 729](https://github.com/code16/sharp/pull/729)\n- [Fix Commit aa18a85fd8fef830988a336cad2278986729d21a](https://github.com/code16/sharp/commit/aa18a85fd8fef830988a336cad2278986729d21a)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-53634) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-08T22:12:23.393039Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/13bd744d-4b9a-45c4-9052-3f139a972603/export"/>
    <published>2026-07-08T22:12:23.393039+00:00</published>
  </entry>
</feed>
