CVE-2026-10282 - Vulnerability Details

- Bottelet DaybydayCRM DocumentsController.php view improper authorization

Description

A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to improper authorization. The attack may be launched remotely. It is best practice to apply a patch to resolve this issue.

Published: 2026-06-01

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw exists in the view function of the DocumentsController within Bottelet DaybydayCRM up to version 2.2.1 that allows an attacker to bypass the intended authorization checks. The improper authorization can enable viewing of documents that a legitimate user should not have access to, potentially exposing sensitive business documents or private customer information. The weakness is a classic example of inadequate permission enforcement, corresponding to the CWE identifiers related to privilege escalation and authentication failures.

Affected Systems

The vulnerability affects all installations of Bottelet DaybydayCRM versions up to and including 2.2.1. Users who rely on the default role‑based access controls for document management are impacted, as the code controlling access in app/Http/Controllers/DocumentsController.php fails to confirm the caller’s permissions before returning the document data.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and the vulnerability is exploitable via a remote attack vector, as indicated by the description. While the EPSS score is not available, the existence of this flaw and its remote nature mean that a motivated adversary could discover and exploit it without special pre‑conditions. It is not currently listed in the CISA KEV catalog, but administrators should still consider it a risk due to the potential for unauthorized data exposure.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Bottelet

DaybydayCRM

affected

Version	Status	Constraints
`2.2.0`	affected	—
`2.2.1`	affected	—

No data.

Vendor Product Confidence Versions

Bottelet

Daybydaycrm

100%

Version	Status	Scheme	Platform
`2.2.0`	affected	semver	—
`2.2.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Enforce stricter role‑based access controls for the document viewing endpoints, ensuring that only users with explicit permission can request document data.
Audit system logs for anomalous access patterns and configure alerts for repeated attempts to access documents outside of a user’s authorized scope.
Apply any official patch from Bottelet that addresses improper authorization.

Generated by OpenCVE AI on June 1, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00227.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Bottelet/DaybydayCRM/
https://github.com/Bottelet/DaybydayCRM/issues/347
https://github.com/Bottelet/DaybydayCRM/pull/362
https://vuldb.com/cve/CVE-2026-10282
https://vuldb.com/submit/825439
https://vuldb.com/submit/825440
https://vuldb.com/vuln/367575
https://vuldb.com/vuln/367575/cti

History

Mon, 01 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 01 Jun 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to improper authorization. The attack may be launched remotely. It is best practice to apply a patch to resolve this issue.
Title		Bottelet DaybydayCRM DocumentsController.php view improper authorization
First Time appeared		Bottelet Bottelet daybydaycrm
Weaknesses		CWE-266 CWE-285
CPEs		cpe:2.3:a:bottelet:daybydaycrm::::::::
Vendors & Products		Bottelet Bottelet daybydaycrm
References		https://github.com/Bottelet/DaybydayCRM/ https://github.com/Bottelet/DaybydayCRM/issues/347 https://github.com/Bottelet/DaybydayCRM/pull/362 https://vuldb.com/cve/CVE-2026-10282 https://vuldb.com/submit/825439 https://vuldb.com/submit/825440 https://vuldb.com/vuln/367575 https://vuldb.com/vuln/367575/cti
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C'}` cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

Bottelet Daybydaycrm

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-01T18:30:13.342Z

Updated: 2026-06-01T19:36:10.308Z

Reserved: 2026-05-31T16:25:56.939Z

Link: CVE-2026-10282

Vulnrichment

Updated: 2026-06-01T19:36:04.495Z

NVD

Status : Deferred

Published: 2026-06-01T19:16:21.370

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-10282

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:52:53Z

Weaknesses

CWE-266
Incorrect Privilege Assignment
CWE-285
Improper Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object