Skip to main content

Isp Billing Software EUVDEUVD-2026-16973

| CVE-2026-5031 LOW
Improper Control of Resource Identifiers ('Resource Injection') (CWE-99)
2026-03-29 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Mar 30, 2026 - 13:26 vuln.today
Public exploit code
EUVD ID Assigned
Mar 29, 2026 - 05:15 euvd
EUVD-2026-16973
Analysis Generated
Mar 29, 2026 - 05:15 vuln.today
CVE Published
Mar 29, 2026 - 04:30 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was found in BichitroGan ISP Billing Software 2025.3.20. Impacted is an unknown function of the file /?_route=settings/users-view/ of the component Endpoint. The manipulation of the argument ID results in improper control of resource identifiers. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

BichitroGan ISP Billing Software 2025.3.20 contains an improper resource identifier control vulnerability in the settings/users-view endpoint that allows authenticated remote attackers to disclose sensitive information via manipulation of the ID parameter. The vulnerability has a CVSS score of 4.3 with publicly available exploit code; the vendor has not responded to disclosure attempts.

Technical ContextAI

The vulnerability stems from CWE-99 (Improper Control of Resource Identifiers), a class of flaws where an application fails to properly validate or restrict access to resources based on user-supplied identifiers. In this case, the settings/users-view endpoint in BichitroGan ISP Billing Software accepts an ID parameter without adequate authorization checks, allowing an authenticated user to access or enumerate user information they should not have access to. The affected product is BichitroGan ISP Billing Software (CPE: cpe:2.3:a:bichitrogan:isp_billing_software), and the issue manifests in the web-facing component handling user management views, which typically requires knowledge of valid user identifiers to exploit but does not verify that the requestor has legitimate access to that specific user record.

RemediationAI

Contact BichitroGan for a patched version of ISP Billing Software addressing CWE-99 resource identifier validation. Until a vendor patch is available, implement access controls to restrict the settings/users-view endpoint to authorized administrators only, and review access logs for suspicious ID parameter manipulation attempts. Upgrade to the latest available version once released by the vendor. If the vendor remains unresponsive, consider implementing a web application firewall rule to block requests to /?_route=settings/users-view/ with suspicious or out-of-range ID parameters. Additional details and the public exploit are documented at https://github.com/4m3rr0r/PoCVulDb/issues/15 and https://vuldb.com/vuln/353953.

Share

EUVD-2026-16973 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy