CVE-2026-10070 - Vulnerability Details

- macrozheng mall Super Admin Password update improper authorization

Description

A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way.

Published: 2026-05-29

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw exists within the Super Admin Password Handler component of macrozheng mall that permits improper authorization. By triggering a manipulation of the /admin/update endpoint, an unauthenticated or low‑privileged attacker can override the password of a super‑admin account. This grants full control over the application, allowing the attacker to modify configuration, view sensitive data, or launch further attacks. The vulnerability is categorized as both CWE‑266 (Improper Handling of Privilege Escalation) and CWE‑285 (Improper Authorization).

Affected Systems

The affected product is macrozheng mall, versions up to 1.0.3. The issue specifically lies in an undisclosed function within the /admin/update file of the Super Admin Password Handler module. No patches or updates are currently available from the vendor, and the issue tracker has been removed without explanation.

Risk and Exploitability

With a CVSS score of 5.1 the vulnerability is considered of moderate severity. The EPSS score is not available, and it is not listed in the CISA KEV catalog, indicating limited public exploitation data. Nevertheless, the remote exploitation path is straightforward: an attacker can send a crafted request to /admin/update and bypass authentication checks. The lack of an official workaround or fix underscores the need for mitigation measures until a vendor update is released.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

macrozheng

mall

affected

Version	Status	Constraints
`1.0.0`	affected	—
`1.0.1`	affected	—
`1.0.2`	affected	—
`1.0.3`	affected	—

No data.

Vendor Product Confidence Versions

Macrozheng

Mall

100%

Version	Status	Scheme	Platform
`[1.0.0,1.0.3]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a patched version of macrozheng mall once the vendor releases an update.
Configure firewall or network segmentation to restrict direct access to the /admin/update endpoint to trusted IP addresses or VLANs.
Enforce strict authentication and role checks on the password update endpoint; require a valid admin session token before allowing password changes.
Monitor admin activity logs for unauthorized or unexpected password modifications and investigate any anomalies.

Generated by OpenCVE AI on May 29, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/macrozheng/mall/
https://github.com/macrozheng/mall/issues/970
https://vuldb.com/submit/818384
https://vuldb.com/vuln/367156
https://vuldb.com/vuln/367156/cti

History

Fri, 29 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 29 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way.
Title		macrozheng mall Super Admin Password update improper authorization
First Time appeared		Macrozheng Macrozheng mall
Weaknesses		CWE-266 CWE-285
CPEs		cpe:2.3:a:macrozheng:mall::::::::
Vendors & Products		Macrozheng Macrozheng mall
References		https://github.com/macrozheng/mall/ https://github.com/macrozheng/mall/issues/970 https://vuldb.com/submit/818384 https://vuldb.com/vuln/367156 https://vuldb.com/vuln/367156/cti
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

Macrozheng Mall

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-29T16:15:07.422Z

Updated: 2026-05-29T18:21:51.126Z

Reserved: 2026-05-29T08:38:54.521Z

Link: CVE-2026-10070

Vulnrichment

Updated: 2026-05-29T18:21:38.319Z

NVD

Status : Deferred

Published: 2026-05-29T18:16:30.807

Modified: 2026-05-29T20:10:20.490

Link: CVE-2026-10070

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:30:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object