Description
Authorization bypass through User-Controlled key vulnerability in APPYAP Technology and Information Inc. Yaay Social Media App allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects Yaay Social Media App: from 3.8.0 through 24102025.
Published: 2026-05-14
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an IDOR flaw where the Yaay Social Media App accepts a user‑controlled key without proper authorization checks, allowing an attacker to access functions that should be restricted. This can lead to unauthorized data access or manipulation, compromising confidentiality and integrity of user data. The weakness maps to CWE-639.

Affected Systems

The flaw affects APPYAP Technology and Information Inc.'s Yaay Social Media App for all released versions from 3.8.0 through 24102025. Users running any of these builds are potentially exposed.

Risk and Exploitability

The CVSS score of 8.8 classifies it as high severity, and the lack of a published EPSS score suggests limited publicly known exploitation attempts at this time. The vulnerability is not listed in CISA's KEV catalog. An attacker could exploit the flaw remotely by supplying a crafted key in requests to bypass ACLs, provided the user has any authenticated session or can access the endpoint. The risk is therefore significant, especially for applications exposed to internet users.

Generated by OpenCVE AI on May 14, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Yaay Social Media App to the latest available version that includes the fix, if one exists.
  • Introduce an additional server‑side check that verifies the requester owns the user‑controlled key before executing the privileged action.
  • Review and reinforce all ACLs to ensure that endpoints with user‑controlled identifiers enforce ownership and access rights.

Generated by OpenCVE AI on May 14, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Authorization bypass through User-Controlled key vulnerability in APPYAP Technology and Information Inc. Yaay Social Media App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Yaay Social Media App: from 3.8.0 through 24102025.
Title IDOR in APPYAP's Yaay Social Media App
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-14T13:47:07.516Z

Reserved: 2025-10-21T08:47:55.324Z

Link: CVE-2025-12008

cve-icon Vulnrichment

Updated: 2026-05-14T13:47:02.759Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T13:16:16.133

Modified: 2026-05-14T16:20:13.477

Link: CVE-2025-12008

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T15:15:23Z

Weaknesses