Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-28444 (GCVE-0-2026-28444)
Vulnerability from cvelistv5 – Published: 2026-05-22 16:00 – Updated: 2026-05-22 16:44
VLAI
EPSS
VEX
Title
Typebot: IDOR in Result Logs Endpoint Allows Cross-Workspace Data Disclosure
Summary
Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verifying that the result belongs to the authorized typebot, leading to IDOR. An authenticated attacker can supply their own typebotId alongside any victim's resultId to read execution logs from other workspaces, leaking sensitive data including HTTP response bodies, AI model outputs, and webhook payloads. Every other result-scoped endpoint in the same router properly validates that the resultId belongs to the authorized typebotId. This confirms the missing check is an oversight, not a design choice. This issue has been fixed in version 3.15.2.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/baptisteArno/typebot.io/securi… | x_refsource_CONFIRM |
| https://github.com/baptisteArno/typebot.io/commit… | x_refsource_MISC |
| https://github.com/baptisteArno/typebot.io/releas… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| baptisteArno | typebot.io |
Affected:
< 3.16.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T16:42:43.239389Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T16:44:17.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "typebot.io",
"vendor": "baptisteArno",
"versions": [
{
"status": "affected",
"version": "\u003c 3.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verifying that the result belongs to the authorized typebot, leading to IDOR. An authenticated attacker can supply their own typebotId alongside any victim\u0027s resultId to read execution logs from other workspaces, leaking sensitive data including HTTP response bodies, AI model outputs, and webhook payloads. Every other result-scoped endpoint in the same router properly validates that the resultId belongs to the authorized typebotId. This confirms the missing check is an oversight, not a design choice. This issue has been fixed in version 3.15.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T16:00:58.147Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-c63p-mqx5-75r7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-c63p-mqx5-75r7"
},
{
"name": "https://github.com/baptisteArno/typebot.io/commit/d82b2d47c86ae614a08d4073c669ca64442faff2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/baptisteArno/typebot.io/commit/d82b2d47c86ae614a08d4073c669ca64442faff2"
},
{
"name": "https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0"
}
],
"source": {
"advisory": "GHSA-c63p-mqx5-75r7",
"discovery": "UNKNOWN"
},
"title": "Typebot: IDOR in Result Logs Endpoint Allows Cross-Workspace Data Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28444",
"datePublished": "2026-05-22T16:00:58.147Z",
"dateReserved": "2026-02-27T15:54:05.140Z",
"dateUpdated": "2026-05-22T16:44:17.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28469 (GCVE-0-2026-28469)
Vulnerability from cvelistv5 – Published: 2026-03-05 21:59 – Updated: 2026-03-09 18:02
VLAI
EPSS
VEX
Title
OpenClaw < 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity
Summary
OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | vendor-advisory |
| https://github.com/openclaw/openclaw/commit/61d59… | patch |
| https://www.vulncheck.com/advisories/openclaw-cro… | third-party-advisory |
Impacted products
Date Public
2026-02-15 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28469",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T18:01:17.718430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T18:02:19.456Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/openclaw",
"product": "OpenClaw",
"vendor": "OpenClaw",
"versions": [
{
"lessThan": "2026.2.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "2026.2.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Vincent Koc (@vincentkoc)"
}
],
"datePublic": "2026-02-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.\u003c/p\u003e"
}
],
"value": "OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T16:38:21.343Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-rq6g-px6m-c248)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248"
},
{
"name": "Patch Commit",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e"
},
{
"name": "VulnCheck Advisory: OpenClaw \u003c 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OpenClaw \u003c 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-28469",
"datePublished": "2026-03-05T21:59:45.613Z",
"dateReserved": "2026-02-27T19:19:10.890Z",
"dateUpdated": "2026-03-09T18:02:19.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28503 (GCVE-0-2026-28503)
Vulnerability from cvelistv5 – Published: 2026-03-26 18:55 – Updated: 2026-03-27 13:58
VLAI
EPSS
VEX
Title
Tandoor Recipes has Cross-Space IDOR in SyncViewSet.query_synced_folder: missing space scoping on get_object_or_404
Summary
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the `SyncViewSet.query_synced_folder()` action in `cookbook/views/api.py` (line 903) fetches a Sync object using `get_object_or_404(Sync, pk=pk)` without including `space=request.space` in the filter. This allows an admin user in Space A to trigger sync operations (Dropbox/Nextcloud/Local import) on Sync configurations belonging to Space B, and view the resulting sync logs. Version 2.6.0 patches the issue.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/TandoorRecipes/recipes/securit… | x_refsource_CONFIRM |
| https://github.com/TandoorRecipes/recipes/release… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TandoorRecipes | recipes |
Affected:
< 2.6.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28503",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T13:47:43.517185Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T13:58:12.010Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "recipes",
"vendor": "TandoorRecipes",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the `SyncViewSet.query_synced_folder()` action in `cookbook/views/api.py` (line 903) fetches a Sync object using `get_object_or_404(Sync, pk=pk)` without including `space=request.space` in the filter. This allows an admin user in Space A to trigger sync operations (Dropbox/Nextcloud/Local import) on Sync configurations belonging to Space B, and view the resulting sync logs. Version 2.6.0 patches the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T18:55:53.094Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-6qpw-gwcq-68fv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-6qpw-gwcq-68fv"
},
{
"name": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0"
}
],
"source": {
"advisory": "GHSA-6qpw-gwcq-68fv",
"discovery": "UNKNOWN"
},
"title": "Tandoor Recipes has Cross-Space IDOR in SyncViewSet.query_synced_folder: missing space scoping on get_object_or_404"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28503",
"datePublished": "2026-03-26T18:55:53.094Z",
"dateReserved": "2026-02-27T20:57:47.709Z",
"dateUpdated": "2026-03-27T13:58:12.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28696 (GCVE-0-2026-28696)
Vulnerability from cvelistv5 – Published: 2026-03-04 16:21 – Updated: 2026-03-04 18:00
VLAI
EPSS
VEX
Title
Craft affected by IDOR via GraphQL @parseRefs
Summary
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/craftcms/cms/security/advisori… | x_refsource_CONFIRM |
| https://github.com/craftcms/cms/commit/4d98a07e47… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28696",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T18:00:48.225156Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T18:00:59.824Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.17.0-beta.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.9.0-beta.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T16:21:43.199Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj"
},
{
"name": "https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9"
}
],
"source": {
"advisory": "GHSA-7x43-mpfg-r9wj",
"discovery": "UNKNOWN"
},
"title": "Craft affected by IDOR via GraphQL @parseRefs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28696",
"datePublished": "2026-03-04T16:21:43.199Z",
"dateReserved": "2026-03-02T21:43:19.928Z",
"dateUpdated": "2026-03-04T18:00:59.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28736 (GCVE-0-2026-28736)
Vulnerability from cvelistv5 – Published: 2026-04-03 13:25 – Updated: 2026-04-03 14:54 Unsupported When Assigned
VLAI
EPSS
VEX
Title
Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix)
Summary
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mattermost-community/focalboard | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Focalboard |
Affected:
0 , ≤ 8.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28736",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T14:53:54.422014Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T14:54:37.869Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Focalboard",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Siam Thanat Hack Company Limited"
}
],
"descriptions": [
{
"lang": "en",
"value": "** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim\u0027s fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:25:53.399Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "Focalboard Repository (Unmaintained)",
"tags": [
"product"
],
"url": "https://github.com/mattermost-community/focalboard"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix)"
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-28736",
"datePublished": "2026-04-03T13:25:53.399Z",
"dateReserved": "2026-04-03T13:10:59.177Z",
"dateUpdated": "2026-04-03T14:54:37.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28740 (GCVE-0-2026-28740)
Vulnerability from cvelistv5 – Published: 2026-07-03 20:19 – Updated: 2026-07-07 16:58
VLAI
EPSS
VEX
Title
Gitea LFS object reuse bypasses Code-unit authorization
Summary
Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/go-gitea/gitea/security/adviso… | vendor-advisory |
| https://github.com/go-gitea/gitea/pull/38050 | patch |
| https://github.com/go-gitea/gitea/releases/tag/v1.26.3 | release-notes |
| https://blog.gitea.com/release-of-1.26.3-and-1.26.4/ | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Gitea | Gitea Open Source Git Server |
Affected:
0 , ≤ 1.26.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T13:47:46.184675Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T16:58:26.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Gitea Open Source Git Server",
"vendor": "Gitea",
"versions": [
{
"lessThanOrEqual": "1.26.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "m2hcz"
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T20:19:39.687Z",
"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
"shortName": "Gitea"
},
"references": [
{
"name": "GitHub Security Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-2m9v-5q2g-58vq"
},
{
"name": "GitHub Pull Request #38050",
"tags": [
"patch"
],
"url": "https://github.com/go-gitea/gitea/pull/38050"
},
{
"name": "Gitea v1.26.3 Release",
"tags": [
"release-notes"
],
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.26.3"
},
{
"name": "Gitea v1.26.4 Release Blog Post",
"tags": [
"release-notes"
],
"url": "https://blog.gitea.com/release-of-1.26.3-and-1.26.4/"
}
],
"title": "Gitea LFS object reuse bypasses Code-unit authorization",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
"assignerShortName": "Gitea",
"cveId": "CVE-2026-28740",
"datePublished": "2026-07-03T20:19:39.687Z",
"dateReserved": "2026-03-03T03:25:59.982Z",
"dateUpdated": "2026-07-07T16:58:26.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28747 (GCVE-0-2026-28747)
Vulnerability from cvelistv5 – Published: 2026-04-27 22:44 – Updated: 2026-04-28 14:35
VLAI
EPSS
VEX
Title
Milesight Cameras Authorization Bypass Through User-Controlled Key
Summary
A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras allows authorization to be bypassed.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
82 products
| Vendor | Product | Version | |
|---|---|---|---|
| Milesight | MS-Cxx63-PD |
Affected:
0 , ≤ 51.7.0.77-r12
(custom)
|
|
| Milesight | MS-Cxx64-xPD |
Affected:
0 , ≤ 51.7.0.77-r12
(custom)
|
|
| Milesight | MS-Cxx73-xPD |
Affected:
0 , ≤ 51.7.0.77-r12
(custom)
|
|
| Milesight | MS-Cxx75-xxPD |
Affected:
0 , ≤ 51.7.0.77-r12
(custom)
|
|
| Milesight | MS-Cxx83-xPD |
Affected:
0 , ≤ 51.7.0.77-r12
(custom)
|
|
| Milesight | MS-Cxx74-PA |
Affected:
0 , ≤ 3x.8.0.3-r11
(custom)
|
|
| Milesight | MS-C8477-HPG1 |
Affected:
0 , ≤ 63.8.0.4-r3
(custom)
|
|
| Milesight | MS-C8477-PC |
Affected:
0 , ≤ 48.8.0.4-r3
(custom)
|
|
| Milesight | MS-C5321-FPE |
Affected:
0 , ≤ 62.8.0.4-r5
(custom)
|
|
| Milesight | MS-Cxx72-xxxPE |
Affected:
0 , ≤ 61.8.0.5-r2
(custom)
|
|
| Milesight | MS-Cxx62-xxxPE |
Affected:
0 , ≤ 61.8.0.5-r2
(custom)
|
|
| Milesight | MS-Cxx52-xxxPE |
Affected:
0 , ≤ 61.8.0.5-r2
(custom)
|
|
| Milesight | MS-Cxx66-xxxPE |
Affected:
0 , ≤ 61.8.0.5-r2
(custom)
|
|
| Milesight | MS-Cxx66-xxxGPE |
Affected:
0 , ≤ 61.8.0.5-r2
(custom)
|
|
| Milesight | MS-Cxx61-xxxPE |
Affected:
0 , ≤ 61.8.0.5-r2
(custom)
|
|
| Milesight | MS-Cxx67-xxxPE |
Affected:
0 , ≤ 61.8.0.5-r2
(custom)
|
|
| Milesight | MS-Cxx71-xxxPE |
Affected:
0 , ≤ 61.8.0.5-r2
(custom)
|
|
| Milesight | MS-Cxx41-xxxPE |
Affected:
0 , ≤ 61.8.0.5-r2
(custom)
|
|
| Milesight | MS-Cxx76-PE |
Affected:
0 , ≤ 61.8.0.5-r2
(custom)
|
|
| Milesight | MS-Cxx65-PE |
Affected:
0 , ≤ 61.8.0.5-r2
(custom)
|
|
| Milesight | MS-Cxx66-xxxG1 |
Affected:
0 , ≤ 63.8.0.5-r3
(custom)
|
|
| Milesight | MS-Cxx62-xxxG1 |
Affected:
0 , ≤ 63.8.0.5-r3
(custom)
|
|
| Milesight | MS-Cxx72-xxxG1 |
Affected:
0 , ≤ 63.8.0.5-r3
(custom)
|
|
| Milesight | MS-CQxx31-xxxG1 |
Affected:
0 , ≤ CQ_63.8.0.5-r1
(custom)
|
|
| Milesight | MS-CQxx68-xxxG1 |
Affected:
0 , ≤ CQ_63.8.0.5-r1
(custom)
|
|
| Milesight | MS-CQxx72-xxxG1 |
Affected:
0 , ≤ CQ_63.8.0.5-r1
(custom)
|
|
| Milesight | MS-Nxxxx-NxE |
Affected:
0 , ≤ 7x.9.0.19-r5
(custom)
|
|
| Milesight | MS-Nxxxx-xxC |
Affected:
0 , ≤ 7x.9.0.19-r5
(custom)
|
|
| Milesight | MS-Nxxxx-xxE |
Affected:
0 , ≤ 7x.9.0.19-r5
(custom)
|
|
| Milesight | MS-Nxxxx-xxG |
Affected:
0 , ≤ 7x.9.0.19-r5
(custom)
|
|
| Milesight | MS-Nxxxx-xxH |
Affected:
0 , ≤ 7x.9.0.19-r5
(custom)
|
|
| Milesight | MS-Nxxxx-xxT |
Affected:
0 , ≤ 7x.9.0.19-r5
(custom)
|
|
| Milesight | PMC8266-FPE |
Affected:
0 , ≤ PO_61.8.0.4_LPR
(custom)
|
|
| Milesight | PMC8266-FGPE |
Affected:
0 , ≤ PO_61.8.0.4_LPR
(custom)
|
|
| Milesight | PM3322-E |
Affected:
0 , ≤ PI_61.8.0.3_LPR-r3
(custom)
|
|
| Milesight | TS4466-X4RIPG1 |
Affected:
0 , ≤ T_63.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS5366-X12RIPG1 |
Affected:
0 , ≤ T_63.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS8266-X4RIPG1 |
Affected:
0 , ≤ T_63.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS4466-X4RIVPG1 |
Affected:
0 , ≤ T_63.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS4466-RFIVPG1 |
Affected:
0 , ≤ T_63.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS8266-X4RIVPG1 |
Affected:
0 , ≤ T_63.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS8266-RFIVPG1 |
Affected:
0 , ≤ T_63.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS4466-X4RIWG1 |
Affected:
0 , ≤ T_63.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS8266-X4RIWG1 |
Affected:
0 , ≤ T_63.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS5510-GVH |
Affected:
0 , ≤ T_47.8.0.4_LPR-r7
(custom)
|
|
| Milesight | TS5510-GH |
Affected:
0 , ≤ T_47.8.0.4_LPR-r6
(custom)
|
|
| Milesight | TS5511-GVH |
Affected:
0 , ≤ T_47.8.0.4_LPR-r6
(custom)
|
|
| Milesight | TS2966-X12TPE |
Affected:
0 , ≤ T_61.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS4466-X4RPE |
Affected:
0 , ≤ T_61.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS5366-X12PE |
Affected:
0 , ≤ T_61.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS8266-X4PE |
Affected:
0 , ≤ T_61.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS2966-X12TVPE |
Affected:
0 , ≤ T_61.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS4466-X4RVPE |
Affected:
0 , ≤ T_61.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS5366-X12VPE |
Affected:
0 , ≤ T_61.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS8266-X4VPE |
Affected:
0 , ≤ T_61.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS4441-X36RPE |
Affected:
0 , ≤ T_61.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS4441-X36RE |
Affected:
0 , ≤ T_61.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS4466-X4RWE |
Affected:
0 , ≤ T_61.8.0.4_LPR-r3
(custom)
|
|
| Milesight | TS8266-X4WE |
Affected:
0 , ≤ T_61.8.0.4_LPR-r3
(custom)
|
|
| Milesight | MS-C2964-RFLPC |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | MS-C2972-RFLPC |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | MS-C2966-RFLWPC |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | TS2866-X4TPC |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | TS2866-X4TVPC |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | TS2866-X4TGPC |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | TS2841-X36TPC |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | TS2841-X36TPC/W |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | TS2867-X5TPC |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | TS2961-X12TPC |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | TS8266-FPC/P |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | MS-C2966-X12RLPC |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | MS-C2966-X12RLVPC |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | MS-C5366-X12LPC |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | MS-C5366-X12LVPC |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | MS-C5361-X12LPC |
Affected:
0 , ≤ T_45.8.0.3-r9
(custom)
|
|
| Milesight | MS-Cxx66-xxxxGOPC |
Affected:
0 , ≤ 45.8.0.2-AIoT-r4
(custom)
|
|
| Milesight | SC211 |
Affected:
0 , ≤ C_21.1.0.8-r4
(custom)
|
|
| Milesight | SP111 |
Affected:
0 , ≤ 52.8.0.4-r5
(custom)
|
|
| Milesight | MS-Cxx66-RFIPKG1 |
Affected:
0 , ≤ 63.8.0.4-r1-NX
(custom)
|
|
| Milesight | MS-Cxx72-RFIPKG1 |
Affected:
0 , ≤ 63.8.0.4-r1-NX
(custom)
|
|
| Milesight | MS-Cxx66-FIPKG1 |
Affected:
0 , ≤ 63.8.0.4-r1-NX
(custom)
|
|
| Milesight | MS-Cxx72-FIPKG1 |
Affected:
0 , ≤ 63.8.0.4-r1-NX
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28747",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T13:40:48.550832Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T14:35:33.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MS-Cxx63-PD",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "51.7.0.77-r12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx64-xPD",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "51.7.0.77-r12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx73-xPD",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "51.7.0.77-r12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx75-xxPD",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "51.7.0.77-r12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx83-xPD",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "51.7.0.77-r12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx74-PA",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "3x.8.0.3-r11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-C8477-HPG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "63.8.0.4-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-C8477-PC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "48.8.0.4-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-C5321-FPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "62.8.0.4-r5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx72-xxxPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "61.8.0.5-r2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx62-xxxPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "61.8.0.5-r2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx52-xxxPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "61.8.0.5-r2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx66-xxxPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "61.8.0.5-r2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx66-xxxGPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "61.8.0.5-r2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx61-xxxPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "61.8.0.5-r2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx67-xxxPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "61.8.0.5-r2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx71-xxxPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "61.8.0.5-r2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx41-xxxPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "61.8.0.5-r2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx76-PE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "61.8.0.5-r2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx65-PE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "61.8.0.5-r2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx66-xxxG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "63.8.0.5-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx62-xxxG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "63.8.0.5-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx72-xxxG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "63.8.0.5-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-CQxx31-xxxG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "CQ_63.8.0.5-r1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-CQxx68-xxxG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "CQ_63.8.0.5-r1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-CQxx72-xxxG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "CQ_63.8.0.5-r1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Nxxxx-NxE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "7x.9.0.19-r5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Nxxxx-xxC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "7x.9.0.19-r5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Nxxxx-xxE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "7x.9.0.19-r5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Nxxxx-xxG",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "7x.9.0.19-r5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Nxxxx-xxH",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "7x.9.0.19-r5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Nxxxx-xxT",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "7x.9.0.19-r5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PMC8266-FPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "PO_61.8.0.4_LPR",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PMC8266-FGPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "PO_61.8.0.4_LPR",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PM3322-E",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "PI_61.8.0.3_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS4466-X4RIPG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_63.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS5366-X12RIPG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_63.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS8266-X4RIPG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_63.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS4466-X4RIVPG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_63.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS4466-RFIVPG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_63.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS8266-X4RIVPG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_63.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS8266-RFIVPG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_63.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS4466-X4RIWG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_63.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS8266-X4RIWG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_63.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS5510-GVH",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_47.8.0.4_LPR-r7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS5510-GH",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_47.8.0.4_LPR-r6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS5511-GVH",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_47.8.0.4_LPR-r6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS2966-X12TPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_61.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS4466-X4RPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_61.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS5366-X12PE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_61.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS8266-X4PE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_61.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS2966-X12TVPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_61.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS4466-X4RVPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_61.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS5366-X12VPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_61.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS8266-X4VPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_61.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS4441-X36RPE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_61.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS4441-X36RE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_61.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS4466-X4RWE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_61.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS8266-X4WE",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_61.8.0.4_LPR-r3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-C2964-RFLPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-C2972-RFLPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-C2966-RFLWPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS2866-X4TPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS2866-X4TVPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS2866-X4TGPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS2841-X36TPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS2841-X36TPC/W",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS2867-X5TPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS2961-X12TPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TS8266-FPC/P",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-C2966-X12RLPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-C2966-X12RLVPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-C5366-X12LPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-C5366-X12LVPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-C5361-X12LPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "T_45.8.0.3-r9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx66-xxxxGOPC",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "45.8.0.2-AIoT-r4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "SC211",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "C_21.1.0.8-r4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "SP111",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "52.8.0.4-r5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx66-RFIPKG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "63.8.0.4-r1-NX",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx72-RFIPKG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "63.8.0.4-r1-NX",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx66-FIPKG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "63.8.0.4-r1-NX",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MS-Cxx72-FIPKG1",
"vendor": "Milesight",
"versions": [
{
"lessThanOrEqual": "63.8.0.4-r1-NX",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Souvik Kandar reported these vulnerabilities to CISA"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras allows authorization to be bypassed.\u0026nbsp;"
}
],
"value": "A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras allows authorization to be bypassed."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T23:31:53.318Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json"
},
{
"url": "https://www.milesight.com/support/download/firmware"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMilesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware.\u0026nbsp;\u003cbr\u003e\u003ca href=\"https://www.milesight.com/support/download/firmware\" title=\"(opens in a new window)\"\u003ehttps://www.milesight.com/support/download/firmware\u003c/a\u003e\u003c/p\u003e\u003cp\u003eMS-Cxx63-PD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx64-xPD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx73-xPD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx75-xxPD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx83-xPD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx74-PA: Update to 3x.8.0.3-r13\u003c/p\u003e\u003cp\u003eMS-C8477-HPG1: Update to 63.8.0.4-r4\u003c/p\u003e\u003cp\u003e\u0026nbsp;MS-C8477-PC: Update to 48.8.0.4-r4\u003c/p\u003e\u003cp\u003eMS-C5321-FPE: Update to 62.8.0.4-r6\u003c/p\u003e\u003cp\u003eMS-Cxx72-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx62-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx52-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx66-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx66-xxxGPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx61-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx67-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx71-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx41-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx76-PE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx65-PE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx66-xxxG1: Update to 63.8.0.5-r4\u003c/p\u003e\u003cp\u003eMS-Cxx62-xxxG1: Update to 63.8.0.5-r4\u003c/p\u003e\u003cp\u003eMS-Cxx72-xxxG1: Update to 63.8.0.5-r4\u003c/p\u003e\u003cp\u003eMS-CQxx31-xxxG1: Update to CQ_63.8.0.5-r2\u0026nbsp;\u003c/p\u003e\u003cp\u003eMS-CQxx68-xxxG1: Update to CQ_63.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-CQxx72-xxxG1: Update to CQ_63.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Nxxxx-NxE: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxC: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxE: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxG: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxH: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxT: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003ePMC8266-FPE: Update to PO_61.8.0.4-r1\u003c/p\u003e\u003cp\u003ePMC8266-FGPE: Update to PO_61.8.0.4-r1\u003c/p\u003e\u003cp\u003ePM3322-E: Update to PI_61.8.0.3-r5\u003c/p\u003e\u003cp\u003eTS4466-X4RIPG1: Update to T_63.8.0.4-r4\u0026nbsp;\u003c/p\u003e\u003cp\u003eTS5366-X12RIPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4RIPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RIVPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-RFIVPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4RIVPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-RFIVPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RIWG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4RIWG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS5510-GVH: Update to T_47.8.0.4-r8\u003c/p\u003e\u003cp\u003eTS5510-GH: Update to T_47.8.0.4-r8\u003c/p\u003e\u003cp\u003eTS5511-GVH: Update to T_47.8.0.4-r8\u003c/p\u003e\u003cp\u003eTS2966-X12TPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS5366-X12PE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4PE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS2966-X12TVPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RVPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS5366-X12VPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4VPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4441-X36RPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4441-X36RE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RWE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4WE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eMS-C2964-RFLPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C2972-RFLPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C2966-RFLWPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2866-X4TPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2866-X4TVPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2866-X4TGPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2841-X36TPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2841-X36TPC/W: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2867-X5TPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2961-X12TPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS8266-FPC/P: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C2966-X12RLPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C2966-X12RLVPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C5366-X12LPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C5366-X12LVPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C5361-X12LPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-Cxx66-xxxxGOPC: Update to 45.8.0.2-AIoT-r5\u003c/p\u003e\u003cp\u003eSC211: Update to C_21.1.0.8-r5\u003c/p\u003e\u003cp\u003eSP111: Update to 52.8.0.4-r6\u003c/p\u003e\u003cp\u003eMS-Cxx66-RFIPKG1: Update to 63.8.0.5-r2-NX\u003c/p\u003e\u003cp\u003eMS-Cxx72-RFIPKG1: Update to 63.8.0.5-r2-NX\u003c/p\u003e\u003cp\u003eMS-Cxx66-FIPKG1: Update to 63.8.0.5-r2-NX\u003c/p\u003e\u003cp\u003eMS-Cxx72-FIPKG1: Update to 63.8.0.5-r2-NX\u003c/p\u003e"
}
],
"value": "Milesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware.\u00a0\n https://www.milesight.com/support/download/firmware \n\nMS-Cxx63-PD: Update to 51.7.0.77-r13\n\nMS-Cxx64-xPD: Update to 51.7.0.77-r13\n\nMS-Cxx73-xPD: Update to 51.7.0.77-r13\n\nMS-Cxx75-xxPD: Update to 51.7.0.77-r13\n\nMS-Cxx83-xPD: Update to 51.7.0.77-r13\n\nMS-Cxx74-PA: Update to 3x.8.0.3-r13\n\nMS-C8477-HPG1: Update to 63.8.0.4-r4\n\n\u00a0MS-C8477-PC: Update to 48.8.0.4-r4\n\nMS-C5321-FPE: Update to 62.8.0.4-r6\n\nMS-Cxx72-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx62-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx52-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx66-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx66-xxxGPE: Update to 61.8.0.5-r2\n\nMS-Cxx61-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx67-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx71-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx41-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx76-PE: Update to 61.8.0.5-r2\n\nMS-Cxx65-PE: Update to 61.8.0.5-r2\n\nMS-Cxx66-xxxG1: Update to 63.8.0.5-r4\n\nMS-Cxx62-xxxG1: Update to 63.8.0.5-r4\n\nMS-Cxx72-xxxG1: Update to 63.8.0.5-r4\n\nMS-CQxx31-xxxG1: Update to CQ_63.8.0.5-r2\u00a0\n\nMS-CQxx68-xxxG1: Update to CQ_63.8.0.5-r2\n\nMS-CQxx72-xxxG1: Update to CQ_63.8.0.5-r2\n\nMS-Nxxxx-NxE: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxC: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxE: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxG: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxH: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxT: Update to 7x.9.0.19-r6\n\nPMC8266-FPE: Update to PO_61.8.0.4-r1\n\nPMC8266-FGPE: Update to PO_61.8.0.4-r1\n\nPM3322-E: Update to PI_61.8.0.3-r5\n\nTS4466-X4RIPG1: Update to T_63.8.0.4-r4\u00a0\n\nTS5366-X12RIPG1: Update to T_63.8.0.4-r4\n\nTS8266-X4RIPG1: Update to T_63.8.0.4-r4\n\nTS4466-X4RIVPG1: Update to T_63.8.0.4-r4\n\nTS4466-RFIVPG1: Update to T_63.8.0.4-r4\n\nTS8266-X4RIVPG1: Update to T_63.8.0.4-r4\n\nTS8266-RFIVPG1: Update to T_63.8.0.4-r4\n\nTS4466-X4RIWG1: Update to T_63.8.0.4-r4\n\nTS8266-X4RIWG1: Update to T_63.8.0.4-r4\n\nTS5510-GVH: Update to T_47.8.0.4-r8\n\nTS5510-GH: Update to T_47.8.0.4-r8\n\nTS5511-GVH: Update to T_47.8.0.4-r8\n\nTS2966-X12TPE: Update to T_61.8.0.4-r4\n\nTS4466-X4RPE: Update to T_61.8.0.4-r4\n\nTS5366-X12PE: Update to T_61.8.0.4-r4\n\nTS8266-X4PE: Update to T_61.8.0.4-r4\n\nTS2966-X12TVPE: Update to T_61.8.0.4-r4\n\nTS4466-X4RVPE: Update to T_61.8.0.4-r4\n\nTS5366-X12VPE: Update to T_61.8.0.4-r4\n\nTS8266-X4VPE: Update to T_61.8.0.4-r4\n\nTS4441-X36RPE: Update to T_61.8.0.4-r4\n\nTS4441-X36RE: Update to T_61.8.0.4-r4\n\nTS4466-X4RWE: Update to T_61.8.0.4-r4\n\nTS8266-X4WE: Update to T_61.8.0.4-r4\n\nMS-C2964-RFLPC: Update to T_45.8.0.3-r10\n\nMS-C2972-RFLPC: Update to T_45.8.0.3-r10\n\nMS-C2966-RFLWPC: Update to T_45.8.0.3-r10\n\nTS2866-X4TPC: Update to T_45.8.0.3-r10\n\nTS2866-X4TVPC: Update to T_45.8.0.3-r10\n\nTS2866-X4TGPC: Update to T_45.8.0.3-r10\n\nTS2841-X36TPC: Update to T_45.8.0.3-r10\n\nTS2841-X36TPC/W: Update to T_45.8.0.3-r10\n\nTS2867-X5TPC: Update to T_45.8.0.3-r10\n\nTS2961-X12TPC: Update to T_45.8.0.3-r10\n\nTS8266-FPC/P: Update to T_45.8.0.3-r10\n\nMS-C2966-X12RLPC: Update to T_45.8.0.3-r10\n\nMS-C2966-X12RLVPC: Update to T_45.8.0.3-r10\n\nMS-C5366-X12LPC: Update to T_45.8.0.3-r10\n\nMS-C5366-X12LVPC: Update to T_45.8.0.3-r10\n\nMS-C5361-X12LPC: Update to T_45.8.0.3-r10\n\nMS-Cxx66-xxxxGOPC: Update to 45.8.0.2-AIoT-r5\n\nSC211: Update to C_21.1.0.8-r5\n\nSP111: Update to 52.8.0.4-r6\n\nMS-Cxx66-RFIPKG1: Update to 63.8.0.5-r2-NX\n\nMS-Cxx72-RFIPKG1: Update to 63.8.0.5-r2-NX\n\nMS-Cxx66-FIPKG1: Update to 63.8.0.5-r2-NX\n\nMS-Cxx72-FIPKG1: Update to 63.8.0.5-r2-NX"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMilesight asks all users to report potential security vulnerabilities to security@milesight.com.\u003cbr\u003e\u003ca href=\"mailto:security@milesight.com\"\u003emailto:security@milesight.com\u003c/a\u003e\u003cbr\u003eLearn more: Milesight Vulnerability Reporting Policy\u003cbr\u003e\u003ca href=\"https://www.milesight.com/legal/vulnerability-report\" title=\"(opens in a new window)\"\u003ehttps://www.milesight.com/legal/vulnerability-report\u003c/a\u003e\u003c/p\u003e"
}
],
"value": "Milesight asks all users to report potential security vulnerabilities to security@milesight.com.\n mailto:security@milesight.com \nLearn more: Milesight Vulnerability Reporting Policy\n https://www.milesight.com/legal/vulnerability-report"
}
],
"source": {
"advisory": "ICSA-26-113-03",
"discovery": "EXTERNAL"
},
"title": "Milesight Cameras Authorization Bypass Through User-Controlled Key",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-28747",
"datePublished": "2026-04-27T22:44:52.012Z",
"dateReserved": "2026-03-12T17:51:09.913Z",
"dateUpdated": "2026-04-28T14:35:33.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28781 (GCVE-0-2026-28781)
Vulnerability from cvelistv5 – Published: 2026-03-04 16:31 – Updated: 2026-03-04 17:36
VLAI
EPSS
VEX
Title
Craft Affected by Entries Authorship Spoofing via Mass Assignment
Summary
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/craftcms/cms/security/advisori… | x_refsource_CONFIRM |
| https://github.com/craftcms/cms/commit/830b403870… | x_refsource_MISC |
| https://github.com/craftcms/cms/commit/c6dcbdffaf… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28781",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T17:36:36.759532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T17:36:52.722Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.9.0-beta.1"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.17.0-beta.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with \"Create Entries\" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively \"spoofs\" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T16:31:39.357Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp"
},
{
"name": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8"
},
{
"name": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542"
}
],
"source": {
"advisory": "GHSA-2xfc-g69j-x2mp",
"discovery": "UNKNOWN"
},
"title": "Craft Affected by Entries Authorship Spoofing via Mass Assignment"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28781",
"datePublished": "2026-03-04T16:31:39.357Z",
"dateReserved": "2026-03-03T14:25:19.244Z",
"dateUpdated": "2026-03-04T17:36:52.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28782 (GCVE-0-2026-28782)
Vulnerability from cvelistv5 – Published: 2026-03-04 16:36 – Updated: 2026-03-04 17:35
VLAI
EPSS
VEX
Title
Craft has a Permission Bypass and IDOR in Duplicate Entry Action
Summary
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/craftcms/cms/security/advisori… | x_refsource_CONFIRM |
| https://github.com/craftcms/cms/commit/fb61a91357… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28782",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T17:34:53.312489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T17:35:08.922Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.9.0-beta.1"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.17.0-beta.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the \"Duplicate\" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only \"View Entries\" permission (where the \"Duplicate\" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users\u0027 entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T16:36:49.511Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6"
},
{
"name": "https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d"
}
],
"source": {
"advisory": "GHSA-jxm3-pmm2-9gf6",
"discovery": "UNKNOWN"
},
"title": "Craft has a Permission Bypass and IDOR in Duplicate Entry Action"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28782",
"datePublished": "2026-03-04T16:36:49.511Z",
"dateReserved": "2026-03-03T14:25:19.244Z",
"dateUpdated": "2026-03-04T17:35:08.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28788 (GCVE-0-2026-28788)
Vulnerability from cvelistv5 – Published: 2026-03-26 23:38 – Updated: 2026-03-27 20:08
VLAI
EPSS
VEX
Title
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite
Summary
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the `POST /api/v1/retrieval/process/files/batch` endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via `GET /api/v1/knowledge/{id}/files` and then overwrite those files, escalating from read to write. The overwritten content is served to the LLM via RAG, meaning the attacker controls what the model tells other users. Version 0.8.6 patches the issue.
Severity
7.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.8.6
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28788",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T20:08:10.287390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T20:08:17.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file\u0027s content by ID through the `POST /api/v1/retrieval/process/files/batch` endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via `GET /api/v1/knowledge/{id}/files` and then overwrite those files, escalating from read to write. The overwritten content is served to the LLM via RAG, meaning the attacker controls what the model tells other users. Version 0.8.6 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T23:38:20.726Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-jjp7-g2jw-wh3j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-jjp7-g2jw-wh3j"
}
],
"source": {
"advisory": "GHSA-jjp7-g2jw-wh3j",
"discovery": "UNKNOWN"
},
"title": "Open WebUI\u0027s process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28788",
"datePublished": "2026-03-26T23:38:20.726Z",
"dateReserved": "2026-03-03T14:25:19.244Z",
"dateUpdated": "2026-03-27T20:08:17.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Phase: Architecture and Design
Description:
- Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.