CVE-2026-2860 (GCVE-0-2026-2860)
Vulnerability from cvelistv5 – Published: 2026-02-21 04:32 – Updated: 2026-02-24 15:37
VLAI?
Title
feng_ha_ha/megagao ssm-erp/production_ssm EmployeeController.java improper authorization
Summary
A security vulnerability has been detected in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. Impacted is an unknown function of the file EmployeeController.java. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.
Severity ?
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.347100 | vdb-entry |
| https://vuldb.com/?ctiid.347100 | signaturepermissions-required |
| https://vuldb.com/?submit.754494 | third-party-advisory |
| https://github.com/megagao/production_ssm/issues/36 | issue-tracking |
| https://github.com/megagao/production_ssm/issues/… | exploitissue-tracking |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| feng_ha_ha | ssm-erp |
Affected:
4288d53bd35757b27f2d070057aefb2c07bdd097
|
|
| feng_ha_ha | production_ssm |
Affected:
4288d53bd35757b27f2d070057aefb2c07bdd097
|
|
| megagao | ssm-erp |
Affected:
4288d53bd35757b27f2d070057aefb2c07bdd097
|
|
| megagao | production_ssm |
Affected:
4288d53bd35757b27f2d070057aefb2c07bdd097
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2860",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T15:36:51.853178Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T15:37:22.550Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ssm-erp",
"vendor": "feng_ha_ha",
"versions": [
{
"status": "affected",
"version": "4288d53bd35757b27f2d070057aefb2c07bdd097"
}
]
},
{
"product": "production_ssm",
"vendor": "feng_ha_ha",
"versions": [
{
"status": "affected",
"version": "4288d53bd35757b27f2d070057aefb2c07bdd097"
}
]
},
{
"product": "ssm-erp",
"vendor": "megagao",
"versions": [
{
"status": "affected",
"version": "4288d53bd35757b27f2d070057aefb2c07bdd097"
}
]
},
{
"product": "production_ssm",
"vendor": "megagao",
"versions": [
{
"status": "affected",
"version": "4288d53bd35757b27f2d070057aefb2c07bdd097"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Jszdk (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. Impacted is an unknown function of the file EmployeeController.java. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T04:32:06.851Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347100 | feng_ha_ha/megagao ssm-erp/production_ssm EmployeeController.java improper authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.347100"
},
{
"name": "VDB-347100 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347100"
},
{
"name": "Submit #754494 | https://github.com/megagao/production_ssm production_ssm v1.0 Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.754494"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/megagao/production_ssm/issues/36"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/megagao/production_ssm/issues/36#issue-3914626431"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-20T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-20T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-20T15:18:35.000Z",
"value": "VulDB entry last update"
}
],
"title": "feng_ha_ha/megagao ssm-erp/production_ssm EmployeeController.java improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-2860",
"datePublished": "2026-02-21T04:32:06.851Z",
"dateReserved": "2026-02-20T13:56:17.368Z",
"dateUpdated": "2026-02-24T15:37:22.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-2860",
"date": "2026-05-21",
"epss": "0.00018",
"percentile": "0.04751"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-2860\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2026-02-21T05:17:30.210\",\"lastModified\":\"2026-04-29T01:00:01.613\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A security vulnerability has been detected in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. Impacted is an unknown function of the file EmployeeController.java. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de seguridad ha sido detectada en feng_ha_ha/megagao ssm-erp y production_ssm hasta 4288d53bd35757b27f2d070057aefb2c07bdd097. Afectada es una funci\u00f3n desconocida del archivo EmployeeController.java. La manipulaci\u00f3n conduce a una autorizaci\u00f3n indebida. Es posible iniciar el ataque remotamente. El exploit ha sido divulgado p\u00fablicamente y puede ser utilizado. Este producto est\u00e1 utilizando una versi\u00f3n continua para proporcionar entrega continua. Por lo tanto, no hay detalles de versi\u00f3n disponibles para las versiones afectadas ni actualizadas. Este producto se distribuye bajo dos nombres completamente diferentes. El proyecto fue informado del problema tempranamente a trav\u00e9s de un informe de problema pero a\u00fan no ha respondido.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4}],\"cvssMetricV2\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-266\"},{\"lang\":\"en\",\"value\":\"CWE-285\"}]}],\"references\":[{\"url\":\"https://github.com/megagao/production_ssm/issues/36\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://github.com/megagao/production_ssm/issues/36#issue-3914626431\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?ctiid.347100\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?id.347100\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?submit.754494\",\"source\":\"cna@vuldb.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-2860\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-24T15:36:51.853178Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-24T15:37:15.811Z\"}}], \"cna\": {\"title\": \"feng_ha_ha/megagao ssm-erp/production_ssm EmployeeController.java improper authorization\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Jszdk (VulDB User)\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 6.5, \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR\"}}], \"affected\": [{\"vendor\": \"feng_ha_ha\", \"product\": \"ssm-erp\", \"versions\": [{\"status\": \"affected\", \"version\": \"4288d53bd35757b27f2d070057aefb2c07bdd097\"}]}, {\"vendor\": \"feng_ha_ha\", \"product\": \"production_ssm\", \"versions\": [{\"status\": \"affected\", \"version\": \"4288d53bd35757b27f2d070057aefb2c07bdd097\"}]}, {\"vendor\": \"megagao\", \"product\": \"ssm-erp\", \"versions\": [{\"status\": \"affected\", \"version\": \"4288d53bd35757b27f2d070057aefb2c07bdd097\"}]}, {\"vendor\": \"megagao\", \"product\": \"production_ssm\", \"versions\": [{\"status\": \"affected\", \"version\": \"4288d53bd35757b27f2d070057aefb2c07bdd097\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-02-20T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2026-02-20T01:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2026-02-20T15:18:35.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.347100\", \"name\": \"VDB-347100 | feng_ha_ha/megagao ssm-erp/production_ssm EmployeeController.java improper authorization\", \"tags\": [\"vdb-entry\"]}, {\"url\": \"https://vuldb.com/?ctiid.347100\", \"name\": \"VDB-347100 | CTI Indicators (IOB, IOC, TTP, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/?submit.754494\", \"name\": \"Submit #754494 | https://github.com/megagao/production_ssm production_ssm v1.0 Improper Access Controls\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/megagao/production_ssm/issues/36\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/megagao/production_ssm/issues/36#issue-3914626431\", \"tags\": [\"exploit\", \"issue-tracking\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A security vulnerability has been detected in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. Impacted is an unknown function of the file EmployeeController.java. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"Improper Authorization\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-266\", \"description\": \"Incorrect Privilege Assignment\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2026-02-21T04:32:06.851Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-2860\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-24T15:37:22.550Z\", \"dateReserved\": \"2026-02-20T13:56:17.368Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2026-02-21T04:32:06.851Z\", \"assignerShortName\": \"VulDB\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…