Common Weakness Enumeration

CWE-266

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

CVE-2026-14794 (GCVE-0-2026-14794)

Vulnerability from cvelistv5 – Published: 2026-07-06 03:45 – Updated: 2026-07-06 13:05 X_Freeware
VLAI
Title
Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization
Summary
A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is possible to be carried out remotely. Upgrading to version 4.18.1 addresses this issue. Patch name: 9ee53efc1314e6aba32771c66a13e072a246f4ce. It is suggested to upgrade the affected component.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Vendor Product Version
Craft CMS Affected: 4.18.0.0
Affected: 4.18.0.1
Unaffected: 4.18.1
    cpe:2.3:a:craft:cms:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
geochen (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-14794",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-06T13:05:13.735519Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-06T13:05:23.079Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:craft:cms:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Charts Endpoint"
          ],
          "product": "CMS",
          "vendor": "Craft",
          "versions": [
            {
              "status": "affected",
              "version": "4.18.0.0"
            },
            {
              "status": "affected",
              "version": "4.18.0.1"
            },
            {
              "status": "unaffected",
              "version": "4.18.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "geochen (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is possible to be carried out remotely. Upgrading to version 4.18.1 addresses this issue. Patch name: 9ee53efc1314e6aba32771c66a13e072a246f4ce. It is suggested to upgrade the affected component."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-06T03:45:09.182Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-376388 | Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/376388"
        },
        {
          "name": "VDB-376388 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/376388/cti"
        },
        {
          "name": "CVE-2026-14794 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-14794"
        },
        {
          "name": "Submit #850793 | Craftcms CMS 5.10.1 Improper Access Controls",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/850793"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/craftcms/cms/commit/9ee53efc1314e6aba32771c66a13e072a246f4ce"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/craftcms/cms/releases/tag/4.18.1"
        }
      ],
      "tags": [
        "x_freeware"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-05T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-05T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-05T20:34:33.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-14794",
    "datePublished": "2026-07-06T03:45:09.182Z",
    "dateReserved": "2026-07-05T18:29:29.737Z",
    "dateUpdated": "2026-07-06T13:05:23.079Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15188 (GCVE-0-2026-15188)

Vulnerability from cvelistv5 – Published: 2026-07-09 15:15 – Updated: 2026-07-09 16:15
VLAI
Title
manjurulhoque django-job-portal Employee Dashboard Endpoint views.py EditEmployeeProfileAPIView access control
Summary
A weakness has been identified in manjurulhoque django-job-portal up to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f. Affected by this vulnerability is the function EditEmployeeProfileAPIView of the file accounts/api/views.py of the component Employee Dashboard Endpoint. This manipulation of the argument role causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Controls
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Vendor Product Version
manjurulhoque django-job-portal Affected: dfa352f305bba44445ac5dc12e9b2a98c9dcd71f
    cpe:2.3:a:manjurulhoque:django-job-portal:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
AliceS614 (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15188",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T16:14:54.647534Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T16:15:01.284Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:manjurulhoque:django-job-portal:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Employee Dashboard Endpoint"
          ],
          "product": "django-job-portal",
          "vendor": "manjurulhoque",
          "versions": [
            {
              "status": "affected",
              "version": "dfa352f305bba44445ac5dc12e9b2a98c9dcd71f"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "AliceS614 (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in manjurulhoque django-job-portal up to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f. Affected by this vulnerability is the function EditEmployeeProfileAPIView of the file accounts/api/views.py of the component Employee Dashboard Endpoint. This manipulation of the argument role causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T15:15:08.172Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377114 | manjurulhoque django-job-portal Employee Dashboard Endpoint views.py EditEmployeeProfileAPIView access control",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/377114"
        },
        {
          "name": "VDB-377114 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377114/cti"
        },
        {
          "name": "CVE-2026-15188 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15188"
        },
        {
          "name": "Submit #851436 | manjurulhoque/django-job-portal dfa352f305bba44445ac5dc12e9b2a98c9dcd71f Improper Access Controls",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/851436"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/manjurulhoque/django-job-portal/issues/91"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/manjurulhoque/django-job-portal/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-09T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-09T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-09T07:23:57.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "manjurulhoque django-job-portal Employee Dashboard Endpoint views.py EditEmployeeProfileAPIView access control"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15188",
    "datePublished": "2026-07-09T15:15:08.172Z",
    "dateReserved": "2026-07-09T05:18:48.629Z",
    "dateUpdated": "2026-07-09T16:15:01.284Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15270 (GCVE-0-2026-15270)

Vulnerability from cvelistv5 – Published: 2026-07-09 19:45 – Updated: 2026-07-10 20:32
VLAI
Title
D-link DIR-823G Web boa.conf least privilege violation
Summary
A weakness has been identified in D-link DIR-823G 1.0.2B05_20181207. Affected by this vulnerability is an unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. Executing a manipulation can lead to least privilege violation. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-272 - Least Privilege Violation
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Vendor Product Version
D-link DIR-823G Affected: 1.0.2B05_20181207
    cpe:2.3:h:d-link:dir-823g:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
L-14 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15270",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T19:09:52.964919Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T20:32:20.066Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:h:d-link:dir-823g:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Web Interface"
          ],
          "product": "DIR-823G",
          "vendor": "D-link",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.2B05_20181207"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "L-14 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in D-link DIR-823G 1.0.2B05_20181207. Affected by this vulnerability is an unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. Executing a manipulation can lead to least privilege violation. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.1,
            "vectorString": "AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-272",
              "description": "Least Privilege Violation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T19:45:08.076Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377213 | D-link DIR-823G Web boa.conf least privilege violation",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/vuln/377213"
        },
        {
          "name": "VDB-377213 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377213/cti"
        },
        {
          "name": "CVE-2026-15270 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15270"
        },
        {
          "name": "Submit #852314 | D-link DIR823G DIR823G V1.0.2B05_20181207 Misconfiguration in DIR823G",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/852314"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://app.notion.com/p/DIR823G-V1-0-2B05_20181207-37a1f5ba989080f2a043c60d2cfc7499?source=copy_link"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.dlink.com/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-09T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-09T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-09T16:54:00.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "D-link DIR-823G Web boa.conf least privilege violation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15270",
    "datePublished": "2026-07-09T19:45:08.076Z",
    "dateReserved": "2026-07-09T14:48:56.967Z",
    "dateUpdated": "2026-07-10T20:32:20.066Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15271 (GCVE-0-2026-15271)

Vulnerability from cvelistv5 – Published: 2026-07-09 21:30 – Updated: 2026-07-10 13:37
VLAI
Title
TOTOLINK EX200 Web boa.conf least privilege violation
Summary
A security vulnerability has been detected in TOTOLINK A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10 and EX200 up to 20260906. Affected by this issue is some unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. The manipulation leads to least privilege violation. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-272 - Least Privilege Violation
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Vendor Product Version
TOTOLINK A3000RU Affected: 20260906
    cpe:2.3:a:totolink:a3000ru:*:*:*:*:*:*:*:*
Create a notification for this product.
TOTOLINK A3100R Affected: 20260906
    cpe:2.3:a:totolink:a3100r:*:*:*:*:*:*:*:*
Create a notification for this product.
TOTOLINK A950RG Affected: 20260906
    cpe:2.3:a:totolink:a950rg:*:*:*:*:*:*:*:*
Create a notification for this product.
TOTOLINK AC1200T10 Affected: 20260906
    cpe:2.3:a:totolink:ac1200t10:*:*:*:*:*:*:*:*
Create a notification for this product.
TOTOLINK CP450 Affected: 20260906
    cpe:2.3:a:totolink:cp450:*:*:*:*:*:*:*:*
Create a notification for this product.
TOTOLINK CS185R_T10 Affected: 20260906
    cpe:2.3:a:totolink:cs185r_t10:*:*:*:*:*:*:*:*
Create a notification for this product.
TOTOLINK EX200 Affected: 20260906
    cpe:2.3:a:totolink:ex200:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
L-14 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15271",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T13:37:19.484529Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T13:37:52.501Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:totolink:a3000ru:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Web Interface"
          ],
          "product": "A3000RU",
          "vendor": "TOTOLINK",
          "versions": [
            {
              "status": "affected",
              "version": "20260906"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:totolink:a3100r:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Web Interface"
          ],
          "product": "A3100R",
          "vendor": "TOTOLINK",
          "versions": [
            {
              "status": "affected",
              "version": "20260906"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:totolink:a950rg:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Web Interface"
          ],
          "product": "A950RG",
          "vendor": "TOTOLINK",
          "versions": [
            {
              "status": "affected",
              "version": "20260906"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:totolink:ac1200t10:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Web Interface"
          ],
          "product": "AC1200T10",
          "vendor": "TOTOLINK",
          "versions": [
            {
              "status": "affected",
              "version": "20260906"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:totolink:cp450:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Web Interface"
          ],
          "product": "CP450",
          "vendor": "TOTOLINK",
          "versions": [
            {
              "status": "affected",
              "version": "20260906"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:totolink:cs185r_t10:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Web Interface"
          ],
          "product": "CS185R_T10",
          "vendor": "TOTOLINK",
          "versions": [
            {
              "status": "affected",
              "version": "20260906"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:totolink:ex200:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Web Interface"
          ],
          "product": "EX200",
          "vendor": "TOTOLINK",
          "versions": [
            {
              "status": "affected",
              "version": "20260906"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "L-14 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability has been detected in TOTOLINK A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10 and EX200 up to 20260906. Affected by this issue is some unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. The manipulation leads to least privilege violation. The attack may be initiated remotely. The attack\u0027s complexity is rated as high. The exploitation is known to be difficult."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.1,
            "vectorString": "AV:N/AC:H/Au:S/C:C/I:C/A:C/E:ND/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-272",
              "description": "Least Privilege Violation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T21:30:10.629Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377214 | TOTOLINK EX200 Web boa.conf least privilege violation",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/vuln/377214"
        },
        {
          "name": "VDB-377214 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377214/cti"
        },
        {
          "name": "CVE-2026-15271 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15271"
        },
        {
          "name": "Submit #852316 | TOTOLink A3000RU A3000RU V5.9c.5185 Misconfiguration in A3000RU",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/852316"
        },
        {
          "name": "Submit #852317 | TOTOLink A3100R A3100R V4.1.2cu.5050 Misconfiguration in A3100R (Duplicate)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/852317"
        },
        {
          "name": "Submit #852318 | TOTOLink AC1200T10 V2 AC1200T10 V2 V4.1.8cu.5207 Misconfiguration in AC1200T10 V2 (Duplicate)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/852318"
        },
        {
          "name": "Submit #852319 | TOTOLink CP450 CP450 V4.1.0cu.747 Misconfiguration in CP450 (Duplicate)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/852319"
        },
        {
          "name": "Submit #852320 | TOTOLink CS185R_T10 CS185R_T10 V5.9c.1485 Misconfiguration in CS185R_T10 (Duplicate)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/852320"
        },
        {
          "name": "Submit #852321 | TOTOLink EX200 EX200 V4.0.3c.7646 Misconfiguration in EX200 (Duplicate)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/852321"
        },
        {
          "name": "Submit #852323 | TOTOLink A950RG A950RG V5.9c.4592 Misconfiguration in A950RG (Duplicate)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/852323"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://app.notion.com/p/A3000RU-V5-9c-5185-37a1f5ba989080d38bb6ca58b2a98c64?source=copy_link"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.totolink.net/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-09T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-09T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-09T16:58:55.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "TOTOLINK EX200 Web boa.conf least privilege violation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15271",
    "datePublished": "2026-07-09T21:30:10.629Z",
    "dateReserved": "2026-07-09T14:50:16.412Z",
    "dateUpdated": "2026-07-10T13:37:52.501Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15319 (GCVE-0-2026-15319)

Vulnerability from cvelistv5 – Published: 2026-07-10 01:45 – Updated: 2026-07-10 14:24
VLAI
Title
Sipeed PicoClaw Launcher access_control.go IPAllowlist access control
Summary
A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Controls
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
URL Tags
https://vuldb.com/vuln/377259 vdb-entrytechnical-description
https://vuldb.com/vuln/377259/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-15319 third-party-advisory
https://vuldb.com/submit/852884 third-party-advisory
https://github.com/sipeed/picoclaw/issues/3069 exploitissue-tracking
https://github.com/sipeed/picoclaw/pull/3126 issue-trackingpatch
https://github.com/sipeed/picoclaw/ product
Impacted products
Vendor Product Version
Sipeed PicoClaw Affected: 0.2.0
Affected: 0.2.1
Affected: 0.2.2
Affected: 0.2.3
Affected: 0.2.4
Affected: 0.2.5
Affected: 0.2.6
Affected: 0.2.7
Affected: 0.2.8
Affected: 0.2.9
    cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Eric-d (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15319",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T14:24:08.322070Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T14:24:20.728Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Launcher"
          ],
          "product": "PicoClaw",
          "vendor": "Sipeed",
          "versions": [
            {
              "status": "affected",
              "version": "0.2.0"
            },
            {
              "status": "affected",
              "version": "0.2.1"
            },
            {
              "status": "affected",
              "version": "0.2.2"
            },
            {
              "status": "affected",
              "version": "0.2.3"
            },
            {
              "status": "affected",
              "version": "0.2.4"
            },
            {
              "status": "affected",
              "version": "0.2.5"
            },
            {
              "status": "affected",
              "version": "0.2.6"
            },
            {
              "status": "affected",
              "version": "0.2.7"
            },
            {
              "status": "affected",
              "version": "0.2.8"
            },
            {
              "status": "affected",
              "version": "0.2.9"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Eric-d (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T01:45:08.961Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377259 | Sipeed PicoClaw Launcher access_control.go IPAllowlist access control",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/377259"
        },
        {
          "name": "VDB-377259 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377259/cti"
        },
        {
          "name": "CVE-2026-15319 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15319"
        },
        {
          "name": "Submit #852884 | Sipeed PicoClaw Unreleased main branch after launcher introduction commit `e55b3b7a8d0b1ea1522da08fd46155ee4f58b794` and before a fix is merged Improper Access Control (CWE-284)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/852884"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/sipeed/picoclaw/issues/3069"
        },
        {
          "tags": [
            "issue-tracking",
            "patch"
          ],
          "url": "https://github.com/sipeed/picoclaw/pull/3126"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/sipeed/picoclaw/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-09T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-09T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-09T20:12:54.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Sipeed PicoClaw Launcher access_control.go IPAllowlist access control"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15319",
    "datePublished": "2026-07-10T01:45:08.961Z",
    "dateReserved": "2026-07-09T18:07:37.685Z",
    "dateUpdated": "2026-07-10T14:24:20.728Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15373 (GCVE-0-2026-15373)

Vulnerability from cvelistv5 – Published: 2026-07-10 14:45 – Updated: 2026-07-10 18:26
VLAI
Title
Eleveo Call Recording Software userAddAction.do improper authorization
Summary
A vulnerability was detected in Eleveo Call Recording Software 9.7.0. The impacted element is an unknown function of the file /callrec/userAddAction.do. Performing a manipulation of the argument role results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
URL Tags
https://vuldb.com/vuln/377440 vdb-entrytechnical-description
https://vuldb.com/vuln/377440/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-15373 third-party-advisory
https://vuldb.com/submit/797457 third-party-advisory
https://drive.google.com/file/d/1QqpeH0qWsSnSiMvP… exploit
Impacted products
Vendor Product Version
Eleveo Call Recording Software Affected: 9.7.0
    cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
omarelshopky (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15373",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T18:26:35.192794Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T18:26:51.420Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://vuldb.com/submit/797457"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*"
          ],
          "product": "Call Recording Software",
          "vendor": "Eleveo",
          "versions": [
            {
              "status": "affected",
              "version": "9.7.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "omarelshopky (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was detected in Eleveo Call Recording Software 9.7.0. The impacted element is an unknown function of the file /callrec/userAddAction.do. Performing a manipulation of the argument role results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T14:45:07.443Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377440 | Eleveo Call Recording Software userAddAction.do improper authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/377440"
        },
        {
          "name": "VDB-377440 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377440/cti"
        },
        {
          "name": "CVE-2026-15373 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15373"
        },
        {
          "name": "Submit #797457 | Eleveo Call Recording 9.7.0 Broken Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/797457"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://drive.google.com/file/d/1QqpeH0qWsSnSiMvPeRJvRSylwLGK3hsN/view?usp=sharing"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-10T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-10T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-10T10:52:27.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Eleveo Call Recording Software userAddAction.do improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15373",
    "datePublished": "2026-07-10T14:45:07.443Z",
    "dateReserved": "2026-07-10T08:47:07.750Z",
    "dateUpdated": "2026-07-10T18:26:51.420Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15374 (GCVE-0-2026-15374)

Vulnerability from cvelistv5 – Published: 2026-07-10 15:00 – Updated: 2026-07-10 15:47
VLAI
Title
Eleveo Call Recording Software Group roleAddAction.do improper authorization
Summary
A flaw has been found in Eleveo Call Recording Software 9.7.0. This affects an unknown function of the file /callrec/roleAddAction.do of the component Group Interface. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Vendor Product Version
Eleveo Call Recording Software Affected: 9.7.0
    cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
omarelshopky (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15374",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T15:47:46.616812Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T15:47:55.442Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Group Interface"
          ],
          "product": "Call Recording Software",
          "vendor": "Eleveo",
          "versions": [
            {
              "status": "affected",
              "version": "9.7.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "omarelshopky (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw has been found in Eleveo Call Recording Software 9.7.0. This affects an unknown function of the file /callrec/roleAddAction.do of the component Group Interface. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T15:00:09.778Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377441 | Eleveo Call Recording Software Group roleAddAction.do improper authorization",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/vuln/377441"
        },
        {
          "name": "VDB-377441 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377441/cti"
        },
        {
          "name": "CVE-2026-15374 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15374"
        },
        {
          "name": "Submit #797458 | Eleveo Call Recording 9.7.0 Broken Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/797458"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://drive.google.com/file/d/1GtIZC_PrOJPfQAfjcBckEbf8uDzGjt9B/view?usp=sharing"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-10T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-10T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-10T10:52:29.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Eleveo Call Recording Software Group roleAddAction.do improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15374",
    "datePublished": "2026-07-10T15:00:09.778Z",
    "dateReserved": "2026-07-10T08:47:10.996Z",
    "dateUpdated": "2026-07-10T15:47:55.442Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15375 (GCVE-0-2026-15375)

Vulnerability from cvelistv5 – Published: 2026-07-10 15:15 – Updated: 2026-07-10 15:15
VLAI
Title
Eleveo Call Recording Software LDAP User users_ldap.jsp improper authorization
Summary
A vulnerability has been found in Eleveo Call Recording Software 9.7.0. This impacts an unknown function of the file /callrec/users_ldap.jsp of the component LDAP User Interface. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Vendor Product Version
Eleveo Call Recording Software Affected: 9.7.0
    cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
omarelshopky (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "LDAP User Interface"
          ],
          "product": "Call Recording Software",
          "vendor": "Eleveo",
          "versions": [
            {
              "status": "affected",
              "version": "9.7.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "omarelshopky (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been found in Eleveo Call Recording Software 9.7.0. This impacts an unknown function of the file /callrec/users_ldap.jsp of the component LDAP User Interface. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T15:15:07.109Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377442 | Eleveo Call Recording Software LDAP User users_ldap.jsp improper authorization",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/vuln/377442"
        },
        {
          "name": "VDB-377442 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377442/cti"
        },
        {
          "name": "CVE-2026-15375 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15375"
        },
        {
          "name": "Submit #797459 | Eleveo Call Recording 9.7.0 Broken Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/797459"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://drive.google.com/file/d/14q47WM7nqXuUJbN-3xTXzCIbMUwD1kL8/view?usp=sharing"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-10T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-10T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-10T10:52:32.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Eleveo Call Recording Software LDAP User users_ldap.jsp improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15375",
    "datePublished": "2026-07-10T15:15:07.109Z",
    "dateReserved": "2026-07-10T08:47:14.350Z",
    "dateUpdated": "2026-07-10T15:15:07.109Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15376 (GCVE-0-2026-15376)

Vulnerability from cvelistv5 – Published: 2026-07-10 15:45 – Updated: 2026-07-10 20:30
VLAI
Title
Eleveo Call Recording Software statisticReportAction.do improper authorization
Summary
A vulnerability was found in Eleveo Call Recording Software 9.7.0. Affected is an unknown function of the file /callrec/statisticReportAction.do. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Vendor Product Version
Eleveo Call Recording Software Affected: 9.7.0
    cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
omarelshopky (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15376",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T20:26:38.380986Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T20:30:48.070Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*"
          ],
          "product": "Call Recording Software",
          "vendor": "Eleveo",
          "versions": [
            {
              "status": "affected",
              "version": "9.7.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "omarelshopky (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Eleveo Call Recording Software 9.7.0. Affected is an unknown function of the file /callrec/statisticReportAction.do. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T15:45:06.117Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377443 | Eleveo Call Recording Software statisticReportAction.do improper authorization",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/vuln/377443"
        },
        {
          "name": "VDB-377443 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377443/cti"
        },
        {
          "name": "CVE-2026-15376 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15376"
        },
        {
          "name": "Submit #797461 | Eleveo Call Recording 9.7.0 Broken Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/797461"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://drive.google.com/file/d/18l6-Lpvqq1B-ureww1zR5d_nyhZl312q/view?usp=sharing"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-10T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-10T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-10T10:52:35.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Eleveo Call Recording Software statisticReportAction.do improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15376",
    "datePublished": "2026-07-10T15:45:06.117Z",
    "dateReserved": "2026-07-10T08:47:17.326Z",
    "dateUpdated": "2026-07-10T20:30:48.070Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15377 (GCVE-0-2026-15377)

Vulnerability from cvelistv5 – Published: 2026-07-10 16:15 – Updated: 2026-07-10 16:44
VLAI
Title
Eleveo Call Recording Software sendlogfile improper authorization
Summary
A vulnerability was determined in Eleveo Call Recording Software 9.7.0. Affected by this vulnerability is an unknown functionality of the file /callrec/sendlogfile. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Vendor Product Version
Eleveo Call Recording Software Affected: 9.7.0
    cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
omarelshopky (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15377",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T16:44:09.588892Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T16:44:22.891Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:eleveo:call_recording_software:*:*:*:*:*:*:*:*"
          ],
          "product": "Call Recording Software",
          "vendor": "Eleveo",
          "versions": [
            {
              "status": "affected",
              "version": "9.7.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "omarelshopky (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was determined in Eleveo Call Recording Software 9.7.0. Affected by this vulnerability is an unknown functionality of the file /callrec/sendlogfile. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T16:15:07.716Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377444 | Eleveo Call Recording Software sendlogfile improper authorization",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/vuln/377444"
        },
        {
          "name": "VDB-377444 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377444/cti"
        },
        {
          "name": "CVE-2026-15377 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15377"
        },
        {
          "name": "Submit #797462 | Eleveo Call Recording 9.7.0 Broken Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/797462"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://drive.google.com/file/d/1qnAoRYVrMeB4fhtLV4XFZOVrzVM3UeHx/view?usp=sharing"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-10T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-10T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-10T10:52:38.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Eleveo Call Recording Software sendlogfile improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15377",
    "datePublished": "2026-07-10T16:15:07.716Z",
    "dateReserved": "2026-07-10T08:47:20.246Z",
    "dateUpdated": "2026-07-10T16:44:22.891Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation ID: MIT-1

Phases: Architecture and Design, Operation

Description:

  • Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation ID: MIT-17

Phases: Architecture and Design, Operation

Strategy: Environment Hardening

Description:

  • Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page