Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in vowelweb VW Pet Shop vw-pet-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Pet Shop: from n/a through <= 1.4.7.
AnalysisAI
VW Pet Shop through version 1.4.7 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data due to improperly configured access controls. An attacker can exploit this to alter information within the application without requiring authentication or user interaction. Currently, no patch is available for this vulnerability.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the VW Pet Shop application fails to properly validate that users have explicit permission to perform sensitive operations. The affected product is vowelweb VW Pet Shop (CPE identifier: cpe:2.3:a:vowelweb:vw_pet_shop), an e-commerce or pet management platform. The root cause appears to be inadequately configured security levels in authorization logic, likely affecting administrative or state-modifying endpoints. Rather than a protocol or cryptographic weakness, this is an application-layer authorization bypass where request validation mechanisms either don't exist or are circumvented by directly accessing protected resources without proper role-based or attribute-based access control checks.
RemediationAI
Immediately upgrade vowelweb VW Pet Shop to a version beyond 1.4.7 once a patched release is available from the vendor. Until patching is complete, implement network-level access controls to restrict access to VW Pet Shop to trusted internal networks or known IP ranges, and deploy a Web Application Firewall (WAF) with rules to block unauthorized access to sensitive endpoints identified in your application audit. Additionally, review and enforce strict role-based access control (RBAC) or attribute-based access control (ABAC) policies within the application configuration, and consider temporarily disabling or rate-limiting sensitive administrative endpoints if they are not actively required. Monitor application logs for unauthorized modification attempts and audit all recent changes to critical data to identify if the vulnerability was previously exploited.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11973