Skip to main content

Daybydaycrm

1 CVEs product

Monthly

CVE-2026-10283 MEDIUM PATCH This Month

Missing admin-only middleware on DaybydayCRM's SettingsController (`updateOverall` and `updateFirstStep` methods) allows any authenticated low-privilege user to modify critical company-wide configurations - including currency, VAT rates, invoice numbering, and business hours - in versions up to 2.2.1. The PR diff confirms the vulnerability is part of a systemic authorization failure across multiple controllers: authenticated users could also delete any resource (clients, tasks, leads, projects) and exploit mass assignment flaws in status update endpoints. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though an upstream patch PR has been submitted.

Authentication Bypass Daybydaycrm
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.1%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing admin-only middleware on DaybydayCRM's SettingsController (`updateOverall` and `updateFirstStep` methods) allows any authenticated low-privilege user to modify critical company-wide configurations - including currency, VAT rates, invoice numbering, and business hours - in versions up to 2.2.1. The PR diff confirms the vulnerability is part of a systemic authorization failure across multiple controllers: authenticated users could also delete any resource (clients, tasks, leads, projects) and exploit mass assignment flaws in status update endpoints. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though an upstream patch PR has been submitted.

Authentication Bypass Daybydaycrm
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy