Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
A network-reachable authorization bypass that requires only an existing low-privilege account (PR:L), with low attack complexity and no user interaction, yielding high confidentiality impact, low integrity impact and no availability impact.
Primary rating from Vendor (TR-CERT).
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Description (NVD)
Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.
Analysis (AI)
Improper access control in MIA Technology Inc. Pizzy Library versions 1.0.0.26250 through 1.3.9.26250 allows authenticated remote attackers to bypass authorization checks and access resources or actions outside their permission level. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must (1) hold valid credentials for at least a low-privilege account on the application using Pizzy Library (PR:L), (2) have network reachability to the library's exposed interface (AV:N), and (3) invoke the specific feature governed by the "incorrectly configured access control security levels" described by the vendor, i.e. an operation whose authorization decision depends on the misconfigured security-level check. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) describes a network-reachable, low-complexity flaw that requires low-privilege authentication and no user interaction, with high confidentiality impact, low integrity impact and no availability impact, consistent with an authorization bypass that primarily exposes data. … |
| Exploit Scenario | An attacker who holds any low-privilege account on an application embedding Pizzy Library authenticates normally and then issues a request for a resource or action whose authorization is governed by the misconfigured security level. Because the library does not properly enforce the intended tier separation, the request returns sensitive data belonging to higher-privileged users or tenants, which is the high-confidentiality, low-integrity outcome reflected in the CVSS vector. … |
| Remediation | An upstream fix is available; the version range "before 1.3.9.26250" indicates that 1.3.9.26250 is the first non-vulnerable release, so administrators should upgrade Pizzy Library to 1.3.9.26250 or later as obtained from MIA Technology Inc. … |
Recommended Action (AI)
24 hours: Create inventory of all systems and applications using Pizzy Library versions 1.0.0.26250-1.3.9.26250 across production and development environments. …
Weakness: CWE-284 – Improper Access Control
Technique: Authentication Bypass
EUVD-2026-36717
GHSA-q45q-8hg9-fpfw