Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-9409

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-25 May, 2026 | 00:15
Updated At-26 May, 2026 | 14:38
Rejected At-
Credits

Sushmi-pal Invoice-System User Management user improper authorization

A flaw has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This affects an unknown part of the file /user of the component User Management Handler. This manipulation of the argument role causes improper authorization. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–ĽCommon Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:25 May, 2026 | 00:15
Updated At:26 May, 2026 | 14:38
Rejected At:
â–ĽCVE Numbering Authority (CNA)
Sushmi-pal Invoice-System User Management user improper authorization

A flaw has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This affects an unknown part of the file /user of the component User Management Handler. This manipulation of the argument role causes improper authorization. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Products
Vendor
Sushmi-pal
Product
Invoice-System
CPEs
  • cpe:2.3:a:sushmi-pal:invoice-system:*:*:*:*:*:*:*:*
Modules
  • User Management Handler
Versions
Affected
  • a0a3faa16dee2621b231ae227333f5761607283b
Problem Types
TypeCWE IDDescription
CWECWE-285Improper Authorization
CWECWE-266Incorrect Privilege Assignment
Type: CWE
CWE ID: CWE-285
Description: Improper Authorization
Type: CWE
CWE ID: CWE-266
Description: Incorrect Privilege Assignment
Metrics
VersionBase scoreBase severityVector
4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
3.04.3MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
2.04.0N/A
AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
Version: 3.0
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
Version: 2.0
Base score: 4.0
Base severity: N/A
Vector:
AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
c4ttr4ck (VulDB User)
coordinator
VulDB CNA Team
Timeline
EventDate
Advisory disclosed2026-05-24 00:00:00
VulDB entry created2026-05-24 02:00:00
VulDB entry last update2026-05-24 08:38:13
Event: Advisory disclosed
Date: 2026-05-24 00:00:00
Event: VulDB entry created
Date: 2026-05-24 02:00:00
Event: VulDB entry last update
Date: 2026-05-24 08:38:13
Replaced By
Rejected Reason
References
HyperlinkResource
https://vuldb.com/vuln/365390
vdb-entry
technical-description
https://vuldb.com/vuln/365390/cti
signature
permissions-required
https://vuldb.com/submit/813605
third-party-advisory
https://gist.github.com/c4ttr4ck/c891dd0fa550e910a1724cbd96d93a80
exploit
Hyperlink: https://vuldb.com/vuln/365390
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/vuln/365390/cti
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/submit/813605
Resource:
third-party-advisory
Hyperlink: https://gist.github.com/c4ttr4ck/c891dd0fa550e910a1724cbd96d93a80
Resource:
exploit
â–ĽAuthorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–ĽNational Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:25 May, 2026 | 02:16
Updated At:25 May, 2026 | 02:16

A flaw has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This affects an unknown part of the file /user of the component User Management Handler. This manipulation of the argument role causes improper authorization. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.02.1LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Secondary2.04.0MEDIUM
AV:N/AC:L/Au:S/C:N/I:P/A:N
Type: Secondary
Version: 4.0
Base score: 2.1
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 2.0
Base score: 4.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:N/I:P/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-266Primarycna@vuldb.com
CWE-285Primarycna@vuldb.com
CWE ID: CWE-266
Type: Primary
Source: cna@vuldb.com
CWE ID: CWE-285
Type: Primary
Source: cna@vuldb.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://gist.github.com/c4ttr4ck/c891dd0fa550e910a1724cbd96d93a80cna@vuldb.com
N/A
https://vuldb.com/submit/813605cna@vuldb.com
N/A
https://vuldb.com/vuln/365390cna@vuldb.com
N/A
https://vuldb.com/vuln/365390/cticna@vuldb.com
N/A
Hyperlink: https://gist.github.com/c4ttr4ck/c891dd0fa550e910a1724cbd96d93a80
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/submit/813605
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/365390
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/365390/cti
Source: cna@vuldb.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

109Records found
CVE-2020-26183
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-6.8||MEDIUM
EPSS-0.12% / 31.18%
||
7 Day CHG~0.00%
Published-16 Oct, 2020 | 18:10
Updated-16 Sep, 2024 | 17:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC NetWorker versions prior to 19.3.0.2 contain an improper authorization vulnerability. Certain remote users with low privileges may exploit this vulnerability to perform 'nsrmmdbd' operations in an unintended manner.

Action-Not Available
Vendor-Dell Inc.
Product-emc_networkerNetWorker
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-552
Files or Directories Accessible to External Parties
CVE-2020-26182
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-6.8||MEDIUM
EPSS-0.13% / 31.65%
||
7 Day CHG~0.00%
Published-16 Oct, 2020 | 18:10
Updated-16 Sep, 2024 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC NetWorker versions prior to 19.3.0.2 contain an incorrect privilege assignment vulnerability. A non-LDAP remote user with low privileges may exploit this vulnerability to perform 'saveset' related operations in an unintended manner. The vulnerability is not exploitable by users authenticated via LDAP.

Action-Not Available
Vendor-Dell Inc.
Product-emc_networkerNetWorker
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-552
Files or Directories Accessible to External Parties
CVE-2021-22861
Matching Score-4
Assigner-GitHub, Inc. (Products Only)
ShareView Details
Matching Score-4
Assigner-GitHub, Inc. (Products Only)
CVSS Score-6.5||MEDIUM
EPSS-0.32% / 55.47%
||
7 Day CHG~0.00%
Published-03 Mar, 2021 | 03:25
Updated-03 Aug, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper access control in GitHub Enterprise Server leading to unauthorized write access to forkable repositories

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requests. An attacker would need to be able to fork the targeted repository, a setting that is disabled by default for organization owned private repositories. Branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability affected all versions of GitHub Enterprise Server since 2.4.21 and was fixed in versions 2.20.24, 2.21.15, 2.22.7 and 3.0.1. This vulnerability was reported via the GitHub Bug Bounty program.

Action-Not Available
Vendor-GitHub, Inc.
Product-githubGitHub Enterprise Server
CWE ID-CWE-285
Improper Authorization
CVE-2020-24403
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-2.7||LOW
EPSS-0.19% / 40.59%
||
7 Day CHG~0.00%
Published-09 Nov, 2020 | 00:39
Updated-16 Sep, 2024 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect permissions could lead to unauthorized modification of inventory source data via REST API

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API.

Action-Not Available
Vendor-magentoAdobe Inc.
Product-magentoMagento Commerce
CWE ID-CWE-285
Improper Authorization
CVE-2020-24405
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 24.66%
||
7 Day CHG~0.00%
Published-09 Nov, 2020 | 00:39
Updated-16 Sep, 2024 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect permissions in Inventory module could lead to unauthorized modification of inventory stock data

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions issue vulnerability in the Inventory module. This vulnerability could be abused by authenticated users to modify inventory stock data without authorization.

Action-Not Available
Vendor-magentoAdobe Inc.
Product-magentoMagento Commerce
CWE ID-CWE-285
Improper Authorization
CVE-2021-41308
Matching Score-4
Assigner-Atlassian
ShareView Details
Matching Score-4
Assigner-Atlassian
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 34.47%
||
7 Day CHG~0.00%
Published-26 Oct, 2021 | 04:15
Updated-09 Oct, 2024 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_software_data_centerjira_data_centerjiraJira ServerJira Data Center
CWE ID-CWE-285
Improper Authorization
CVE-2025-62401
Matching Score-4
Assigner-Fedora Project
ShareView Details
Matching Score-4
Assigner-Fedora Project
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 13.47%
||
7 Day CHG-0.00%
Published-23 Oct, 2025 | 11:29
Updated-14 Nov, 2025 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Moodle: possible to bypass timer in timed assignments

An issue in Moodle’s timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to complete an assessment.

Action-Not Available
Vendor-Moodle Pty Ltd
Product-moodle
CWE ID-CWE-285
Improper Authorization
CVE-2021-41313
Matching Score-4
Assigner-Atlassian
ShareView Details
Matching Score-4
Assigner-Atlassian
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 34.47%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 03:05
Updated-08 Oct, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint. The affected versions are before version 8.20.7.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_data_centerJira ServerJira Data Center
CWE ID-CWE-285
Improper Authorization
CVE-2025-48348
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.11%
||
7 Day CHG~0.00%
Published-28 Aug, 2025 | 12:37
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Site Offline plugin <= 1.5.7 - Broken Access Control vulnerability

Incorrect Privilege Assignment vulnerability in chandrashekharsahu Site Offline site-offline allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Site Offline: from n/a through <= 1.5.7.

Action-Not Available
Vendor-chandrashekharsahu
Product-Site Offline
CWE ID-CWE-266
Incorrect Privilege Assignment
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found