Description
Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers.

This issue affects QR Menu: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an IDOR (Insecure Direct Object Reference) in PosCube Hardware Software and Consulting Ltd.'s QR Menu. An attacker can control the key used to access menu items, bypassing authorization checks and gaining access to trusted identifiers. This flaw aligns with CWE‑639 and can lead to unauthorized use of QR Menu functions, potentially exposing internal transaction data or enabling further manipulation of POS operations.

Affected Systems

The affected product is PosCube Hardware Software and Consulting Ltd.'s QR Menu. All releases up through version 21052026 are impacted. No official patch has been issued yet. The vendor has not responded to notification.

Risk and Exploitability

The CVSS score of 7.5 indicates a high risk, and the lack of an EPSS rating suggests current exploit data is uncertain. The vulnerability can be exploited remotely by crafting a malicious QR code or sending a crafted request that provides a user‑controlled key, thereby bypassing authentication. The issue is not listed in the CISA KEV catalog, but its high CVSS score and the ease of exploitation through the QR interface make it a priority for vendors and users to mitigate promptly.

Generated by OpenCVE AI on May 21, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied update to QR Menu or upgrade to the latest release once a patch is available.
  • Enforce strict authorization checks on QR Menu endpoints, ensuring that only authenticated roles can access protected menu items and that the key is verified against the user’s session or role.
  • Implement comprehensive logging of QR Menu access, recording the key used and the requesting user, to detect and investigate any anomalous usage.
  • If a patch is not yet available, disable or restrict the QR Menu functionality until the vendor releases a fix, preventing unauthorized key manipulation from the client side.

Generated by OpenCVE AI on May 21, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers. This issue affects QR Menu: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Title IDOR in PosCube's QR Menu
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-21T13:49:38.991Z

Reserved: 2025-11-20T14:18:41.859Z

Link: CVE-2025-13479

cve-icon Vulnrichment

Updated: 2026-05-21T13:49:34.496Z

cve-icon NVD

Status : Deferred

Published: 2026-05-21T14:16:43.417

Modified: 2026-05-21T15:24:41.890

Link: CVE-2025-13479

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T14:45:12Z

Weaknesses