Skip to main content

Musetheque V4 IPKNOWLEDGE CVE-2026-28761

| EUVDEUVD-2026-30505 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-15 jpcert GHSA-626v-69jf-vxq8
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 15, 2026 - 06:30 vuln.today
CVSS changed
May 15, 2026 - 06:22 NVD
8.1 (HIGH) 8.5 (HIGH)
CVE Published
May 15, 2026 - 05:38 nvd
HIGH 8.5

DescriptionCVE.org

Cross-site request forgery vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. If a user views a malicious page while logged-in to the affected product, unexpected operations may be done.

AnalysisAI

Cross-site request forgery in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier enables remote attackers to execute unauthorized operations through victim's authenticated session via malicious web pages. Successful exploitation achieves high confidentiality and integrity impact without requiring attacker authentication. Reported by JPCERT to JVN, indicating likely targeting of Japanese enterprise deployments. No active exploitation (CISA KEV) or public POC identified at time of analysis.

Technical ContextAI

Fujitsu Musetheque V4 IPKNOWLEDGE is an enterprise information disclosure system. This vulnerability stems from CWE-352 (Cross-Site Request Forgery) - a failure to validate that state-changing requests originate from the legitimate application rather than attacker-controlled pages. CSRF attacks exploit the browser's automatic inclusion of authentication cookies with requests, allowing attackers to piggyback on a victim's authenticated session. The CVSS 4.0 vector confirms network-based attack (AV:N) with low complexity (AC:L) but requires user interaction (UI:A), typical of CSRF where the victim must visit a malicious page while authenticated. The high confidentiality and integrity impact (VC:H/VI:H) with no availability impact (VA:N) and no scope change (SC:N/SI:N/SA:N) indicates attackers can read sensitive information and modify data within the application's privilege boundary without causing system-wide disruption.

RemediationAI

Upgrade Musetheque V4 Information Disclosure for IPKNOWLEDGE to version later than V4L1 rev2203.0 per Fujitsu guidance in JVN advisory https://jvn.jp/en/jp/JVN69128376/ - exact patched revision number not specified in available data, consult Fujitsu support for current secure release. If immediate patching not feasible, implement anti-CSRF token validation on all state-changing operations as architectural control, though this requires application code modification and may not be deployable without vendor cooperation. Configure web application firewall rules to enforce HTTP Referer header validation, blocking requests originating from external domains, though this breaks legitimate cross-origin workflows and can be bypassed via Referer stripping. Deploy SameSite=Strict cookie attribute for session cookies to prevent browser from sending credentials with cross-site requests, though this may disrupt legitimate integrations requiring cross-site authentication and requires cookie configuration changes. Educate authenticated users to avoid clicking untrusted links while logged into Musetheque V4 and to log out when not actively using the system, reducing attack window but relying on human behavior compliance. All workarounds provide partial risk reduction only - vendor patch remains definitive remediation.

Share

CVE-2026-28761 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy