Skip to main content

N A EUVDEUVD-2026-17094

| CVE-2026-29597 MEDIUM
Improper Access Control (CWE-284)
2026-03-30 mitre GHSA-84pc-6j7w-65xg
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 16:00 euvd
EUVD-2026-17094
Analysis Generated
Mar 30, 2026 - 16:00 vuln.today
CVE Published
Mar 30, 2026 - 00:00 nvd
MEDIUM 6.5

DescriptionCVE.org

Incorrect access control in the file_details.asp endpoint of DDSN Interactive Acora CMS v10.7.1 allows attackers with editor privileges to access sensitive files via crafted requests.

AnalysisAI

Incorrect access control in the file_details.asp endpoint of DDSN Interactive Acora CMS version 10.7.1 permits authenticated users with editor privileges to access sensitive files through crafted requests, resulting in information disclosure. This vulnerability requires valid editor-level credentials and direct knowledge of the vulnerable endpoint, limiting but not eliminating real-world risk. No active exploitation or public proof-of-concept code has been independently confirmed at this time.

Technical ContextAI

The vulnerability exists in the file_details.asp server-side script endpoint, which appears to be part of the Acora CMS administrative interface. The root cause is an access control flaw (CWE category information disclosure via improper authorization) where the application fails to properly validate user permissions before returning sensitive file contents. The ASP (Active Server Pages) technology indicates this is a legacy or Windows-based CMS platform. The affected component processes file retrieval requests but does not enforce adequate privilege boundaries between different user roles, allowing editor-level users to bypass intended access restrictions on sensitive resources.

RemediationAI

Upgrade DDSN Interactive Acora CMS from version 10.7.1 to the next available patched release. No specific patch version number is documented in the provided references. In the interim, apply the following mitigating controls: (1) restrict editor role assignment to trusted administrators only; (2) implement network-level access controls to limit direct access to the /file_details.asp endpoint; (3) monitor access logs for suspicious requests to sensitive file paths; (4) review and validate user role assignments within the CMS. Consult the DDSN vendor advisory at http://ddsn.com and Acora documentation at http://acora.com for specific patch availability and upgrade instructions.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

EUVD-2026-17094 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy