Skip to main content

Minerva

3 CVEs product

Monthly

CVE-2026-5781 HIGH This Week

Privilege escalation in MphRx Minerva V3.6.0 allows authenticated users with user modification privileges to gain administrator access by manipulating the 'identifier' field in direct HTTP requests to the '/minerva/moUser/update' endpoint. While the vulnerability requires existing low-level authenticated access and cannot be exploited through the graphical interface, the CVSS v4.0 score of 8.5 reflects high impact across confidentiality, integrity, and availability in the subsequent system context (SC:H/SI:H/SA:H). No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE.

Authentication Bypass Minerva
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-5780 HIGH This Week

Insecure direct object reference in MphRx Minerva V3.6.0 allows authenticated attackers to enumerate and exfiltrate sensitive user data across the entire application by manipulating user IDs in the '/minerva/moUser/show/' endpoint. The CVSS 4.0 score of 8.5 reflects high confidentiality impact to both vulnerable (VC:H) and subsequent (SC:H) systems, with subsequent high integrity (SI:H) and availability (SA:H) impacts indicating potential for lateral movement or privilege escalation after initial data disclosure. Coordinated disclosure by INCIBE-CERT suggests vendor notification occurred, though no public exploit code is currently identified and EPSS/KEV data are unavailable for this 2026 CVE.

Authentication Bypass Minerva
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-5779 CRITICAL Act Now

Insecure direct object reference in MphRx Minerva V3.6.0 allows authenticated attackers to modify arbitrary user profiles via the '/minerva/user/updateUserProfile' endpoint, enabling account takeover by changing victim email addresses and triggering password reset flows. Reported by INCIBE-CERT with authentication bypass tags, indicating likely real-world discovery during security assessment. CVSS 9.4 reflects high confidentiality, integrity, and scope impacts (VC:H/VI:H/SC:H/SI:H), though the PR:L requirement (low-privileged authenticated access) limits initial attack surface to users with valid credentials.

Authentication Bypass Minerva
NVD VulDB
CVSS 4.0
9.4
EPSS
0.0%
EPSS 0% CVSS 8.5
HIGH This Week

Privilege escalation in MphRx Minerva V3.6.0 allows authenticated users with user modification privileges to gain administrator access by manipulating the 'identifier' field in direct HTTP requests to the '/minerva/moUser/update' endpoint. While the vulnerability requires existing low-level authenticated access and cannot be exploited through the graphical interface, the CVSS v4.0 score of 8.5 reflects high impact across confidentiality, integrity, and availability in the subsequent system context (SC:H/SI:H/SA:H). No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE.

Authentication Bypass Minerva
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Insecure direct object reference in MphRx Minerva V3.6.0 allows authenticated attackers to enumerate and exfiltrate sensitive user data across the entire application by manipulating user IDs in the '/minerva/moUser/show/' endpoint. The CVSS 4.0 score of 8.5 reflects high confidentiality impact to both vulnerable (VC:H) and subsequent (SC:H) systems, with subsequent high integrity (SI:H) and availability (SA:H) impacts indicating potential for lateral movement or privilege escalation after initial data disclosure. Coordinated disclosure by INCIBE-CERT suggests vendor notification occurred, though no public exploit code is currently identified and EPSS/KEV data are unavailable for this 2026 CVE.

Authentication Bypass Minerva
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Insecure direct object reference in MphRx Minerva V3.6.0 allows authenticated attackers to modify arbitrary user profiles via the '/minerva/user/updateUserProfile' endpoint, enabling account takeover by changing victim email addresses and triggering password reset flows. Reported by INCIBE-CERT with authentication bypass tags, indicating likely real-world discovery during security assessment. CVSS 9.4 reflects high confidentiality, integrity, and scope impacts (VC:H/VI:H/SC:H/SI:H), though the PR:L requirement (low-privileged authenticated access) limits initial attack surface to users with valid credentials.

Authentication Bypass Minerva
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy