Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-266
Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CVE-2026-14794 (GCVE-0-2026-14794)
Vulnerability from cvelistv5 – Published: 2026-07-06 03:45 – Updated: 2026-07-06 13:05 X_Freeware
VLAI
EPSS
VEX
Title
Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization
Summary
A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is possible to be carried out remotely. Upgrading to version 4.18.1 addresses this issue. Patch name: 9ee53efc1314e6aba32771c66a13e072a246f4ce. It is suggested to upgrade the affected component.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/376388 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/376388/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-14794 | third-party-advisory |
| https://vuldb.com/submit/850793 | third-party-advisory |
| https://github.com/craftcms/cms/commit/9ee53efc13… | patch |
| https://github.com/craftcms/cms/releases/tag/4.18.1 | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14794",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T13:05:13.735519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T13:05:23.079Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:craft:cms:*:*:*:*:*:*:*:*"
],
"modules": [
"Charts Endpoint"
],
"product": "CMS",
"vendor": "Craft",
"versions": [
{
"status": "affected",
"version": "4.18.0.0"
},
{
"status": "affected",
"version": "4.18.0.1"
},
{
"status": "unaffected",
"version": "4.18.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "geochen (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is possible to be carried out remotely. Upgrading to version 4.18.1 addresses this issue. Patch name: 9ee53efc1314e6aba32771c66a13e072a246f4ce. It is suggested to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T03:45:09.182Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-376388 | Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/376388"
},
{
"name": "VDB-376388 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/376388/cti"
},
{
"name": "CVE-2026-14794 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-14794"
},
{
"name": "Submit #850793 | Craftcms CMS 5.10.1 Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/850793"
},
{
"tags": [
"patch"
],
"url": "https://github.com/craftcms/cms/commit/9ee53efc1314e6aba32771c66a13e072a246f4ce"
},
{
"tags": [
"patch"
],
"url": "https://github.com/craftcms/cms/releases/tag/4.18.1"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-05T20:34:33.000Z",
"value": "VulDB entry last update"
}
],
"title": "Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-14794",
"datePublished": "2026-07-06T03:45:09.182Z",
"dateReserved": "2026-07-05T18:29:29.737Z",
"dateUpdated": "2026-07-06T13:05:23.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15188 (GCVE-0-2026-15188)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:15 – Updated: 2026-07-09 16:15
VLAI
EPSS
VEX
Title
manjurulhoque django-job-portal Employee Dashboard Endpoint views.py EditEmployeeProfileAPIView access control
Summary
A weakness has been identified in manjurulhoque django-job-portal up to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f. Affected by this vulnerability is the function EditEmployeeProfileAPIView of the file accounts/api/views.py of the component Employee Dashboard Endpoint. This manipulation of the argument role causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377114 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377114/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15188 | third-party-advisory |
| https://vuldb.com/submit/851436 | third-party-advisory |
| https://github.com/manjurulhoque/django-job-porta… | exploitissue-tracking |
| https://github.com/manjurulhoque/django-job-portal/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| manjurulhoque | django-job-portal |
Affected:
dfa352f305bba44445ac5dc12e9b2a98c9dcd71f
cpe:2.3:a:manjurulhoque:django-job-portal:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15188",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:14:54.647534Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:15:01.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:manjurulhoque:django-job-portal:*:*:*:*:*:*:*:*"
],
"modules": [
"Employee Dashboard Endpoint"
],
"product": "django-job-portal",
"vendor": "manjurulhoque",
"versions": [
{
"status": "affected",
"version": "dfa352f305bba44445ac5dc12e9b2a98c9dcd71f"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "AliceS614 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in manjurulhoque django-job-portal up to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f. Affected by this vulnerability is the function EditEmployeeProfileAPIView of the file accounts/api/views.py of the component Employee Dashboard Endpoint. This manipulation of the argument role causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:15:08.172Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377114 | manjurulhoque django-job-portal Employee Dashboard Endpoint views.py EditEmployeeProfileAPIView access control",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377114"
},
{
"name": "VDB-377114 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377114/cti"
},
{
"name": "CVE-2026-15188 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15188"
},
{
"name": "Submit #851436 | manjurulhoque/django-job-portal dfa352f305bba44445ac5dc12e9b2a98c9dcd71f Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/851436"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/manjurulhoque/django-job-portal/issues/91"
},
{
"tags": [
"product"
],
"url": "https://github.com/manjurulhoque/django-job-portal/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T07:23:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "manjurulhoque django-job-portal Employee Dashboard Endpoint views.py EditEmployeeProfileAPIView access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15188",
"datePublished": "2026-07-09T15:15:08.172Z",
"dateReserved": "2026-07-09T05:18:48.629Z",
"dateUpdated": "2026-07-09T16:15:01.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15270 (GCVE-0-2026-15270)
Vulnerability from cvelistv5 – Published: 2026-07-09 19:45 – Updated: 2026-07-10 20:32
VLAI
EPSS
VEX
Title
D-link DIR-823G Web boa.conf least privilege violation
Summary
A weakness has been identified in D-link DIR-823G 1.0.2B05_20181207. Affected by this vulnerability is an unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. Executing a manipulation can lead to least privilege violation. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377213 | vdb-entry |
| https://vuldb.com/vuln/377213/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15270 | third-party-advisory |
| https://vuldb.com/submit/852314 | third-party-advisory |
| https://app.notion.com/p/DIR823G-V1-0-2B05_201812… | exploit |
| https://www.dlink.com/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15270",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T19:09:52.964919Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:32:20.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:h:d-link:dir-823g:*:*:*:*:*:*:*:*"
],
"modules": [
"Web Interface"
],
"product": "DIR-823G",
"vendor": "D-link",
"versions": [
{
"status": "affected",
"version": "1.0.2B05_20181207"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L-14 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in D-link DIR-823G 1.0.2B05_20181207. Affected by this vulnerability is an unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. Executing a manipulation can lead to least privilege violation. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.1,
"vectorString": "AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-272",
"description": "Least Privilege Violation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T19:45:08.076Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377213 | D-link DIR-823G Web boa.conf least privilege violation",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/377213"
},
{
"name": "VDB-377213 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377213/cti"
},
{
"name": "CVE-2026-15270 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15270"
},
{
"name": "Submit #852314 | D-link DIR823G DIR823G V1.0.2B05_20181207 Misconfiguration in DIR823G",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852314"
},
{
"tags": [
"exploit"
],
"url": "https://app.notion.com/p/DIR823G-V1-0-2B05_20181207-37a1f5ba989080f2a043c60d2cfc7499?source=copy_link"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T16:54:00.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-link DIR-823G Web boa.conf least privilege violation"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15270",
"datePublished": "2026-07-09T19:45:08.076Z",
"dateReserved": "2026-07-09T14:48:56.967Z",
"dateUpdated": "2026-07-10T20:32:20.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15271 (GCVE-0-2026-15271)
Vulnerability from cvelistv5 – Published: 2026-07-09 21:30 – Updated: 2026-07-10 13:37
VLAI
EPSS
VEX
Title
TOTOLINK EX200 Web boa.conf least privilege violation
Summary
A security vulnerability has been detected in TOTOLINK A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10 and EX200 up to 20260906. Affected by this issue is some unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. The manipulation leads to least privilege violation. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
12 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377214 | vdb-entry |
| https://vuldb.com/vuln/377214/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15271 | third-party-advisory |
| https://vuldb.com/submit/852316 | third-party-advisory |
| https://vuldb.com/submit/852317 | third-party-advisory |
| https://vuldb.com/submit/852318 | third-party-advisory |
| https://vuldb.com/submit/852319 | third-party-advisory |
| https://vuldb.com/submit/852320 | third-party-advisory |
| https://vuldb.com/submit/852321 | third-party-advisory |
| https://vuldb.com/submit/852323 | third-party-advisory |
| https://app.notion.com/p/A3000RU-V5-9c-5185-37a1f… | related |
| https://www.totolink.net/ | product |
Impacted products
7 products
| Vendor | Product | Version | |
|---|---|---|---|
| TOTOLINK | A3000RU |
Affected:
20260906
cpe:2.3:a:totolink:a3000ru:*:*:*:*:*:*:*:* |
|
| TOTOLINK | A3100R |
Affected:
20260906
cpe:2.3:a:totolink:a3100r:*:*:*:*:*:*:*:* |
|
| TOTOLINK | A950RG |
Affected:
20260906
cpe:2.3:a:totolink:a950rg:*:*:*:*:*:*:*:* |
|
| TOTOLINK | AC1200T10 |
Affected:
20260906
cpe:2.3:a:totolink:ac1200t10:*:*:*:*:*:*:*:* |
|
| TOTOLINK | CP450 |
Affected:
20260906
cpe:2.3:a:totolink:cp450:*:*:*:*:*:*:*:* |
|
| TOTOLINK | CS185R_T10 |
Affected:
20260906
cpe:2.3:a:totolink:cs185r_t10:*:*:*:*:*:*:*:* |
|
| TOTOLINK | EX200 |
Affected:
20260906
cpe:2.3:a:totolink:ex200:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15271",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T13:37:19.484529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T13:37:52.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:totolink:a3000ru:*:*:*:*:*:*:*:*"
],
"modules": [
"Web Interface"
],
"product": "A3000RU",
"vendor": "TOTOLINK",
"versions": [
{
"status": "affected",
"version": "20260906"
}
]
},
{
"cpes": [
"cpe:2.3:a:totolink:a3100r:*:*:*:*:*:*:*:*"
],
"modules": [
"Web Interface"
],
"product": "A3100R",
"vendor": "TOTOLINK",
"versions": [
{
"status": "affected",
"version": "20260906"
}
]
},
{
"cpes": [
"cpe:2.3:a:totolink:a950rg:*:*:*:*:*:*:*:*"
],
"modules": [
"Web Interface"
],
"product": "A950RG",
"vendor": "TOTOLINK",
"versions": [
{
"status": "affected",
"version": "20260906"
}
]
},
{
"cpes": [
"cpe:2.3:a:totolink:ac1200t10:*:*:*:*:*:*:*:*"
],
"modules": [
"Web Interface"
],
"product": "AC1200T10",
"vendor": "TOTOLINK",
"versions": [
{
"status": "affected",
"version": "20260906"
}
]
},
{
"cpes": [
"cpe:2.3:a:totolink:cp450:*:*:*:*:*:*:*:*"
],
"modules": [
"Web Interface"
],
"product": "CP450",
"vendor": "TOTOLINK",
"versions": [
{
"status": "affected",
"version": "20260906"
}
]
},
{
"cpes": [
"cpe:2.3:a:totolink:cs185r_t10:*:*:*:*:*:*:*:*"
],
"modules": [
"Web Interface"
],
"product": "CS185R_T10",
"vendor": "TOTOLINK",
"versions": [
{
"status": "affected",
"version": "20260906"
}
]
},
{
"cpes": [
"cpe:2.3:a:totolink:ex200:*:*:*:*:*:*:*:*"
],
"modules": [
"Web Interface"
],
"product": "EX200",
"vendor": "TOTOLINK",
"versions": [
{
"status": "affected",
"version": "20260906"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L-14 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in TOTOLINK A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10 and EX200 up to 20260906. Affected by this issue is some unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. The manipulation leads to least privilege violation. The attack may be initiated remotely. The attack\u0027s complexity is rated as high. The exploitation is known to be difficult."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.1,
"vectorString": "AV:N/AC:H/Au:S/C:C/I:C/A:C/E:ND/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-272",
"description": "Least Privilege Violation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T21:30:10.629Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377214 | TOTOLINK EX200 Web boa.conf least privilege violation",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/377214"
},
{
"name": "VDB-377214 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377214/cti"
},
{
"name": "CVE-2026-15271 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15271"
},
{
"name": "Submit #852316 | TOTOLink A3000RU A3000RU V5.9c.5185 Misconfiguration in A3000RU",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852316"
},
{
"name": "Submit #852317 | TOTOLink A3100R A3100R V4.1.2cu.5050 Misconfiguration in A3100R (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852317"
},
{
"name": "Submit #852318 | TOTOLink AC1200T10 V2 AC1200T10 V2 V4.1.8cu.5207 Misconfiguration in AC1200T10 V2 (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852318"
},
{
"name": "Submit #852319 | TOTOLink CP450 CP450 V4.1.0cu.747 Misconfiguration in CP450 (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852319"
},
{
"name": "Submit #852320 | TOTOLink CS185R_T10 CS185R_T10 V5.9c.1485 Misconfiguration in CS185R_T10 (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852320"
},
{
"name": "Submit #852321 | TOTOLink EX200 EX200 V4.0.3c.7646 Misconfiguration in EX200 (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852321"
},
{
"name": "Submit #852323 | TOTOLink A950RG A950RG V5.9c.4592 Misconfiguration in A950RG (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852323"
},
{
"tags": [
"related"
],
"url": "https://app.notion.com/p/A3000RU-V5-9c-5185-37a1f5ba989080d38bb6ca58b2a98c64?source=copy_link"
},
{
"tags": [
"product"
],
"url": "https://www.totolink.net/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T16:58:55.000Z",
"value": "VulDB entry last update"
}
],
"title": "TOTOLINK EX200 Web boa.conf least privilege violation"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15271",
"datePublished": "2026-07-09T21:30:10.629Z",
"dateReserved": "2026-07-09T14:50:16.412Z",
"dateUpdated": "2026-07-10T13:37:52.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15319 (GCVE-0-2026-15319)
Vulnerability from cvelistv5 – Published: 2026-07-10 01:45 – Updated: 2026-07-10 14:24
VLAI
EPSS
VEX
Title
Sipeed PicoClaw Launcher access_control.go IPAllowlist access control
Summary
A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377259 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377259/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15319 | third-party-advisory |
| https://vuldb.com/submit/852884 | third-party-advisory |
| https://github.com/sipeed/picoclaw/issues/3069 | exploitissue-tracking |
| https://github.com/sipeed/picoclaw/pull/3126 | issue-trackingpatch |
| https://github.com/sipeed/picoclaw/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15319",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:24:08.322070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:24:20.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
],
"modules": [
"Launcher"
],
"product": "PicoClaw",
"vendor": "Sipeed",
"versions": [
{
"status": "affected",
"version": "0.2.0"
},
{
"status": "affected",
"version": "0.2.1"
},
{
"status": "affected",
"version": "0.2.2"
},
{
"status": "affected",
"version": "0.2.3"
},
{
"status": "affected",
"version": "0.2.4"
},
{
"status": "affected",
"version": "0.2.5"
},
{
"status": "affected",
"version": "0.2.6"
},
{
"status": "affected",
"version": "0.2.7"
},
{
"status": "affected",
"version": "0.2.8"
},
{
"status": "affected",
"version": "0.2.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-d (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T01:45:08.961Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377259 | Sipeed PicoClaw Launcher access_control.go IPAllowlist access control",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377259"
},
{
"name": "VDB-377259 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377259/cti"
},
{
"name": "CVE-2026-15319 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15319"
},
{
"name": "Submit #852884 | Sipeed PicoClaw Unreleased main branch after launcher introduction commit `e55b3b7a8d0b1ea1522da08fd46155ee4f58b794` and before a fix is merged Improper Access Control (CWE-284)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852884"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/sipeed/picoclaw/issues/3069"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/sipeed/picoclaw/pull/3126"
},
{
"tags": [
"product"
],
"url": "https://github.com/sipeed/picoclaw/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:12:54.000Z",
"value": "VulDB entry last update"
}
],
"title": "Sipeed PicoClaw Launcher access_control.go IPAllowlist access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15319",
"datePublished": "2026-07-10T01:45:08.961Z",
"dateReserved": "2026-07-09T18:07:37.685Z",
"dateUpdated": "2026-07-10T14:24:20.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15373 (GCVE-0-2026-15373)
Vulnerability from cvelistv5 – Published: 2026-07-10 14:45 – Updated: 2026-07-10 18:26
VLAI
EPSS
VEX
Title
Eleveo Call Recording Software userAddAction.do improper authorization
Summary
A vulnerability was detected in Eleveo Call Recording Software 9.7.0. The impacted element is an unknown function of the file /callrec/userAddAction.do. Performing a manipulation of the argument role results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377440 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377440/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15373 | third-party-advisory |
| https://vuldb.com/submit/797457 | third-party-advisory |
| https://drive.google.com/file/d/1QqpeH0qWsSnSiMvP… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eleveo | Call Recording Software |
Affected:
9.7.0
cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15373",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T18:26:35.192794Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T18:26:51.420Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/submit/797457"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*"
],
"product": "Call Recording Software",
"vendor": "Eleveo",
"versions": [
{
"status": "affected",
"version": "9.7.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "omarelshopky (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in Eleveo Call Recording Software 9.7.0. The impacted element is an unknown function of the file /callrec/userAddAction.do. Performing a manipulation of the argument role results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:45:07.443Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377440 | Eleveo Call Recording Software userAddAction.do improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377440"
},
{
"name": "VDB-377440 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377440/cti"
},
{
"name": "CVE-2026-15373 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15373"
},
{
"name": "Submit #797457 | Eleveo Call Recording 9.7.0 Broken Access Control",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/797457"
},
{
"tags": [
"exploit"
],
"url": "https://drive.google.com/file/d/1QqpeH0qWsSnSiMvPeRJvRSylwLGK3hsN/view?usp=sharing"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-10T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-10T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-10T10:52:27.000Z",
"value": "VulDB entry last update"
}
],
"title": "Eleveo Call Recording Software userAddAction.do improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15373",
"datePublished": "2026-07-10T14:45:07.443Z",
"dateReserved": "2026-07-10T08:47:07.750Z",
"dateUpdated": "2026-07-10T18:26:51.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15374 (GCVE-0-2026-15374)
Vulnerability from cvelistv5 – Published: 2026-07-10 15:00 – Updated: 2026-07-10 15:47
VLAI
EPSS
VEX
Title
Eleveo Call Recording Software Group roleAddAction.do improper authorization
Summary
A flaw has been found in Eleveo Call Recording Software 9.7.0. This affects an unknown function of the file /callrec/roleAddAction.do of the component Group Interface. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377441 | vdb-entry |
| https://vuldb.com/vuln/377441/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15374 | third-party-advisory |
| https://vuldb.com/submit/797458 | third-party-advisory |
| https://drive.google.com/file/d/1GtIZC_PrOJPfQAfj… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eleveo | Call Recording Software |
Affected:
9.7.0
cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15374",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T15:47:46.616812Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T15:47:55.442Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*"
],
"modules": [
"Group Interface"
],
"product": "Call Recording Software",
"vendor": "Eleveo",
"versions": [
{
"status": "affected",
"version": "9.7.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "omarelshopky (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Eleveo Call Recording Software 9.7.0. This affects an unknown function of the file /callrec/roleAddAction.do of the component Group Interface. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T15:00:09.778Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377441 | Eleveo Call Recording Software Group roleAddAction.do improper authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/377441"
},
{
"name": "VDB-377441 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377441/cti"
},
{
"name": "CVE-2026-15374 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15374"
},
{
"name": "Submit #797458 | Eleveo Call Recording 9.7.0 Broken Access Control",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/797458"
},
{
"tags": [
"exploit"
],
"url": "https://drive.google.com/file/d/1GtIZC_PrOJPfQAfjcBckEbf8uDzGjt9B/view?usp=sharing"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-10T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-10T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-10T10:52:29.000Z",
"value": "VulDB entry last update"
}
],
"title": "Eleveo Call Recording Software Group roleAddAction.do improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15374",
"datePublished": "2026-07-10T15:00:09.778Z",
"dateReserved": "2026-07-10T08:47:10.996Z",
"dateUpdated": "2026-07-10T15:47:55.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15375 (GCVE-0-2026-15375)
Vulnerability from cvelistv5 – Published: 2026-07-10 15:15 – Updated: 2026-07-10 15:15
VLAI
EPSS
VEX
Title
Eleveo Call Recording Software LDAP User users_ldap.jsp improper authorization
Summary
A vulnerability has been found in Eleveo Call Recording Software 9.7.0. This impacts an unknown function of the file /callrec/users_ldap.jsp of the component LDAP User Interface. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377442 | vdb-entry |
| https://vuldb.com/vuln/377442/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15375 | third-party-advisory |
| https://vuldb.com/submit/797459 | third-party-advisory |
| https://drive.google.com/file/d/14q47WM7nqXuUJbN-… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eleveo | Call Recording Software |
Affected:
9.7.0
cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*"
],
"modules": [
"LDAP User Interface"
],
"product": "Call Recording Software",
"vendor": "Eleveo",
"versions": [
{
"status": "affected",
"version": "9.7.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "omarelshopky (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Eleveo Call Recording Software 9.7.0. This impacts an unknown function of the file /callrec/users_ldap.jsp of the component LDAP User Interface. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T15:15:07.109Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377442 | Eleveo Call Recording Software LDAP User users_ldap.jsp improper authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/377442"
},
{
"name": "VDB-377442 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377442/cti"
},
{
"name": "CVE-2026-15375 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15375"
},
{
"name": "Submit #797459 | Eleveo Call Recording 9.7.0 Broken Access Control",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/797459"
},
{
"tags": [
"exploit"
],
"url": "https://drive.google.com/file/d/14q47WM7nqXuUJbN-3xTXzCIbMUwD1kL8/view?usp=sharing"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-10T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-10T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-10T10:52:32.000Z",
"value": "VulDB entry last update"
}
],
"title": "Eleveo Call Recording Software LDAP User users_ldap.jsp improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15375",
"datePublished": "2026-07-10T15:15:07.109Z",
"dateReserved": "2026-07-10T08:47:14.350Z",
"dateUpdated": "2026-07-10T15:15:07.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15376 (GCVE-0-2026-15376)
Vulnerability from cvelistv5 – Published: 2026-07-10 15:45 – Updated: 2026-07-10 20:30
VLAI
EPSS
VEX
Title
Eleveo Call Recording Software statisticReportAction.do improper authorization
Summary
A vulnerability was found in Eleveo Call Recording Software 9.7.0. Affected is an unknown function of the file /callrec/statisticReportAction.do. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377443 | vdb-entry |
| https://vuldb.com/vuln/377443/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15376 | third-party-advisory |
| https://vuldb.com/submit/797461 | third-party-advisory |
| https://drive.google.com/file/d/18l6-Lpvqq1B-urew… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eleveo | Call Recording Software |
Affected:
9.7.0
cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15376",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T20:26:38.380986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:30:48.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*"
],
"product": "Call Recording Software",
"vendor": "Eleveo",
"versions": [
{
"status": "affected",
"version": "9.7.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "omarelshopky (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Eleveo Call Recording Software 9.7.0. Affected is an unknown function of the file /callrec/statisticReportAction.do. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T15:45:06.117Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377443 | Eleveo Call Recording Software statisticReportAction.do improper authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/377443"
},
{
"name": "VDB-377443 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377443/cti"
},
{
"name": "CVE-2026-15376 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15376"
},
{
"name": "Submit #797461 | Eleveo Call Recording 9.7.0 Broken Access Control",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/797461"
},
{
"tags": [
"exploit"
],
"url": "https://drive.google.com/file/d/18l6-Lpvqq1B-ureww1zR5d_nyhZl312q/view?usp=sharing"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-10T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-10T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-10T10:52:35.000Z",
"value": "VulDB entry last update"
}
],
"title": "Eleveo Call Recording Software statisticReportAction.do improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15376",
"datePublished": "2026-07-10T15:45:06.117Z",
"dateReserved": "2026-07-10T08:47:17.326Z",
"dateUpdated": "2026-07-10T20:30:48.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15377 (GCVE-0-2026-15377)
Vulnerability from cvelistv5 – Published: 2026-07-10 16:15 – Updated: 2026-07-10 16:44
VLAI
EPSS
VEX
Title
Eleveo Call Recording Software sendlogfile improper authorization
Summary
A vulnerability was determined in Eleveo Call Recording Software 9.7.0. Affected by this vulnerability is an unknown functionality of the file /callrec/sendlogfile. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377444 | vdb-entry |
| https://vuldb.com/vuln/377444/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15377 | third-party-advisory |
| https://vuldb.com/submit/797462 | third-party-advisory |
| https://drive.google.com/file/d/1qnAoRYVrMeB4fhtL… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eleveo | Call Recording Software |
Affected:
9.7.0
cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15377",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T16:44:09.588892Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T16:44:22.891Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*"
],
"product": "Call Recording Software",
"vendor": "Eleveo",
"versions": [
{
"status": "affected",
"version": "9.7.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "omarelshopky (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Eleveo Call Recording Software 9.7.0. Affected by this vulnerability is an unknown functionality of the file /callrec/sendlogfile. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T16:15:07.716Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377444 | Eleveo Call Recording Software sendlogfile improper authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/377444"
},
{
"name": "VDB-377444 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377444/cti"
},
{
"name": "CVE-2026-15377 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15377"
},
{
"name": "Submit #797462 | Eleveo Call Recording 9.7.0 Broken Access Control",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/797462"
},
{
"tags": [
"exploit"
],
"url": "https://drive.google.com/file/d/1qnAoRYVrMeB4fhtLV4XFZOVrzVM3UeHx/view?usp=sharing"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-10T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-10T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-10T10:52:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "Eleveo Call Recording Software sendlogfile improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15377",
"datePublished": "2026-07-10T16:15:07.716Z",
"dateReserved": "2026-07-10T08:47:20.246Z",
"dateUpdated": "2026-07-10T16:44:22.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-1
Phases: Architecture and Design, Operation
Description:
- Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation ID: MIT-17
Phases: Architecture and Design, Operation
Strategy: Environment Hardening
Description:
- Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.