{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4514", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-20T14:35:02.637Z", "datePublished": "2026-03-21T10:32:09.977Z", "dateUpdated": "2026-03-23T16:44:51.027Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-21T10:32:09.977Z"}, "title": "PbootCMS Backend UserController.php access control", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "Improper Access Controls"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-266", "lang": "en", "description": "Incorrect Privilege Assignment"}]}], "affected": [{"vendor": "n/a", "product": "PbootCMS", "versions": [{"version": "3.2.0", "status": "affected"}, {"version": "3.2.1", "status": "affected"}, {"version": "3.2.2", "status": "affected"}, {"version": "3.2.3", "status": "affected"}, {"version": "3.2.4", "status": "affected"}, {"version": "3.2.5", "status": "affected"}, {"version": "3.2.6", "status": "affected"}, {"version": "3.2.7", "status": "affected"}, {"version": "3.2.8", "status": "affected"}, {"version": "3.2.9", "status": "affected"}, {"version": "3.2.10", "status": "affected"}, {"version": "3.2.11", "status": "affected"}, {"version": "3.2.12", "status": "affected"}], "cpes": ["cpe:2.3:a:pbootcms:pbootcms:*:*:*:*:*:*:*:*"], "modules": ["Backend"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in PbootCMS up to 3.2.12. Affected by this issue is some unknown functionality of the file apps/admin/controller/system/UserController.php of the component Backend. Executing a manipulation of the argument Field can lead to improper access controls. The attack may be performed from remote. The exploit has been published and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-20T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-20T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-20T15:40:06.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "zmjjkk (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.352079", "name": "VDB-352079 | PbootCMS Backend UserController.php access control", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352079", "name": "VDB-352079 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.773907", "name": "Submit #773907 | \u7ff1\u4e91\u79d1\u6280 PbootCMS 3.2.12 Backend Arbitrary Field Modification via field and value Paramet", "tags": ["third-party-advisory"]}, {"url": "https://github.com/zzj-create/cvetest/blob/main/VULN-06_BACKEND_ARBITRARY_FIELD_MODIFICATION_REPORT_EN.md#vuln-06-pbootcms-3212-backend-arbitrary-field-modification", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:39:07.083402Z", "id": "CVE-2026-4514", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:44:51.027Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4514", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:39:07.083402Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:44:44.532Z"}}], "cna": {"title": "PbootCMS Backend UserController.php access control", "credits": [{"lang": "en", "type": "reporter", "value": "zmjjkk (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:pbootcms:pbootcms:*:*:*:*:*:*:*:*"], "vendor": "n/a", "modules": ["Backend"], "product": "PbootCMS", "versions": [{"status": "affected", "version": "3.2.0"}, {"status": "affected", "version": "3.2.1"}, {"status": "affected", "version": "3.2.2"}, {"status": "affected", "version": "3.2.3"}, {"status": "affected", "version": "3.2.4"}, {"status": "affected", "version": "3.2.5"}, {"status": "affected", "version": "3.2.6"}, {"status": "affected", "version": "3.2.7"}, {"status": "affected", "version": "3.2.8"}, {"status": "affected", "version": "3.2.9"}, {"status": "affected", "version": "3.2.10"}, {"status": "affected", "version": "3.2.11"}, {"status": "affected", "version": "3.2.12"}]}], "timeline": [{"lang": "en", "time": "2026-03-20T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-20T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-20T15:40:06.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.352079", "name": "VDB-352079 | PbootCMS Backend UserController.php access control", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352079", "name": "VDB-352079 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.773907", "name": "Submit #773907 | \u7ff1\u4e91\u79d1\u6280 PbootCMS 3.2.12 Backend Arbitrary Field Modification via field and value Paramet", "tags": ["third-party-advisory"]}, {"url": "https://github.com/zzj-create/cvetest/blob/main/VULN-06_BACKEND_ARBITRARY_FIELD_MODIFICATION_REPORT_EN.md#vuln-06-pbootcms-3212-backend-arbitrary-field-modification", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in PbootCMS up to 3.2.12. Affected by this issue is some unknown functionality of the file apps/admin/controller/system/UserController.php of the component Backend. Executing a manipulation of the argument Field can lead to improper access controls. The attack may be performed from remote. The exploit has been published and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "Improper Access Controls"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-21T10:32:09.977Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4514", "state": "PUBLISHED", "dateUpdated": "2026-03-23T16:44:51.027Z", "dateReserved": "2026-03-20T14:35:02.637Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-21T10:32:09.977Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in PbootCMS up to 3.2.12. Affected by this issue is some unknown functionality of the file apps/admin/controller/system/UserController.php of the component Backend. Executing a manipulation of the argument Field can lead to improper access controls. The attack may be performed from remote. The exploit has been published and may be used."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en PbootCMS hasta la versi\u00f3n 3.2.12. Se ve afectada por este problema alguna funcionalidad desconocida del archivo apps/admin/controller/system/UserController.PHP del componente Backend. La ejecuci\u00f3n de una manipulaci\u00f3n del argumento Field puede conducir a controles de acceso inadecuados. El ataque puede realizarse de forma remota. El exploit ha sido publicado y puede ser utilizado."}], "id": "CVE-2026-4514", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-21T11:17:06.723", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/zzj-create/cvetest/blob/main/VULN-06_BACKEND_ARBITRARY_FIELD_MODIFICATION_REPORT_EN.md#vuln-06-pbootcms-3212-backend-arbitrary-field-modification"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.352079"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.352079"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.773907"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-284"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.12]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "PbootCMS", "source": "cna", "vendor": "n/a"}, "product": "pbootcms", "vendor": "pbootcms"}], "analysis": {"en": {"generated_at": "2026-03-21T12:20:33.391608+00:00", "value": {"mitigation_remediation": ["Update PbootCMS to version 3.2.13 or newer."], "summary": {"action": "Immediate Patch", "impact": "Improper Authorization"}, "threat_synthesis": {"affected_systems": "The affected product is PbootCMS, specifically all releases up to and including 3.2.12. No other vendors or products are listed as impacted.", "description_and_impact": "PbootCMS versions up to 3.2.12 contain a flaw in the UserController.php component that permits remote manipulation of the Field argument. This weakness allows an attacker to alter arbitrary user data or configuration settings, bypassing the intended access controls and potentially enabling privilege escalation or unauthorized data modification. The vulnerability is classified under CWE\u2011266 and CWE\u2011284, indicating problems with authority management and improper access control.", "risk_and_exploitability": "The CVSS v3.1 score is 5.3, representing a medium severity. EPSS information is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting it may not be actively exploited in the wild. Nonetheless, an exploit has been published and the attack can be carried out remotely, likely by sending crafted requests to the backend API. The lack of explicit authentication requirements in the description means the risk may vary depending on the deployment\u2019s exposure, but a remote attacker with access to the backend portal could leverage this weakness."}}}}, "created": "2026-03-23T09:49:37.390361+00:00", "updated": "2026-03-25T14:41:15.052366+00:00", "vendors": ["pbootcms", "pbootcms$PRODUCT$pbootcms"]}