Skip to main content

Eleveo Call Recording EUVDEUVD-2026-43192

| CVE-2026-15470 LOW
Improper Authorization (CWE-285)
2026-07-11 VulDB GHSA-qhq9-8cqg-qc8g
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

PR:L confirmed by authenticated access requirement; C:L for bounded group data read; S:U and I:N/A:N because no integrity, availability, or scope-crossing impact is described.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 12, 2026 - 00:26 vuln.today
Severity Changed
Jul 12, 2026 - 00:22 NVD
MEDIUM LOW
CVSS changed
Jul 12, 2026 - 00:22 NVD
5.3 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A vulnerability has been found in Eleveo Call Recording Software 9.7.0. Affected by this issue is some unknown functionality of the file /callrec/group.jsp. Such manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to access the /callrec/group.jsp endpoint without proper permission checks, resulting in unauthorized read access to call recording group data. A publicly available exploit has been disclosed via Google Drive; the vendor was notified but did not respond, meaning no official patch exists at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid low-privilege Eleveo account
Exploit
Send crafted request to /callrec/group.jsp
Execution
Bypass authorization enforcement
Impact
Read restricted call recording group data

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid authenticated session on the Eleveo Call Recording Software 9.7.0 instance - at minimum a low-privilege account (PR:L per CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.1 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N) is consistent with a narrowly scoped, low-impact information disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privileged user on the Eleveo Call Recording platform - such as a basic agent or read-only auditor account - sends a crafted HTTP request directly to /callrec/group.jsp, bypassing the expected authorization logic to enumerate or access call recording group data assigned to other organizational units or privilege tiers. A publicly available proof-of-concept exists, reducing the technical skill required for exploitation. …
Remediation No vendor-released patch has been identified at time of analysis; the vendor did not respond to responsible disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy