{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7142", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-26T19:42:42.726Z", "datePublished": "2026-04-27T17:00:17.000Z", "dateUpdated": "2026-04-27T20:12:13.840Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T17:00:17.000Z"}, "title": "Wooey API Endpoint scripts.py add_or_update_script improper authorization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "Improper Authorization"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-266", "lang": "en", "description": "Incorrect Privilege Assignment"}]}], "affected": [{"vendor": "n/a", "product": "Wooey", "versions": [{"version": "0.13.0", "status": "affected"}, {"version": "0.13.1", "status": "affected"}, {"version": "0.13.2", "status": "affected"}, {"version": "0.13.3rc1", "status": "unaffected"}, {"version": "0.14.0", "status": "unaffected"}], "modules": ["API Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Wooey up to 0.13.2. The impacted element is the function add_or_update_script of the file wooey/api/scripts.py of the component API Endpoint. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.13.3rc1 and 0.14.0 is sufficient to resolve this issue. This patch is called f7846fc0c323da8325422cab32623491757f1b88. The affected component should be upgraded."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-26T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-26T21:48:23.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "anch0r (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/359741", "name": "VDB-359741 | Wooey API Endpoint scripts.py add_or_update_script improper authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359741/cti", "name": "VDB-359741 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/801533", "name": "Submit #801533 | wooey Wooey 0.13.3-dev Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/wooey/Wooey/issues/408", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/wooey/Wooey/pull/407", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/wooey/Wooey/commit/f7846fc0c323da8325422cab32623491757f1b88", "tags": ["patch"]}, {"url": "https://github.com/wooey/Wooey/releases/tag/v0.13.3rc1", "tags": ["patch"]}, {"url": "https://github.com/wooey/Wooey/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T19:37:14.710974Z", "id": "CVE-2026-7142", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T20:12:13.840Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7142", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T19:37:14.710974Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T19:39:21.939Z"}}], "cna": {"tags": ["x_open-source"], "title": "Wooey API Endpoint scripts.py add_or_update_script improper authorization", "credits": [{"lang": "en", "type": "reporter", "value": "anch0r (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "n/a", "modules": ["API Endpoint"], "product": "Wooey", "versions": [{"status": "affected", "version": "0.13.0"}, {"status": "affected", "version": "0.13.1"}, {"status": "affected", "version": "0.13.2"}, {"status": "unaffected", "version": "0.13.3rc1"}, {"status": "unaffected", "version": "0.14.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-26T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-26T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-26T21:48:23.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/359741", "name": "VDB-359741 | Wooey API Endpoint scripts.py add_or_update_script improper authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359741/cti", "name": "VDB-359741 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/801533", "name": "Submit #801533 | wooey Wooey 0.13.3-dev Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/wooey/Wooey/issues/408", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/wooey/Wooey/pull/407", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/wooey/Wooey/commit/f7846fc0c323da8325422cab32623491757f1b88", "tags": ["patch"]}, {"url": "https://github.com/wooey/Wooey/releases/tag/v0.13.3rc1", "tags": ["patch"]}, {"url": "https://github.com/wooey/Wooey/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Wooey up to 0.13.2. The impacted element is the function add_or_update_script of the file wooey/api/scripts.py of the component API Endpoint. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.13.3rc1 and 0.14.0 is sufficient to resolve this issue. This patch is called f7846fc0c323da8325422cab32623491757f1b88. The affected component should be upgraded."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "Improper Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T17:00:17.000Z"}}}, "cveMetadata": {"cveId": "CVE-2026-7142", "state": "PUBLISHED", "dateUpdated": "2026-04-27T20:12:13.840Z", "dateReserved": "2026-04-26T19:42:42.726Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-27T17:00:17.000Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Wooey up to 0.13.2. The impacted element is the function add_or_update_script of the file wooey/api/scripts.py of the component API Endpoint. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.13.3rc1 and 0.14.0 is sufficient to resolve this issue. This patch is called f7846fc0c323da8325422cab32623491757f1b88. The affected component should be upgraded."}], "id": "CVE-2026-7142", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-27T17:16:45.820", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/wooey/Wooey/"}, {"source": "cna@vuldb.com", "url": "https://github.com/wooey/Wooey/commit/f7846fc0c323da8325422cab32623491757f1b88"}, {"source": "cna@vuldb.com", "url": "https://github.com/wooey/Wooey/issues/408"}, {"source": "cna@vuldb.com", "url": "https://github.com/wooey/Wooey/pull/407"}, {"source": "cna@vuldb.com", "url": "https://github.com/wooey/Wooey/releases/tag/v0.13.3rc1"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/801533"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359741"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359741/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-285"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.13.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.13.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.13.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "0.13.3rc1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "0.14.0"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}]}, "original": {"product": "Wooey", "source": "cna", "vendor": "n/a"}, "product": "wooey", "vendor": "wooey"}], "analysis": {"en": {"generated_at": "2026-04-28T04:16:22.515693+00:00", "value": {"mitigation_remediation": ["Update Wooey to version 0.13.3rc1 or any newer release such as 0.14.0, which contains the fix identified by commit f7846fc0c323da8325422cab32623491757f1b88", "If an immediate upgrade is not possible, restrict network access to the /scripts API endpoint to authorized users only, applying firewall rules or authentication checks to block unauthenticated requests", "During the upgrade process, verify that the authorization logic for add_or_update_script is in place and that only users with the appropriate permissions can execute this function"], "summary": {"action": "Patch", "impact": "Improper authorization allowing unauthorized script creation or update via Wooey API"}, "threat_synthesis": {"affected_systems": "Wooey, versions up to 0.13.2, including the 0.13.3rc1 release and 0.14.0. Upgrading to 0.13.3rc1 or newer resolves the issue. The affected component is the API Endpoint in the script handling module.", "description_and_impact": "A flaw in Wooey\u2019s add_or_update_script function inside wooey/api/scripts.py allows an attacker to bypass authorization controls when adding or updating scripts. Because the endpoint does not require sufficient privileges, a malicious user can create or modify scripts on the system, potentially leading to privilege escalation or unauthorized execution. The vulnerability is identified as a classic authorization failure (CWE-266 and CWE-285) and can be exploited remotely through the public API.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that no large\u2011scale exploitation has been observed. Nevertheless, the flaw can be reached remotely via the API, and the public exploit has been disclosed, so any exposed instance is at risk. Administrators should treat the vulnerability as significant enough to warrant prompt remediation."}}}}, "created": "2026-04-28T04:30:21.137411+00:00", "updated": "2026-04-28T09:17:01.125326+00:00", "vendors": ["wooey", "wooey$PRODUCT$wooey"]}