Common Weakness Enumeration

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CVE-2026-28444 (GCVE-0-2026-28444)

Vulnerability from cvelistv5 – Published: 2026-05-22 16:00 – Updated: 2026-05-22 16:44
VLAI
Title
Typebot: IDOR in Result Logs Endpoint Allows Cross-Workspace Data Disclosure
Summary
Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verifying that the result belongs to the authorized typebot, leading to IDOR. An authenticated attacker can supply their own typebotId alongside any victim's resultId to read execution logs from other workspaces, leaking sensitive data including HTTP response bodies, AI model outputs, and webhook payloads. Every other result-scoped endpoint in the same router properly validates that the resultId belongs to the authorized typebotId. This confirms the missing check is an oversight, not a design choice. This issue has been fixed in version 3.15.2.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
baptisteArno typebot.io Affected: < 3.16.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28444",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T16:42:43.239389Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T16:44:17.968Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "typebot.io",
          "vendor": "baptisteArno",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.16.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verifying that the result belongs to the authorized typebot, leading to IDOR. An authenticated attacker can supply their own typebotId alongside any victim\u0027s resultId to read execution logs from other workspaces, leaking sensitive data including HTTP response bodies, AI model outputs, and webhook payloads. Every other result-scoped endpoint in the same router properly validates that the resultId belongs to the authorized typebotId. This confirms the missing check is an oversight, not a design choice. This issue has been fixed in version 3.15.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T16:00:58.147Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-c63p-mqx5-75r7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-c63p-mqx5-75r7"
        },
        {
          "name": "https://github.com/baptisteArno/typebot.io/commit/d82b2d47c86ae614a08d4073c669ca64442faff2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/baptisteArno/typebot.io/commit/d82b2d47c86ae614a08d4073c669ca64442faff2"
        },
        {
          "name": "https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0"
        }
      ],
      "source": {
        "advisory": "GHSA-c63p-mqx5-75r7",
        "discovery": "UNKNOWN"
      },
      "title": "Typebot: IDOR in Result Logs Endpoint Allows Cross-Workspace Data Disclosure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28444",
    "datePublished": "2026-05-22T16:00:58.147Z",
    "dateReserved": "2026-02-27T15:54:05.140Z",
    "dateUpdated": "2026-05-22T16:44:17.968Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28469 (GCVE-0-2026-28469)

Vulnerability from cvelistv5 – Published: 2026-03-05 21:59 – Updated: 2026-03-09 18:02
VLAI
Title
OpenClaw < 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity
Summary
OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
OpenClaw OpenClaw Affected: 0 , < 2026.2.14 (custom)
Create a notification for this product.
Date Public
2026-02-15 00:00
Credits
Vincent Koc (@vincentkoc)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28469",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T18:01:17.718430Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T18:02:19.456Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/openclaw",
          "product": "OpenClaw",
          "vendor": "OpenClaw",
          "versions": [
            {
              "lessThan": "2026.2.14",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
                  "versionEndExcluding": "2026.2.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Vincent Koc (@vincentkoc)"
        }
      ],
      "datePublic": "2026-02-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eOpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.\u003c/p\u003e"
            }
          ],
          "value": "OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T16:38:21.343Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GitHub Security Advisory (GHSA-rq6g-px6m-c248)",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248"
        },
        {
          "name": "Patch Commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e"
        },
        {
          "name": "VulnCheck Advisory: OpenClaw \u003c 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "OpenClaw \u003c 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-28469",
    "datePublished": "2026-03-05T21:59:45.613Z",
    "dateReserved": "2026-02-27T19:19:10.890Z",
    "dateUpdated": "2026-03-09T18:02:19.456Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28503 (GCVE-0-2026-28503)

Vulnerability from cvelistv5 – Published: 2026-03-26 18:55 – Updated: 2026-03-27 13:58
VLAI
Title
Tandoor Recipes has Cross-Space IDOR in SyncViewSet.query_synced_folder: missing space scoping on get_object_or_404
Summary
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the `SyncViewSet.query_synced_folder()` action in `cookbook/views/api.py` (line 903) fetches a Sync object using `get_object_or_404(Sync, pk=pk)` without including `space=request.space` in the filter. This allows an admin user in Space A to trigger sync operations (Dropbox/Nextcloud/Local import) on Sync configurations belonging to Space B, and view the resulting sync logs. Version 2.6.0 patches the issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
TandoorRecipes recipes Affected: < 2.6.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28503",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T13:47:43.517185Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T13:58:12.010Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "recipes",
          "vendor": "TandoorRecipes",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the `SyncViewSet.query_synced_folder()` action in `cookbook/views/api.py` (line 903) fetches a Sync object using `get_object_or_404(Sync, pk=pk)` without including `space=request.space` in the filter. This allows an admin user in Space A to trigger sync operations (Dropbox/Nextcloud/Local import) on Sync configurations belonging to Space B, and view the resulting sync logs. Version 2.6.0 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T18:55:53.094Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-6qpw-gwcq-68fv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-6qpw-gwcq-68fv"
        },
        {
          "name": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0"
        }
      ],
      "source": {
        "advisory": "GHSA-6qpw-gwcq-68fv",
        "discovery": "UNKNOWN"
      },
      "title": "Tandoor Recipes has Cross-Space IDOR in SyncViewSet.query_synced_folder: missing space scoping on get_object_or_404"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28503",
    "datePublished": "2026-03-26T18:55:53.094Z",
    "dateReserved": "2026-02-27T20:57:47.709Z",
    "dateUpdated": "2026-03-27T13:58:12.010Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28696 (GCVE-0-2026-28696)

Vulnerability from cvelistv5 – Published: 2026-03-04 16:21 – Updated: 2026-03-04 18:00
VLAI
Title
Craft affected by IDOR via GraphQL @parseRefs
Summary
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
craftcms cms Affected: >= 4.0.0-RC1, < 4.17.0-beta.1
Affected: >= 5.0.0-RC1, < 5.9.0-beta.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28696",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-04T18:00:48.225156Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-04T18:00:59.824Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "craftcms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0-RC1, \u003c 4.17.0-beta.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0-RC1, \u003c 5.9.0-beta.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-04T16:21:43.199Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj"
        },
        {
          "name": "https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9"
        }
      ],
      "source": {
        "advisory": "GHSA-7x43-mpfg-r9wj",
        "discovery": "UNKNOWN"
      },
      "title": "Craft affected by IDOR via GraphQL @parseRefs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28696",
    "datePublished": "2026-03-04T16:21:43.199Z",
    "dateReserved": "2026-03-02T21:43:19.928Z",
    "dateUpdated": "2026-03-04T18:00:59.824Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28736 (GCVE-0-2026-28736)

Vulnerability from cvelistv5 – Published: 2026-04-03 13:25 – Updated: 2026-04-03 14:54 Unsupported When Assigned
VLAI
Title
Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix)
Summary
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
Mattermost Focalboard Affected: 0 , ≤ 8.0 (semver)
Create a notification for this product.
Credits
Siam Thanat Hack Company Limited
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28736",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-03T14:53:54.422014Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-03T14:54:37.869Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Focalboard",
          "vendor": "Mattermost",
          "versions": [
            {
              "lessThanOrEqual": "8.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Siam Thanat Hack Company Limited"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim\u0027s fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-03T13:25:53.399Z",
        "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "shortName": "Mattermost"
      },
      "references": [
        {
          "name": "Focalboard Repository (Unmaintained)",
          "tags": [
            "product"
          ],
          "url": "https://github.com/mattermost-community/focalboard"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "unsupported-when-assigned"
      ],
      "title": "Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
    "assignerShortName": "Mattermost",
    "cveId": "CVE-2026-28736",
    "datePublished": "2026-04-03T13:25:53.399Z",
    "dateReserved": "2026-04-03T13:10:59.177Z",
    "dateUpdated": "2026-04-03T14:54:37.869Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28740 (GCVE-0-2026-28740)

Vulnerability from cvelistv5 – Published: 2026-07-03 20:19 – Updated: 2026-07-07 16:58
VLAI
Title
Gitea LFS object reuse bypasses Code-unit authorization
Summary
Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
Impacted products
Vendor Product Version
Gitea Gitea Open Source Git Server Affected: 0 , ≤ 1.26.2 (semver)
Create a notification for this product.
Credits
m2hcz
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28740",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-07T13:47:46.184675Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-07T16:58:26.934Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gitea Open Source Git Server",
          "vendor": "Gitea",
          "versions": [
            {
              "lessThanOrEqual": "1.26.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "m2hcz"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T20:19:39.687Z",
        "orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
        "shortName": "Gitea"
      },
      "references": [
        {
          "name": "GitHub Security Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-2m9v-5q2g-58vq"
        },
        {
          "name": "GitHub Pull Request #38050",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/38050"
        },
        {
          "name": "Gitea v1.26.3 Release",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/go-gitea/gitea/releases/tag/v1.26.3"
        },
        {
          "name": "Gitea v1.26.4 Release Blog Post",
          "tags": [
            "release-notes"
          ],
          "url": "https://blog.gitea.com/release-of-1.26.3-and-1.26.4/"
        }
      ],
      "title": "Gitea LFS object reuse bypasses Code-unit authorization",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
    "assignerShortName": "Gitea",
    "cveId": "CVE-2026-28740",
    "datePublished": "2026-07-03T20:19:39.687Z",
    "dateReserved": "2026-03-03T03:25:59.982Z",
    "dateUpdated": "2026-07-07T16:58:26.934Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28747 (GCVE-0-2026-28747)

Vulnerability from cvelistv5 – Published: 2026-04-27 22:44 – Updated: 2026-04-28 14:35
VLAI
Title
Milesight Cameras Authorization Bypass Through User-Controlled Key
Summary
A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras allows authorization to be bypassed.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Milesight MS-Cxx63-PD Affected: 0 , ≤ 51.7.0.77-r12 (custom)
Create a notification for this product.
Milesight MS-Cxx64-xPD Affected: 0 , ≤ 51.7.0.77-r12 (custom)
Create a notification for this product.
Milesight MS-Cxx73-xPD Affected: 0 , ≤ 51.7.0.77-r12 (custom)
Create a notification for this product.
Milesight MS-Cxx75-xxPD Affected: 0 , ≤ 51.7.0.77-r12 (custom)
Create a notification for this product.
Milesight MS-Cxx83-xPD Affected: 0 , ≤ 51.7.0.77-r12 (custom)
Create a notification for this product.
Milesight MS-Cxx74-PA Affected: 0 , ≤ 3x.8.0.3-r11 (custom)
Create a notification for this product.
Milesight MS-C8477-HPG1 Affected: 0 , ≤ 63.8.0.4-r3 (custom)
Create a notification for this product.
Milesight MS-C8477-PC Affected: 0 , ≤ 48.8.0.4-r3 (custom)
Create a notification for this product.
Milesight MS-C5321-FPE Affected: 0 , ≤ 62.8.0.4-r5 (custom)
Create a notification for this product.
Milesight MS-Cxx72-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx62-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx52-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx66-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx66-xxxGPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx61-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx67-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx71-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx41-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx76-PE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx65-PE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx66-xxxG1 Affected: 0 , ≤ 63.8.0.5-r3 (custom)
Create a notification for this product.
Milesight MS-Cxx62-xxxG1 Affected: 0 , ≤ 63.8.0.5-r3 (custom)
Create a notification for this product.
Milesight MS-Cxx72-xxxG1 Affected: 0 , ≤ 63.8.0.5-r3 (custom)
Create a notification for this product.
Milesight MS-CQxx31-xxxG1 Affected: 0 , ≤ CQ_63.8.0.5-r1 (custom)
Create a notification for this product.
Milesight MS-CQxx68-xxxG1 Affected: 0 , ≤ CQ_63.8.0.5-r1 (custom)
Create a notification for this product.
Milesight MS-CQxx72-xxxG1 Affected: 0 , ≤ CQ_63.8.0.5-r1 (custom)
Create a notification for this product.
Milesight MS-Nxxxx-NxE Affected: 0 , ≤ 7x.9.0.19-r5 (custom)
Create a notification for this product.
Milesight MS-Nxxxx-xxC Affected: 0 , ≤ 7x.9.0.19-r5 (custom)
Create a notification for this product.
Milesight MS-Nxxxx-xxE Affected: 0 , ≤ 7x.9.0.19-r5 (custom)
Create a notification for this product.
Milesight MS-Nxxxx-xxG Affected: 0 , ≤ 7x.9.0.19-r5 (custom)
Create a notification for this product.
Milesight MS-Nxxxx-xxH Affected: 0 , ≤ 7x.9.0.19-r5 (custom)
Create a notification for this product.
Milesight MS-Nxxxx-xxT Affected: 0 , ≤ 7x.9.0.19-r5 (custom)
Create a notification for this product.
Milesight PMC8266-FPE Affected: 0 , ≤ PO_61.8.0.4_LPR (custom)
Create a notification for this product.
Milesight PMC8266-FGPE Affected: 0 , ≤ PO_61.8.0.4_LPR (custom)
Create a notification for this product.
Milesight PM3322-E Affected: 0 , ≤ PI_61.8.0.3_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4466-X4RIPG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS5366-X12RIPG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS8266-X4RIPG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4466-X4RIVPG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4466-RFIVPG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS8266-X4RIVPG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS8266-RFIVPG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4466-X4RIWG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS8266-X4RIWG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS5510-GVH Affected: 0 , ≤ T_47.8.0.4_LPR-r7 (custom)
Create a notification for this product.
Milesight TS5510-GH Affected: 0 , ≤ T_47.8.0.4_LPR-r6 (custom)
Create a notification for this product.
Milesight TS5511-GVH Affected: 0 , ≤ T_47.8.0.4_LPR-r6 (custom)
Create a notification for this product.
Milesight TS2966-X12TPE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4466-X4RPE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS5366-X12PE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS8266-X4PE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS2966-X12TVPE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4466-X4RVPE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS5366-X12VPE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS8266-X4VPE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4441-X36RPE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4441-X36RE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4466-X4RWE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS8266-X4WE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight MS-C2964-RFLPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-C2972-RFLPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-C2966-RFLWPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS2866-X4TPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS2866-X4TVPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS2866-X4TGPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS2841-X36TPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS2841-X36TPC/W Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS2867-X5TPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS2961-X12TPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS8266-FPC/P Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-C2966-X12RLPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-C2966-X12RLVPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-C5366-X12LPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-C5366-X12LVPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-C5361-X12LPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-Cxx66-xxxxGOPC Affected: 0 , ≤ 45.8.0.2-AIoT-r4 (custom)
Create a notification for this product.
Milesight SC211 Affected: 0 , ≤ C_21.1.0.8-r4 (custom)
Create a notification for this product.
Milesight SP111 Affected: 0 , ≤ 52.8.0.4-r5 (custom)
Create a notification for this product.
Milesight MS-Cxx66-RFIPKG1 Affected: 0 , ≤ 63.8.0.4-r1-NX (custom)
Create a notification for this product.
Milesight MS-Cxx72-RFIPKG1 Affected: 0 , ≤ 63.8.0.4-r1-NX (custom)
Create a notification for this product.
Milesight MS-Cxx66-FIPKG1 Affected: 0 , ≤ 63.8.0.4-r1-NX (custom)
Create a notification for this product.
Milesight MS-Cxx72-FIPKG1 Affected: 0 , ≤ 63.8.0.4-r1-NX (custom)
Create a notification for this product.
Credits
Souvik Kandar reported these vulnerabilities to CISA
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28747",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-28T13:40:48.550832Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-28T14:35:33.191Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx63-PD",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "51.7.0.77-r12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx64-xPD",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "51.7.0.77-r12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx73-xPD",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "51.7.0.77-r12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx75-xxPD",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "51.7.0.77-r12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx83-xPD",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "51.7.0.77-r12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx74-PA",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "3x.8.0.3-r11",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C8477-HPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.4-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C8477-PC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "48.8.0.4-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C5321-FPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "62.8.0.4-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx72-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx62-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx52-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx66-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx66-xxxGPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx61-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx67-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx71-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx41-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx76-PE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx65-PE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx66-xxxG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.5-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx62-xxxG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.5-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx72-xxxG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.5-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-CQxx31-xxxG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "CQ_63.8.0.5-r1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-CQxx68-xxxG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "CQ_63.8.0.5-r1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-CQxx72-xxxG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "CQ_63.8.0.5-r1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Nxxxx-NxE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "7x.9.0.19-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Nxxxx-xxC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "7x.9.0.19-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Nxxxx-xxE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "7x.9.0.19-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Nxxxx-xxG",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "7x.9.0.19-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Nxxxx-xxH",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "7x.9.0.19-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Nxxxx-xxT",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "7x.9.0.19-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "PMC8266-FPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "PO_61.8.0.4_LPR",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "PMC8266-FGPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "PO_61.8.0.4_LPR",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "PM3322-E",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "PI_61.8.0.3_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4466-X4RIPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS5366-X12RIPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-X4RIPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4466-X4RIVPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4466-RFIVPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-X4RIVPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-RFIVPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4466-X4RIWG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-X4RIWG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS5510-GVH",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_47.8.0.4_LPR-r7",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS5510-GH",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_47.8.0.4_LPR-r6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS5511-GVH",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_47.8.0.4_LPR-r6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2966-X12TPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4466-X4RPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS5366-X12PE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-X4PE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2966-X12TVPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4466-X4RVPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS5366-X12VPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-X4VPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4441-X36RPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4441-X36RE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4466-X4RWE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-X4WE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C2964-RFLPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C2972-RFLPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C2966-RFLWPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2866-X4TPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2866-X4TVPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2866-X4TGPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2841-X36TPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2841-X36TPC/W",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2867-X5TPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2961-X12TPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-FPC/P",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C2966-X12RLPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C2966-X12RLVPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C5366-X12LPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C5366-X12LVPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C5361-X12LPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx66-xxxxGOPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "45.8.0.2-AIoT-r4",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "SC211",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "C_21.1.0.8-r4",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "SP111",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "52.8.0.4-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx66-RFIPKG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.4-r1-NX",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx72-RFIPKG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.4-r1-NX",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx66-FIPKG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.4-r1-NX",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx72-FIPKG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.4-r1-NX",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Souvik Kandar reported these vulnerabilities to CISA"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras allows authorization to be bypassed.\u0026nbsp;"
            }
          ],
          "value": "A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras allows authorization to be bypassed."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T23:31:53.318Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json"
        },
        {
          "url": "https://www.milesight.com/support/download/firmware"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMilesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware.\u0026nbsp;\u003cbr\u003e\u003ca href=\"https://www.milesight.com/support/download/firmware\" title=\"(opens in a new window)\"\u003ehttps://www.milesight.com/support/download/firmware\u003c/a\u003e\u003c/p\u003e\u003cp\u003eMS-Cxx63-PD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx64-xPD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx73-xPD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx75-xxPD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx83-xPD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx74-PA: Update to 3x.8.0.3-r13\u003c/p\u003e\u003cp\u003eMS-C8477-HPG1: Update to 63.8.0.4-r4\u003c/p\u003e\u003cp\u003e\u0026nbsp;MS-C8477-PC: Update to 48.8.0.4-r4\u003c/p\u003e\u003cp\u003eMS-C5321-FPE: Update to 62.8.0.4-r6\u003c/p\u003e\u003cp\u003eMS-Cxx72-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx62-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx52-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx66-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx66-xxxGPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx61-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx67-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx71-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx41-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx76-PE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx65-PE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx66-xxxG1: Update to 63.8.0.5-r4\u003c/p\u003e\u003cp\u003eMS-Cxx62-xxxG1: Update to 63.8.0.5-r4\u003c/p\u003e\u003cp\u003eMS-Cxx72-xxxG1: Update to 63.8.0.5-r4\u003c/p\u003e\u003cp\u003eMS-CQxx31-xxxG1: Update to CQ_63.8.0.5-r2\u0026nbsp;\u003c/p\u003e\u003cp\u003eMS-CQxx68-xxxG1: Update to CQ_63.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-CQxx72-xxxG1: Update to CQ_63.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Nxxxx-NxE: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxC: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxE: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxG: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxH: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxT: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003ePMC8266-FPE: Update to PO_61.8.0.4-r1\u003c/p\u003e\u003cp\u003ePMC8266-FGPE: Update to PO_61.8.0.4-r1\u003c/p\u003e\u003cp\u003ePM3322-E: Update to PI_61.8.0.3-r5\u003c/p\u003e\u003cp\u003eTS4466-X4RIPG1: Update to T_63.8.0.4-r4\u0026nbsp;\u003c/p\u003e\u003cp\u003eTS5366-X12RIPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4RIPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RIVPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-RFIVPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4RIVPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-RFIVPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RIWG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4RIWG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS5510-GVH: Update to T_47.8.0.4-r8\u003c/p\u003e\u003cp\u003eTS5510-GH: Update to T_47.8.0.4-r8\u003c/p\u003e\u003cp\u003eTS5511-GVH: Update to T_47.8.0.4-r8\u003c/p\u003e\u003cp\u003eTS2966-X12TPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS5366-X12PE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4PE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS2966-X12TVPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RVPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS5366-X12VPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4VPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4441-X36RPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4441-X36RE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RWE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4WE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eMS-C2964-RFLPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C2972-RFLPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C2966-RFLWPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2866-X4TPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2866-X4TVPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2866-X4TGPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2841-X36TPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2841-X36TPC/W: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2867-X5TPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2961-X12TPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS8266-FPC/P: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C2966-X12RLPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C2966-X12RLVPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C5366-X12LPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C5366-X12LVPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C5361-X12LPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-Cxx66-xxxxGOPC: Update to 45.8.0.2-AIoT-r5\u003c/p\u003e\u003cp\u003eSC211: Update to C_21.1.0.8-r5\u003c/p\u003e\u003cp\u003eSP111: Update to 52.8.0.4-r6\u003c/p\u003e\u003cp\u003eMS-Cxx66-RFIPKG1: Update to 63.8.0.5-r2-NX\u003c/p\u003e\u003cp\u003eMS-Cxx72-RFIPKG1: Update to 63.8.0.5-r2-NX\u003c/p\u003e\u003cp\u003eMS-Cxx66-FIPKG1: Update to 63.8.0.5-r2-NX\u003c/p\u003e\u003cp\u003eMS-Cxx72-FIPKG1: Update to 63.8.0.5-r2-NX\u003c/p\u003e"
            }
          ],
          "value": "Milesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware.\u00a0\n https://www.milesight.com/support/download/firmware \n\nMS-Cxx63-PD: Update to 51.7.0.77-r13\n\nMS-Cxx64-xPD: Update to 51.7.0.77-r13\n\nMS-Cxx73-xPD: Update to 51.7.0.77-r13\n\nMS-Cxx75-xxPD: Update to 51.7.0.77-r13\n\nMS-Cxx83-xPD: Update to 51.7.0.77-r13\n\nMS-Cxx74-PA: Update to 3x.8.0.3-r13\n\nMS-C8477-HPG1: Update to 63.8.0.4-r4\n\n\u00a0MS-C8477-PC: Update to 48.8.0.4-r4\n\nMS-C5321-FPE: Update to 62.8.0.4-r6\n\nMS-Cxx72-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx62-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx52-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx66-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx66-xxxGPE: Update to 61.8.0.5-r2\n\nMS-Cxx61-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx67-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx71-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx41-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx76-PE: Update to 61.8.0.5-r2\n\nMS-Cxx65-PE: Update to 61.8.0.5-r2\n\nMS-Cxx66-xxxG1: Update to 63.8.0.5-r4\n\nMS-Cxx62-xxxG1: Update to 63.8.0.5-r4\n\nMS-Cxx72-xxxG1: Update to 63.8.0.5-r4\n\nMS-CQxx31-xxxG1: Update to CQ_63.8.0.5-r2\u00a0\n\nMS-CQxx68-xxxG1: Update to CQ_63.8.0.5-r2\n\nMS-CQxx72-xxxG1: Update to CQ_63.8.0.5-r2\n\nMS-Nxxxx-NxE: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxC: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxE: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxG: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxH: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxT: Update to 7x.9.0.19-r6\n\nPMC8266-FPE: Update to PO_61.8.0.4-r1\n\nPMC8266-FGPE: Update to PO_61.8.0.4-r1\n\nPM3322-E: Update to PI_61.8.0.3-r5\n\nTS4466-X4RIPG1: Update to T_63.8.0.4-r4\u00a0\n\nTS5366-X12RIPG1: Update to T_63.8.0.4-r4\n\nTS8266-X4RIPG1: Update to T_63.8.0.4-r4\n\nTS4466-X4RIVPG1: Update to T_63.8.0.4-r4\n\nTS4466-RFIVPG1: Update to T_63.8.0.4-r4\n\nTS8266-X4RIVPG1: Update to T_63.8.0.4-r4\n\nTS8266-RFIVPG1: Update to T_63.8.0.4-r4\n\nTS4466-X4RIWG1: Update to T_63.8.0.4-r4\n\nTS8266-X4RIWG1: Update to T_63.8.0.4-r4\n\nTS5510-GVH: Update to T_47.8.0.4-r8\n\nTS5510-GH: Update to T_47.8.0.4-r8\n\nTS5511-GVH: Update to T_47.8.0.4-r8\n\nTS2966-X12TPE: Update to T_61.8.0.4-r4\n\nTS4466-X4RPE: Update to T_61.8.0.4-r4\n\nTS5366-X12PE: Update to T_61.8.0.4-r4\n\nTS8266-X4PE: Update to T_61.8.0.4-r4\n\nTS2966-X12TVPE: Update to T_61.8.0.4-r4\n\nTS4466-X4RVPE: Update to T_61.8.0.4-r4\n\nTS5366-X12VPE: Update to T_61.8.0.4-r4\n\nTS8266-X4VPE: Update to T_61.8.0.4-r4\n\nTS4441-X36RPE: Update to T_61.8.0.4-r4\n\nTS4441-X36RE: Update to T_61.8.0.4-r4\n\nTS4466-X4RWE: Update to T_61.8.0.4-r4\n\nTS8266-X4WE: Update to T_61.8.0.4-r4\n\nMS-C2964-RFLPC: Update to T_45.8.0.3-r10\n\nMS-C2972-RFLPC: Update to T_45.8.0.3-r10\n\nMS-C2966-RFLWPC: Update to T_45.8.0.3-r10\n\nTS2866-X4TPC: Update to T_45.8.0.3-r10\n\nTS2866-X4TVPC: Update to T_45.8.0.3-r10\n\nTS2866-X4TGPC: Update to T_45.8.0.3-r10\n\nTS2841-X36TPC: Update to T_45.8.0.3-r10\n\nTS2841-X36TPC/W: Update to T_45.8.0.3-r10\n\nTS2867-X5TPC: Update to T_45.8.0.3-r10\n\nTS2961-X12TPC: Update to T_45.8.0.3-r10\n\nTS8266-FPC/P: Update to T_45.8.0.3-r10\n\nMS-C2966-X12RLPC: Update to T_45.8.0.3-r10\n\nMS-C2966-X12RLVPC: Update to T_45.8.0.3-r10\n\nMS-C5366-X12LPC: Update to T_45.8.0.3-r10\n\nMS-C5366-X12LVPC: Update to T_45.8.0.3-r10\n\nMS-C5361-X12LPC: Update to T_45.8.0.3-r10\n\nMS-Cxx66-xxxxGOPC: Update to 45.8.0.2-AIoT-r5\n\nSC211: Update to C_21.1.0.8-r5\n\nSP111: Update to 52.8.0.4-r6\n\nMS-Cxx66-RFIPKG1: Update to 63.8.0.5-r2-NX\n\nMS-Cxx72-RFIPKG1: Update to 63.8.0.5-r2-NX\n\nMS-Cxx66-FIPKG1: Update to 63.8.0.5-r2-NX\n\nMS-Cxx72-FIPKG1: Update to 63.8.0.5-r2-NX"
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMilesight asks all users to report potential security vulnerabilities to security@milesight.com.\u003cbr\u003e\u003ca href=\"mailto:security@milesight.com\"\u003emailto:security@milesight.com\u003c/a\u003e\u003cbr\u003eLearn more: Milesight Vulnerability Reporting Policy\u003cbr\u003e\u003ca href=\"https://www.milesight.com/legal/vulnerability-report\" title=\"(opens in a new window)\"\u003ehttps://www.milesight.com/legal/vulnerability-report\u003c/a\u003e\u003c/p\u003e"
            }
          ],
          "value": "Milesight asks all users to report potential security vulnerabilities to security@milesight.com.\n mailto:security@milesight.com \nLearn more: Milesight Vulnerability Reporting Policy\n https://www.milesight.com/legal/vulnerability-report"
        }
      ],
      "source": {
        "advisory": "ICSA-26-113-03",
        "discovery": "EXTERNAL"
      },
      "title": "Milesight Cameras Authorization Bypass Through User-Controlled Key",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-28747",
    "datePublished": "2026-04-27T22:44:52.012Z",
    "dateReserved": "2026-03-12T17:51:09.913Z",
    "dateUpdated": "2026-04-28T14:35:33.191Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28781 (GCVE-0-2026-28781)

Vulnerability from cvelistv5 – Published: 2026-03-04 16:31 – Updated: 2026-03-04 17:36
VLAI
Title
Craft Affected by Entries Authorship Spoofing via Mass Assignment
Summary
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
  • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
Impacted products
Vendor Product Version
craftcms cms Affected: >= 5.0.0-RC1, < 5.9.0-beta.1
Affected: >= 4.0.0-RC1, < 4.17.0-beta.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28781",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-04T17:36:36.759532Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-04T17:36:52.722Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "craftcms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0-RC1, \u003c 5.9.0-beta.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0-RC1, \u003c 4.17.0-beta.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with \"Create Entries\" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively \"spoofs\" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-04T16:31:39.357Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp"
        },
        {
          "name": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8"
        },
        {
          "name": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542"
        }
      ],
      "source": {
        "advisory": "GHSA-2xfc-g69j-x2mp",
        "discovery": "UNKNOWN"
      },
      "title": "Craft Affected by Entries Authorship Spoofing via Mass Assignment"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28781",
    "datePublished": "2026-03-04T16:31:39.357Z",
    "dateReserved": "2026-03-03T14:25:19.244Z",
    "dateUpdated": "2026-03-04T17:36:52.722Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28782 (GCVE-0-2026-28782)

Vulnerability from cvelistv5 – Published: 2026-03-04 16:36 – Updated: 2026-03-04 17:35
VLAI
Title
Craft has a Permission Bypass and IDOR in Duplicate Entry Action
Summary
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
craftcms cms Affected: >= 5.0.0-RC1, < 5.9.0-beta.1
Affected: >= 4.0.0-RC1, < 4.17.0-beta.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28782",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-04T17:34:53.312489Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-04T17:35:08.922Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "craftcms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0-RC1, \u003c 5.9.0-beta.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0-RC1, \u003c 4.17.0-beta.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the \"Duplicate\" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only \"View Entries\" permission (where the \"Duplicate\" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users\u0027 entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-04T16:36:49.511Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6"
        },
        {
          "name": "https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d"
        }
      ],
      "source": {
        "advisory": "GHSA-jxm3-pmm2-9gf6",
        "discovery": "UNKNOWN"
      },
      "title": "Craft has a Permission Bypass and IDOR in Duplicate Entry Action"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28782",
    "datePublished": "2026-03-04T16:36:49.511Z",
    "dateReserved": "2026-03-03T14:25:19.244Z",
    "dateUpdated": "2026-03-04T17:35:08.922Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28788 (GCVE-0-2026-28788)

Vulnerability from cvelistv5 – Published: 2026-03-26 23:38 – Updated: 2026-03-27 20:08
VLAI
Title
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite
Summary
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the `POST /api/v1/retrieval/process/files/batch` endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via `GET /api/v1/knowledge/{id}/files` and then overwrite those files, escalating from read to write. The overwritten content is served to the LLM via RAG, meaning the attacker controls what the model tells other users. Version 0.8.6 patches the issue.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
open-webui open-webui Affected: < 0.8.6
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28788",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T20:08:10.287390Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T20:08:17.320Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.8.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file\u0027s content by ID through the `POST /api/v1/retrieval/process/files/batch` endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via `GET /api/v1/knowledge/{id}/files` and then overwrite those files, escalating from read to write. The overwritten content is served to the LLM via RAG, meaning the attacker controls what the model tells other users. Version 0.8.6 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T23:38:20.726Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-jjp7-g2jw-wh3j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-jjp7-g2jw-wh3j"
        }
      ],
      "source": {
        "advisory": "GHSA-jjp7-g2jw-wh3j",
        "discovery": "UNKNOWN"
      },
      "title": "Open WebUI\u0027s process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28788",
    "datePublished": "2026-03-26T23:38:20.726Z",
    "dateReserved": "2026-03-03T14:25:19.244Z",
    "dateUpdated": "2026-03-27T20:08:17.320Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phase: Architecture and Design

Description:

  • For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation

Phases: Architecture and Design, Implementation

Description:

  • Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation

Phase: Architecture and Design

Description:

  • Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page