Skip to main content

TOKO-ONLINE-ROTI CVE-2026-15491

| EUVDEUVD-2026-43213 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-07-12 VulDB GHSA-2w28-663r-qhcr
6.9
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Network-accessible unauthenticated access with low CIA impact and no scope change, directly mapping the CVSS 4.0 source vector to 3.1 equivalents.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 12, 2026 - 10:16 vuln.today

DescriptionCVE.org

A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. This affects an unknown part. This manipulation causes missing authentication. The attack is possible to be carried out remotely. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Missing authentication in RafyMrX TOKO-ONLINE-ROTI, an Indonesian online bakery shop management application, allows remote unauthenticated attackers to access restricted application functionality with low-level impact across confidentiality, integrity, and availability. All code through commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is affected, and no patch exists because the vendor did not respond to coordinated disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover internet-exposed TOKO-ONLINE-ROTI instance
Delivery
Identify unauthenticated application endpoint
Exploit
Send unauthenticated HTTP request
Execution
Access restricted application functionality
Impact
Read or modify application data

Vulnerability AssessmentAI

Exploitation The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no special conditions beyond network reachability of the application. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 (Medium) with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N reflects a network-exploitable missing authentication flaw with no prerequisite complexity or privileges, but with a low impact ceiling across all three CIA dimensions and no scope change to subsequent systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker scans for internet-exposed TOKO-ONLINE-ROTI instances and identifies an endpoint that processes requests without validating a session or token. The attacker sends a direct HTTP request to that endpoint, gaining access to order records, product data, or administrative functions, achieving low-level read and write impact. …
Remediation No vendor-released patch has been identified at time of analysis; the vendor did not respond to the disclosure submitted to VulDB (https://vuldb.com/cve/CVE-2026-15491), and no patched commit or tagged release has been confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy