Skip to main content

macrozheng mall CVE-2026-15186

| EUVDEUVD-2026-42585 LOW
Improper Control of Resource Identifiers ('Resource Injection') (CWE-99)
2026-07-09 VulDB GHSA-3gfq-rr85-4p5x
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-accessible IDOR requiring authenticated session (PR:L); low confidentiality and integrity impact on order records; no availability or scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
Jul 09, 2026 - 14:22 NVD
MEDIUM LOW
CVSS changed
Jul 09, 2026 - 14:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Jul 09, 2026 - 13:55 vuln.today

DescriptionCVE.org

A vulnerability was identified in macrozheng mall up to 1.0.3. This impacts an unknown function of the file /returnApply/create of the component Portal Endpoint. The manipulation of the argument orderId leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor deleted the GitHub issue for this vulnerability without any explanation.

AnalysisAI

Resource identifier manipulation in macrozheng mall up to 1.0.3 allows authenticated remote attackers to access or affect return-application records belonging to other users by substituting arbitrary orderId values in POST requests to /returnApply/create. The flaw is classified as CWE-99 (Improper Control of Resource Identifiers), consistent with an Insecure Direct Object Reference (IDOR) pattern in the Portal Endpoint. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid portal account
Delivery
Authenticate and obtain session token
Exploit
Enumerate or guess victim orderId values
Execution
Submit crafted POST to /returnApply/create with foreign orderId
Persist
Server processes request without ownership check
Impact
Access or manipulate victim order return data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session on the mall portal (PR:L per CVSS 4.0) - unauthenticated access is not sufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.3 (Medium) reflects a realistic assessment: network-accessible (AV:N), low complexity (AC:L), low privilege required (PR:L), no user interaction (UI:N), with low impact across confidentiality, integrity, and availability (VC:L/VI:L/VA:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated mall portal user with a valid session submits a POST request to /returnApply/create, replacing the orderId in the request body with the order identifier of another customer. Because the server does not verify orderId ownership, the return application is created or queried against the victim's order, potentially exposing order details (information disclosure) or submitting fraudulent return requests on the victim's behalf (integrity impact). …
Remediation No vendor-released patch has been identified at time of analysis - the GitHub issue was removed without a fix reference. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Mall

View all
CVE-2026-25858 CRITICAL
9.3 Feb 07

macrozheng mall e-commerce platform v1.0.3 has an authentication vulnerability in password reset enabling unauthorized a

CVE-2025-4119 MEDIUM
6.9 Apr 30

A vulnerability classified as critical was found in Weitong Mall 1.0.0. Rated medium severity (CVSS 6.9), this vulnerabi

CVE-2025-4118 MEDIUM
6.9 Apr 30

A vulnerability classified as critical has been found in Weitong Mall 1.0.0. Rated medium severity (CVSS 6.9), this vuln

CVE-2025-15118 LOW POC
2.1 Dec 28

Improper authorization in macrozheng mall up to version 1.0.3 allows authenticated remote attackers to modify member add

CVE-2025-8191 LOW POC
2.0 Jul 26

Cross-site scripting (XSS) in macrozheng mall up to version 1.0.3 allows authenticated remote attackers to inject malici

CVE-2026-10070 MEDIUM
5.1 May 29

Improper authorization (CWE-285) in macrozheng mall up to version 1.0.3 allows a network-reachable, high-privileged auth

CVE-2024-11619 LOW
2.3 Nov 22

A vulnerability, which was classified as problematic, has been found in macrozheng mall up to 1.0.3. Rated low severity

CVE-2025-9514 MEDIUM
6.3 Aug 27

A vulnerability has been found in macrozheng mall up to 1.0.3. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2025-8755 MEDIUM POC
5.5 Aug 09

A vulnerability was found in macrozheng mall up to 1.0.3 and classified as problematic.java of the component com.macro.m

CVE-2025-8742 MEDIUM POC
6.3 Aug 08

A vulnerability was found in macrozheng mall 1.0.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exp

Share

CVE-2026-15186 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy