Skip to main content

Proliz OBS EUVDEUVD-2026-45166

| CVE-2026-7189 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-07-17 TR-CERT GHSA-xmc7-8g95-v5fj
7.5
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Network-reachable unauthenticated endpoint with a missing ACL check (AV:N/AC:L/PR:N/UI:N) discloses sensitive data, giving high confidentiality impact and no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Updated
Jul 17, 2026 - 14:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 17, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Jul 17, 2026 - 14:22 NVD
8.2 (HIGH) 7.5 (HIGH)
Analysis Generated
Jul 17, 2026 - 13:30 vuln.today
CVE Published
Jul 17, 2026 - 12:44 nvd
HIGH 8.2

DescriptionCVE.org

Insertion of sensitive information into sent data vulnerability in Proliz Software Ltd. Co. Proliz's OBS allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects Proliz's OBS: before v3.6.0.

AnalysisAI

Sensitive information disclosure in Proliz Software's OBS (a student information management system) affects all versions before v3.6.0, allowing remote unauthenticated attackers to reach functionality that is not properly restricted by access-control lists (CWE-201) and retrieve confidential data. The CVSS 7.5 vector (AV:N/AC:L/PR:N/UI:N, C:H only) confirms network-reachable, no-privilege access with high confidentiality impact but no integrity or availability effect. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed OBS endpoint
Delivery
Send request to unrestricted function
Exploit
Bypass missing ACL check
Execution
Server returns sensitive data
Impact
Harvest disclosed records

Vulnerability AssessmentAI

Exploitation The OBS instance must be network-reachable by the attacker (AV:N) and running a version before v3.6.0; the CVSS vector (PR:N/UI:N/AC:L) indicates no authentication, no user interaction, and low complexity are required against a vulnerable deployment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.5 (High) driven entirely by confidentiality (C:H, I:N, A:N) with the most exploitable-vector combination possible: AV:N (network), AC:L (low complexity), PR:N (no privileges), UI:N (no user interaction). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker with no account and no user interaction sends crafted HTTP requests to an internet-exposed OBS endpoint whose authorization is not properly enforced, and the server returns confidential records (such as student or academic data) in its response. Because the access is low-complexity and unauthenticated, the request can be scripted and iterated to harvest data at scale. …
Remediation Upgrade to OBS v3.6.0 or later, which is the vendor-designated fixed release (all versions before v3.6.0 are affected); this qualifies as a vendor-released patch: v3.6.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, immediately verify which OBS versions are deployed in your environment and alert stakeholders; implement network-layer access controls to restrict OBS connectivity to authorized administrative networks only, and enable detailed audit logging on all student records access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45166 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy