Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address.
AnalysisAI
Insecure Direct Object Reference in ITPison's OMICARD EDM (an email marketing platform) enables unauthenticated remote attackers to manipulate a specific request parameter to retrieve arbitrary users' email addresses without authorization. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms fully remote, zero-authentication exploitation requiring no user interaction, though impact is bounded to low-level confidentiality loss with no integrity or availability consequence. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Technical ContextAI
OMICARD EDM is an email marketing and direct mail campaign management platform developed by ITPison, a Taiwanese software vendor. The vulnerability is classified as CWE-639 (Authorization Through User-Controlled Key), a specific variant of Insecure Direct Object Reference where the application exposes internal data object identifiers - likely sequential user record IDs or account keys - directly in HTTP requests without enforcing server-side ownership or access control verification. An attacker who identifies the parameter can substitute arbitrary values to retrieve records belonging to other users. The CPE string cpe:2.3:a:itpison:omicard_edm:*:*:*:*:*:*:*:* uses a wildcard version field, indicating no specific version boundary has been defined in NVD - all known versions of the product are potentially in scope. The tag 'Authentication Bypass' in the intelligence data aligns with the PR:N CVSS vector, confirming the access control failure occurs at the pre-authentication layer.
RemediationAI
No exact patched version is identifiable from the available data - consult the TWCERT advisories at https://www.twcert.org.tw/tw/cp-132-10947-027a7-1.html and https://www.twcert.org.tw/en/cp-139-10948-78864-2.html for vendor-issued patch or upgrade guidance, and contact ITPison directly to confirm a fixed release. As a compensating control pending patching, configure a WAF rule to detect and block rapid sequential or enumerated requests against the vulnerable parameter endpoint, noting this may produce false positives if legitimate pagination uses the same parameter. Restrict external network access to the OMICARD EDM administrative or API interface to trusted IP ranges where operationally feasible, reducing the attack surface to internal actors only. Implement server-side session validation ensuring the authenticated user's identity is checked against the requested record owner before returning any data - this is the permanent architectural fix regardless of patch availability. Enable detailed API access logging and alert on anomalous parameter enumeration patterns as a detection measure.
More in Omicard Edm
View allITPison OMICARD EDM 's SMS-related function has insufficient validation for user input. Rated critical severity (CVSS 9.
ITPison OMICARD EDM’s file uploading function does not restrict upload of file with dangerous type. Rated critical sever
OMICARD EDM’s file uploading function does not restrict upload of file with dangerous type. Rated critical severity (CVS
OMICARD EDM has a hard-coded machine key. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
OMICARD EDM’s API function has insufficient validation for user input. Rated critical severity (CVSS 9.8), this vulnerab
ITPison OMICARD EDM has a path traversal vulnerability within its parameter “FileName” in a specific function. Rated hig
OMICARD EDM’s mail image relay function has a path traversal vulnerability. Rated high severity (CVSS 7.5), this vulnera
OMICARD EDM’s mail file relay function has a path traversal vulnerability. Rated high severity (CVSS 7.5), this vulnerab
OMICARD EDM backend system’s file uploading function does not restrict upload of file with dangerous type. Rated medium
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34196
GHSA-vrwp-qqhw-75c3