
macrozheng mall EUVD-2026-33356

CVE-2026-10070 · MEDIUM
Improper Authorization (CWE-285)
2026-05-29 · VulDB · GHSA-cv9f-r9m5-v3ww
5.1 · CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD), metric by metric

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: High (PR:H)
User Interaction: None (UI:N)
Vulnerable system impact: Confidentiality Low, Integrity Low, Availability Low (VC:L/VI:L/VA:L)
Subsequent system impact: None (SC:N/SI:N/SA:N)
Safety (S): Not defined (X). CVSS 4.0 has no Scope metric; the "S" position in the vector is the Safety supplemental metric, and all threat, environmental and supplemental metrics are left undefined here.

Lifecycle Timeline (2 events)

May 29, 2026 18:22 · NVD · CVSS changed: 4.7 (MEDIUM) -> 5.1 (MEDIUM)
May 29, 2026 17:56 · vuln.today · Analysis generated

Description (CVE.org)

A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way.

Analysis (AI-generated)

Improper authorization (CWE-285) in macrozheng mall up to version 1.0.3 lets a network-reachable attacker who already holds a high-privileged (admin) session perform operations on the /admin/update/ Super Admin Password Handler endpoint that its role should not permit. Although the intelligence tags the issue as an authentication bypass, the weakness is an authorization one: the handler evidently does not check that the caller is entitled to act on the target account, so an ordinary admin can cross the super admin role boundary and manipulate the super admin's credentials. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: obtain valid admin-level credentials via phishing or credential theft
  • Delivery: authenticate to the mall admin backend panel
  • Exploit: craft a request targeting the /admin/update/ endpoint
  • Execution: bypass the super admin authorization check
  • Persist: overwrite the super admin password with an attacker-controlled value
  • Impact: authenticate as super admin for full platform control
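The chain above ends with a non-super-admin account writing to the super admin's record, which is also the event a defender can look for. The following added example (written for this page; it is not part of the site's intelligence or of the mall project) shows the detection logic a SOC would run over access logs for that stage: it flags any POST/PUT/PATCH to /admin/update/<id> where the acting admin is not the target and does not hold the super-admin role, grading successful writes higher than rejected attempts. The key=value log layout, the role name SUPER_ADMIN and the super-admin account id 1 are assumptions, and the sample lines are constructed.

```python
"""Flag cross-account writes to /admin/update/<id> by non-super-admin actors.

Added detection example for this advisory; the log layout, role name and super-admin
account id are assumptions and the sample lines are constructed, not real traffic.
"""
import re
from dataclasses import dataclass

SUPER_ADMIN_ROLE = "SUPER_ADMIN"   # assumed role label in the access log
SUPER_ADMIN_IDS = {1}              # assumed id(s) of super-admin accounts

# Constructed sample access log (assumed key=value layout; adapt LINE_RE to your logs).
SAMPLE_LOG = """\
2026-05-29T18:20:11Z actor_id=7 role=ADMIN method=POST path=/admin/update/7 status=200
2026-05-29T18:21:03Z actor_id=7 role=ADMIN method=POST path=/admin/update/1 status=200
2026-05-29T18:21:40Z actor_id=1 role=SUPER_ADMIN method=POST path=/admin/update/7 status=200
2026-05-29T18:22:05Z actor_id=9 role=ADMIN method=PUT path=/admin/update/1/ status=403
2026-05-29T18:22:30Z actor_id=7 role=ADMIN method=GET path=/admin/update/1 status=200
not a log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor_id=(?P<actor>\d+) role=(?P<role>\S+) "
    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
TARGET_RE = re.compile(r"^/admin/update/(?P<target>\d+)/?$")
WRITE_METHODS = {"POST", "PUT", "PATCH"}


@dataclass(frozen=True)
class Alert:
    ts: str
    actor: int
    target: int
    status: int
    severity: str   # "high" = write succeeded, "medium" = attempt was rejected
    reason: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text):
    """Scan log text and return alerts for privilege-boundary crossings on /admin/update/."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue                      # unparsable or read-only request
        t = TARGET_RE.match(rec["path"])
        if t is None:
            continue                      # not the update endpoint
        actor, target = int(rec["actor"]), int(t["target"])
        status = int(rec["status"])
        if actor == target:
            continue                      # self-service change: expected behaviour
        if rec["role"] == SUPER_ADMIN_ROLE:
            continue                      # super admin managing another account: in scope
        reason = "non-super-admin wrote to another admin account"
        if target in SUPER_ADMIN_IDS:
            reason = "non-super-admin wrote to a super-admin account"
        severity = "high" if status < 400 else "medium"
        alerts.append(Alert(rec["ts"], actor, target, status, severity, reason))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} actor={a.actor} target={a.target} "
              f"status={a.status}: {a.reason}")
```

Rejected attempts are still reported, at lower severity, because a 403 against the super admin's id from a regular admin is a reconnaissance signal even when the application happens to block it; a successful write to that id from a non-super-admin should be treated as a confirmed credential compromise and followed by a super-admin password rotation.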

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires an authenticated session with high-level admin credentials (confirmed by CVSS PR:H); no user interaction and no special attack conditions are needed (UI:N, AT:N). …
Risk Assessment: The earlier 4.7 (Medium) rating comes from the CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L; NVD's current CVSS 4.0 base score is 5.1 (Medium). In both, PR:H narrows the realistic attacker pool to those who already hold admin credentials. The Low impact sub-scores sit uneasily with the exploit scenario below, in which a super-admin password reset yields full platform control, so treat the numeric score as a floor for deployments with more than one admin account. …
Exploit Scenario: An attacker who has compromised or legitimately holds a standard admin-level account in the mall backend sends a crafted HTTP request to the /admin/update/ Super Admin Password Handler endpoint, exploiting the absent or bypassable authorization check to modify the super admin's password. With the super admin credential reset, the attacker gains full administrative control over the e-commerce platform, including access to customer data, order management and system configuration.
Remediation: No vendor-released patch has been identified at the time of analysis: the vendor deleted the GitHub issue without explanation and did not respond to the disclosure contact. Until a fix exists, restrict writes to the /admin/update/ path to super-admin sessions (at the reverse proxy or in the application's authorization layer), require re-authentication for password changes, and audit for non-super-admin updates to the super admin account. …
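Since no vendor fix is available, the following added example (written for this page, not the mall project's own Java code) models the authorization decision a password-update handler has to make, placing the check pattern the advisory implies next to a hardened one: a self-change requires re-proving the current password, changing another account requires the super-admin role plus step-up re-authentication, and a super admin's password is never reset laterally by another account. The role names, account ids and the Forbidden exception are assumptions made for the demonstration.

```python
"""Authorization decision for an admin password update (CWE-285 illustration).

Added example for this advisory, not the mall project's code: role names, account ids
and the Forbidden exception are assumptions made for the demonstration.
"""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    ADMIN = "ADMIN"
    SUPER_ADMIN = "SUPER_ADMIN"


@dataclass(frozen=True)
class Admin:
    id: int
    role: Role


class Forbidden(Exception):
    """Raised when the caller is not entitled to act on the target account."""


# Constructed account table; id 1 plays the super admin.
ACCOUNTS = {
    1: Admin(1, Role.SUPER_ADMIN),
    7: Admin(7, Role.ADMIN),
    9: Admin(9, Role.ADMIN),
}


def authorize_vulnerable(actor, target, **_):
    """The pattern the advisory implies: the handler verifies only that the caller is
    *some* authenticated admin. It never compares caller to target or role to role,
    so any admin may reset any account, including the super admin's."""
    if actor.role not in (Role.ADMIN, Role.SUPER_ADMIN):
        raise Forbidden("not an admin")
    return True


def authorize_fixed(actor, target, reauth_ok=False):
    """Hardened decision, evaluated before any write:
    1. a caller may change its own password only after re-proving the current one;
    2. changing another account requires SUPER_ADMIN plus step-up re-authentication;
    3. a super admin's password is never reset laterally by another account
       (recovery for that account goes through an out-of-band procedure instead)."""
    if actor.id == target.id:
        if not reauth_ok:
            raise Forbidden("re-authentication required for a self password change")
        return True
    if actor.role is not Role.SUPER_ADMIN:
        raise Forbidden("only SUPER_ADMIN may change another admin's password")
    if target.role is Role.SUPER_ADMIN:
        raise Forbidden("a super-admin password cannot be reset by another account")
    if not reauth_ok:
        raise Forbidden("step-up re-authentication required to change another account")
    return True


def decide(check, actor_id, target_id, **kw):
    """Run a check for two account ids and return (allowed, reason) instead of raising."""
    try:
        check(ACCOUNTS[actor_id], ACCOUNTS[target_id], **kw)
        return True, "allowed"
    except Forbidden as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name, check in (("vulnerable", authorize_vulnerable), ("fixed", authorize_fixed)):
        # ordinary admin 7 tries to reset super admin 1 without re-authenticating
        print(name, "admin 7 -> super admin 1:", decide(check, 7, 1))
```

The decision deliberately takes the target account from the server-side store rather than from the request body, so a caller cannot smuggle a different id or role into the check, and it runs before any persistence call; denied outcomes should be logged with actor, target and reason so the detection logic above has something to match on. Whether the equivalent check belongs in the controller or the service that serves /admin/update/ in mall depends on the project's code, which this example does not reproduce.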
