Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible unauthenticated access with low CIA impact and no scope change, directly mapping the CVSS 4.0 source vector to 3.1 equivalents.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. This affects an unknown part. This manipulation causes missing authentication. The attack is possible to be carried out remotely. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Missing authentication in RafyMrX TOKO-ONLINE-ROTI, an Indonesian online bakery shop management application, allows remote unauthenticated attackers to access restricted application functionality with low-level impact across confidentiality, integrity, and availability. All code through commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is affected, and no patch exists because the vendor did not respond to coordinated disclosure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no special conditions beyond network reachability of the application. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.9 (Medium) with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N reflects a network-exploitable missing authentication flaw with no prerequisite complexity or privileges, but with a low impact ceiling across all three CIA dimensions and no scope change to subsequent systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker scans for internet-exposed TOKO-ONLINE-ROTI instances and identifies an endpoint that processes requests without validating a session or token. The attacker sends a direct HTTP request to that endpoint, gaining access to order records, product data, or administrative functions, achieving low-level read and write impact. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the vendor did not respond to the disclosure submitted to VulDB (https://vuldb.com/cve/CVE-2026-15491), and no patched commit or tagged release has been confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Toko Online Roti
View allSQL injection in RafyMrX TOKO-ONLINE-ROTI (up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99) allows remote unauthen
Authorization bypass in RafyMrX TOKO-ONLINE-ROTI allows a low-privileged remote attacker to manipulate the `kd_cs` param
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43213
GHSA-2w28-663r-qhcr