Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way.
Analysis (AI-generated)
Improper authorization (CWE-285) in macrozheng mall up to version 1.0.3 allows a network-reachable, authenticated attacker holding high privileges to perform unauthorized operations via the /admin/update/ Super Admin Password Handler endpoint. The intelligence tags this as an authentication bypass, suggesting that a higher-privileged admin role boundary can be crossed, potentially allowing one admin to manipulate super admin credentials beyond their authorized scope. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires an authenticated session with high-level admin credentials (confirmed by CVSS PR:H). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.7 (Medium) score is driven by a vector of AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L, meaning exploitation requires high-level privileges (PR:H), which reduces the realistic attacker pool to those who already hold admin credentials. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised or legitimately holds a standard admin-level account in the mall backend sends a crafted HTTP request to the /admin/update/ Super Admin Password Handler endpoint, exploiting the absent or bypassable authorization check to modify the super admin's password. With the super admin credential reset, the attacker gains full administrative control over the e-commerce platform, including access to customer data, order management, and further system configuration. |
| Remediation | No vendor-released patch has been identified at the time of analysis; the vendor deleted the GitHub issue without explanation and did not respond to the responsible disclosure contact. … Detailed patch versions, workarounds, and compensating controls in full report. |
Related advisories
EUVD-2026-33356
GHSA-cv9f-r9m5-v3ww