{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2549", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-15T16:06:15.489Z", "datePublished": "2026-02-16T09:32:06.062Z", "dateUpdated": "2026-02-23T10:08:08.223Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:08:08.223Z"}, "title": "zhanghuanhao LibrarySystem \u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf BookController.java access control", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "Improper Access Controls"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-266", "lang": "en", "description": "Incorrect Privilege Assignment"}]}], "affected": [{"vendor": "zhanghuanhao", "product": "LibrarySystem \u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf", "versions": [{"version": "1.1.0", "status": "affected"}, {"version": "1.1.1", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in zhanghuanhao LibrarySystem \u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf up to 1.1.1. This impacts an unknown function of the file BookController.java. The manipulation leads to improper access controls. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-15T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-15T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-20T08:22:53.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Jszdk (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.346158", "name": "VDB-346158 | zhanghuanhao LibrarySystem \u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf BookController.java access control", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346158", "name": "VDB-346158 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.749873", "name": "Submit #749873 | https://github.com/zhanghuanhao/LibrarySystem LibrarySystem v1.1.1 Improper Access Control", "tags": ["third-party-advisory"]}, {"url": "https://github.com/zhanghuanhao/LibrarySystem/issues/32", "tags": ["issue-tracking"]}, {"url": "https://github.com/zhanghuanhao/LibrarySystem/issues/32#issue-3879640487", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T16:54:06.135157Z", "id": "CVE-2026-2549", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T16:54:17.135Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2549", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T16:54:06.135157Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T16:54:09.893Z"}}], "cna": {"title": "zhanghuanhao LibrarySystem \u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf BookController.java access control", "credits": [{"lang": "en", "type": "reporter", "value": "Jszdk (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "zhanghuanhao", "product": "LibrarySystem \u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf", "versions": [{"status": "affected", "version": "1.1.0"}, {"status": "affected", "version": "1.1.1"}]}], "timeline": [{"lang": "en", "time": "2026-02-15T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-15T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-20T08:22:53.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.346158", "name": "VDB-346158 | zhanghuanhao LibrarySystem \u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf BookController.java access control", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346158", "name": "VDB-346158 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.749873", "name": "Submit #749873 | https://github.com/zhanghuanhao/LibrarySystem LibrarySystem v1.1.1 Improper Access Control", "tags": ["third-party-advisory"]}, {"url": "https://github.com/zhanghuanhao/LibrarySystem/issues/32", "tags": ["issue-tracking"]}, {"url": "https://github.com/zhanghuanhao/LibrarySystem/issues/32#issue-3879640487", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in zhanghuanhao LibrarySystem \u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf up to 1.1.1. This impacts an unknown function of the file BookController.java. The manipulation leads to improper access controls. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "Improper Access Controls"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:08:08.223Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2549", "state": "PUBLISHED", "dateUpdated": "2026-02-23T10:08:08.223Z", "dateReserved": "2026-02-15T16:06:15.489Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-16T09:32:06.062Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in zhanghuanhao LibrarySystem \u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf up to 1.1.1. This impacts an unknown function of the file BookController.java. The manipulation leads to improper access controls. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en zhanghuanhao LibrarySystem ??????? hasta la versi\u00f3n 1.1.1. Esto afecta a una funci\u00f3n desconocida del archivo BookController.java. La manipulaci\u00f3n conduce a controles de acceso inadecuados. El ataque puede llevarse a cabo remotamente. El exploit ha sido divulgado al p\u00fablico y puede ser utilizado. El proyecto fue informado del problema con antelaci\u00f3n a trav\u00e9s de un informe de incidencias, pero a\u00fan no ha respondido."}], "id": "CVE-2026-2549", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-16T10:16:08.403", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/zhanghuanhao/LibrarySystem/issues/32"}, {"source": "cna@vuldb.com", "url": "https://github.com/zhanghuanhao/LibrarySystem/issues/32#issue-3879640487"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.346158"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.346158"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.749873"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-284"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.1.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.1.1"}}], "product": "librarysystem", "vendor": "zhanghuanhao"}], "analysis": {"en": {"generated_at": "2026-04-17T19:10:41.584770+00:00", "value": {"mitigation_remediation": ["Apply any vendor\u2011released patch that addresses the authorization bypass in BookController.java as soon as it becomes available.", "Implement temporary network\u2011level restrictions, such as firewall rules or IP whitelisting, to limit who can reach the BookController endpoints until a patch is applied.", "Add or enforce explicit role\u2011based access checks in the application code, ensuring that only authorized users can perform book\u2011management actions.", "Continuously monitor logs for anomalous privilege\u2011escalation activity, particularly unexpected requests to book\u2011management URLs, and investigate any suspicious patterns."], "summary": {"action": "Monitor", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "This issue impacts the zhanghuanhao LibrarySystem application in all versions up to and including 1.1.1. Systems that have not upgraded beyond that release are potentially exposed. The vulnerability is limited to the BookController component responsible for handling book\u2011related requests.", "description_and_impact": "The vulnerability in the zhanghuanhao LibrarySystem \u56fe\u4e66\u9986\u7ba1\u7406\u7cfb\u7edf arises from an incorrect authorization check in the BookController.java module. Attackers can manipulate request parameters to bypass intended access restrictions, thereby gaining privileged access to book\u2011management functions. The flaw is a classic example of an authorization bypass or improper access control (CWE\u2011266 and CWE\u2011284), which threatens the confidentiality and integrity of library catalog data.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.9, indicating moderate severity, while the EPSS probability is below 1 percent, pointing to a low chance of exploitation at the time of analysis. It is not listed in CISA\u2019s KEV catalog, suggesting no known widespread exploitation. Nonetheless, an attacker with remote access could exploit the flaw, given the absence of response from the project maintainers and the public availability of the exploit code."}}}}, "created": "2026-02-16T12:01:00.213110+00:00", "updated": "2026-04-17T19:15:26.256768+00:00", "vendors": ["zhanghuanhao", "zhanghuanhao$PRODUCT$librarysystem"]}