Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in code-projects Smart Parking System 1.0. Affected is an unknown function of the component Admin Endpoint. Such manipulation leads to missing authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Multiple endpoints are affected.
AnalysisAI
Remote unauthenticated access to multiple Admin Endpoints in code-projects Smart Parking System 1.0 allows attackers to bypass all authentication controls, gaining network-reachable read, write, and availability impact with no credentials or user interaction required. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote exploitation of a missing authentication gate - not a weak or bypassable one, but an entirely absent one across multiple admin functions. Publicly available exploit code exists per the E:P exploit maturity modifier and a referenced GitHub proof-of-concept repository, though no CISA KEV listing is present at time of analysis.
Technical ContextAI
Smart Parking System 1.0 is a PHP-based web application published by code-projects (https://code-projects.org/) for managing parking operations, including user administration and record management. The root cause is CWE-287 (Improper Authentication): the Admin Endpoint component processes requests without validating caller identity, meaning no session token, credential check, or access control gate is enforced on the affected routes. The CVSS 4.0 vector fields AT:N (no attack prerequisites) and PR:N (no privileges required) confirm that the flaw exists in default configurations without any special setup or existing account. Multiple admin endpoints are stated to be affected, broadening the exploitable surface area beyond a single function. No CPE string was provided in the source data, so exact endpoint paths must be inferred from the referenced proof-of-concept repository at https://github.com/Xmyronn/smart-parking-system-broken-access.git.
RemediationAI
No vendor-released patch has been identified at time of analysis for Smart Parking System 1.0; the source data contains no patch version, fix commit, or vendor advisory URL beyond the product homepage at https://code-projects.org/, which should be monitored for updates. As an immediate compensating control, restrict all admin-prefixed routes at the web server or perimeter firewall to trusted IP ranges only, eliminating the AV:N attack vector at the cost of remote admin convenience. As a secondary interim measure, add HTTP Basic Authentication at the web server layer (e.g., Apache .htaccess RequireValid-User or nginx auth_basic directives) in front of the admin directory - this imposes a credential gate without modifying application code, though it adds operational overhead and does not address the root CWE-287 flaw in the application itself. If the application is not actively serving production traffic, taking it offline entirely is the most effective risk reduction. Monitor VulDB entry https://vuldb.com/vuln/367521 and the vendor site for patch availability.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33608
GHSA-p963-jch7-x2f5