Skip to main content

Smart Parking System CVE-2026-10243

| EUVDEUVD-2026-33608 MEDIUM
Improper Authentication (CWE-287)
2026-06-01 cna@vuldb.com GHSA-p963-jch7-x2f5
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 09:34 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in code-projects Smart Parking System 1.0. Affected is an unknown function of the component Admin Endpoint. Such manipulation leads to missing authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Multiple endpoints are affected.

AnalysisAI

Remote unauthenticated access to multiple Admin Endpoints in code-projects Smart Parking System 1.0 allows attackers to bypass all authentication controls, gaining network-reachable read, write, and availability impact with no credentials or user interaction required. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote exploitation of a missing authentication gate - not a weak or bypassable one, but an entirely absent one across multiple admin functions. Publicly available exploit code exists per the E:P exploit maturity modifier and a referenced GitHub proof-of-concept repository, though no CISA KEV listing is present at time of analysis.

Technical ContextAI

Smart Parking System 1.0 is a PHP-based web application published by code-projects (https://code-projects.org/) for managing parking operations, including user administration and record management. The root cause is CWE-287 (Improper Authentication): the Admin Endpoint component processes requests without validating caller identity, meaning no session token, credential check, or access control gate is enforced on the affected routes. The CVSS 4.0 vector fields AT:N (no attack prerequisites) and PR:N (no privileges required) confirm that the flaw exists in default configurations without any special setup or existing account. Multiple admin endpoints are stated to be affected, broadening the exploitable surface area beyond a single function. No CPE string was provided in the source data, so exact endpoint paths must be inferred from the referenced proof-of-concept repository at https://github.com/Xmyronn/smart-parking-system-broken-access.git.

RemediationAI

No vendor-released patch has been identified at time of analysis for Smart Parking System 1.0; the source data contains no patch version, fix commit, or vendor advisory URL beyond the product homepage at https://code-projects.org/, which should be monitored for updates. As an immediate compensating control, restrict all admin-prefixed routes at the web server or perimeter firewall to trusted IP ranges only, eliminating the AV:N attack vector at the cost of remote admin convenience. As a secondary interim measure, add HTTP Basic Authentication at the web server layer (e.g., Apache .htaccess RequireValid-User or nginx auth_basic directives) in front of the admin directory - this imposes a credential gate without modifying application code, though it adds operational overhead and does not address the root CWE-287 flaw in the application itself. If the application is not actively serving production traffic, taking it offline entirely is the most effective risk reduction. Monitor VulDB entry https://vuldb.com/vuln/367521 and the vendor site for patch availability.

Share

CVE-2026-10243 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy