Severity by source
CVSS Vector (NVD): primary rating from NVD, the only source for this CVE.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A security vulnerability has been detected in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the component Administrative Endpoint. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Multiple endpoints are affected.
Analysis (AI)
Improper authorization across multiple administrative endpoints in SourceCodester Online Boat Reservation System 1.0 allows remote authenticated attackers with low-privilege accounts to bypass access controls and interact with admin-only functionality. The vulnerability, classified as broken access control (CWE-285), enables unauthorized reads, writes, and limited availability impact on restricted resources. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | The CVSS vector PR:L confirms that exploitation requires a valid low-privilege authenticated session: the attacker must possess or obtain a regular user account on the target application. … |
| Risk Assessment | The CVSS base score of 6.3 (Medium) reflects a balanced but real risk: network-reachable (AV:N), low attack complexity (AC:L), low privilege required (PR:L), no user interaction (UI:N), with limited confidentiality, integrity, and availability impact (VC:L/VI:L/VA:L). … |
| Exploit Scenario | An attacker registers or obtains a low-privilege user account on a publicly accessible deployment of the Online Boat Reservation System 1.0, then directly navigates to administrative endpoints (such as admin panel routes) without modifying session tokens or performing privilege escalation; the server processes the requests without enforcing role checks. Using the publicly available PoC as a guide, the attacker reads sensitive reservation data, modifies or deletes records, or alters system configuration, achieving limited but meaningful impact across confidentiality, integrity, and availability dimensions. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the CPE wildcard and the absence of a fixed-version advisory indicate SourceCodester has not published a corrective release. … |
Related identifiers: EUVD-2026-34058, GHSA-f493-gq25-5c5x