{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4563", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-22T08:20:25.349Z", "datePublished": "2026-03-22T23:51:03.216Z", "dateUpdated": "2026-03-25T13:53:02.294Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-22T23:51:03.216Z"}, "title": "MacCMS Member Order Detail User.php order_info authorization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-639", "lang": "en", "description": "Authorization Bypass"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "Improper Authorization"}]}], "affected": [{"vendor": "n/a", "product": "MacCMS", "versions": [{"version": "2025.1000.4052", "status": "affected"}], "cpes": ["cpe:2.3:a:maccms:maccms:*:*:*:*:*:*:*:*"], "modules": ["Member Order Detail Interface"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in MacCMS up to 2025.1000.4052. This vulnerability affects the function order_info of the file application/index/controller/User.php of the component Member Order Detail Interface. This manipulation of the argument order_id causes authorization bypass. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-22T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-22T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-22T09:25:33.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "HuajiHD (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.352400", "name": "VDB-352400 | MacCMS Member Order Detail User.php order_info authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352400", "name": "VDB-352400 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775050", "name": "Submit #775050 | MacCMS 2025.1000.4052 Authorization Bypass", "tags": ["third-party-advisory"]}, {"url": "https://github.com/HuajiHD/CVE/issues/10", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:52:50.997995Z", "id": "CVE-2026-4563", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:53:02.294Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4563", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:52:50.997995Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:52:58.414Z"}}], "cna": {"title": "MacCMS Member Order Detail User.php order_info authorization", "credits": [{"lang": "en", "type": "reporter", "value": "HuajiHD (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:maccms:maccms:*:*:*:*:*:*:*:*"], "vendor": "n/a", "modules": ["Member Order Detail Interface"], "product": "MacCMS", "versions": [{"status": "affected", "version": "2025.1000.4052"}]}], "timeline": [{"lang": "en", "time": "2026-03-22T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-22T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-22T09:25:33.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.352400", "name": "VDB-352400 | MacCMS Member Order Detail User.php order_info authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352400", "name": "VDB-352400 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775050", "name": "Submit #775050 | MacCMS 2025.1000.4052 Authorization Bypass", "tags": ["third-party-advisory"]}, {"url": "https://github.com/HuajiHD/CVE/issues/10", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in MacCMS up to 2025.1000.4052. This vulnerability affects the function order_info of the file application/index/controller/User.php of the component Member Order Detail Interface. This manipulation of the argument order_id causes authorization bypass. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "Authorization Bypass"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "Improper Authorization"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-22T23:51:03.216Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4563", "state": "PUBLISHED", "dateUpdated": "2026-03-25T13:53:02.294Z", "dateReserved": "2026-03-22T08:20:25.349Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-22T23:51:03.216Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in MacCMS up to 2025.1000.4052. This vulnerability affects the function order_info of the file application/index/controller/User.php of the component Member Order Detail Interface. This manipulation of the argument order_id causes authorization bypass. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks."}, {"lang": "es", "value": "Se ha identificado una debilidad en MacCMS hasta 2025.1000.4052. Esta vulnerabilidad afecta a la funci\u00f3n order_info del archivo application/index/controller/User.php del componente Member Order Detail Interface. Esta manipulaci\u00f3n del argumento order_id causa bypass de autorizaci\u00f3n. Es posible iniciar el ataque remotamente. El exploit ha sido puesto a disposici\u00f3n del p\u00fablico y podr\u00eda ser utilizado para ataques."}], "id": "CVE-2026-4563", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-23T00:16:51.893", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/HuajiHD/CVE/issues/10"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.352400"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.352400"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.775050"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-639"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2025.1000.4052,2025.1000.4052]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "maccms", "vendor": "maccms"}], "analysis": {"en": {"generated_at": "2026-03-23T03:22:40.082276+00:00", "value": {"mitigation_remediation": ["Apply the latest MacCMS patch (release 2025.1000.4052 or later) to eliminate the order_id handling flaw.", "Verify that order_id parameters are correctly validated and bound to the authenticated user's context.", "Monitor for anomalous access patterns to order information and restrict API permissions as a temporary control.", "Keep the system and its components up to date by checking the vendor\u2019s update announcements regularly."], "summary": {"action": "Patch", "impact": "Authorization bypass resulting in unauthorized access to user order information"}, "threat_synthesis": {"affected_systems": "MacCMS versions released before or equal to 2025.1000.4052 are affected. The attack targets the Member Order Detail Interface component, specifically the User.php controller handling order information. No other affected products or versions are listed.", "description_and_impact": "A flaw in MacCMS up to 2025.1000.4052 allows remote manipulation of the order_id argument in the order_info function of User.php, leading to an unauthorized bypass of access checks. This weakness permits an attacker to view or modify order details that should be protected by authentication, effectively exposing confidential customer data. The vulnerability is rooted in improper authorization checks, as identified by CWE-285 and CWE-639.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates moderate severity. The exploit is available publicly and can be invoked remotely, increasing its risk floor. While the EPSS score is not available, the lack of KEV listing suggests the vulnerability has not yet been catalogued as a widely exploited weakness. Attackers would need remote access to the application and can supply crafted order_id parameters to bypass authorization checks, making the exploitation straightforward for those with network reach to the system."}}}}, "created": "2026-03-23T09:45:46.002879+00:00", "updated": "2026-03-25T14:50:19.705799+00:00", "vendors": ["maccms", "maccms$PRODUCT$maccms"]}