EUVD-2026-12216
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Description
A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
CVE-2026-4171 is an authorization bypass vulnerability in CodeGenieApp serverless-express affecting versions up to 4.17.1, where manipulation of the userId parameter in the API Endpoint component allows authenticated attackers to access or modify resources belonging to other users. A public proof-of-concept exploit exists, the vendor has not responded to early disclosure, and the vulnerability carries a CVSS score of 6.3 with exploitation rated as Probable (EPSS indicator); while not currently in CISA KEV, the combination of public POC availability and low attack complexity represents moderate real-world risk.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running CodeGenieApp serverless-express and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today