EUVD-2026-14337
GHSA-jqqr-rw2r-w5cx
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A security flaw has been discovered in MacCMS 2025.1000.4052. This affects an unknown part of the file application/api/controller/Timming.php of the component Timming API Endpoint. The manipulation results in missing authentication. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
AnalysisAI
MacCMS version 2025.1000.4052 contains a missing authentication vulnerability in the Timming API endpoint (application/api/controller/Timming.php). An unauthenticated remote attacker can access protected functionality, potentially leading to unauthorized data access, modification, or service disruption. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions — remote unauthenticated exploitation against MacCMS version 2025.1000.4052. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This vulnerability presents significant real-world risk based on multiple indicators. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a MacCMS installation through reconnaissance scanning and directly accesses the vulnerable Timming API endpoint at application/api/controller/Timming.php without providing any authentication credentials. Using the publicly available proof-of-concept exploit from GitHub, the attacker manipulates API parameters to read sensitive configuration data, modify scheduled tasks or timing configurations, or inject malicious commands that execute with the application's privileges. … |
| Remediation | Organizations running MacCMS 2025.1000.4052 should immediately investigate patch availability from the MacCMS vendor, though the CVSS Remediation Level flag (RL:X) indicates no official patch information is currently available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running MacCMS 2025.1000.4052 and assess their exposure; implement network-level access controls to restrict Timming API endpoint access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today