Description
A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in DevaslanPHP project-management lies in the Livewire component ViewTicket.php, specifically in the doDeleteComment method (the advisory description also names editComment). The handler can be invoked by any authenticated user who can reach the ticket view, and it does not verify that the caller is actually permitted to delete the targeted comment, so a remote, low-privileged user can remove ticket comments, altering the discussion history and misleading stakeholders. The weakness is classified as CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization).

Affected Systems

DevaslanPHP project-management, versions up to and including 2.0.0-beta1, in the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php. The flaw can be triggered remotely from any authenticated session that can load the Livewire component: Livewire actions are ordinary HTTP requests to the application, so a user who can reach the ticket view can call the action directly, regardless of whether the UI shows them a delete control.

Risk and Exploitability

The CVSS 4.0 base score is 5.3 (the 3.x scores are 5.4), i.e. moderate severity: network-reachable (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), with low impact on integrity and availability and none on confidentiality. No EPSS score is available, no exploit maturity has been published (E:X), and the CVE is not in the CISA KEV catalog, so there is no evidence of widespread exploitation at this time. Because the action is reachable remotely and needs only an authenticated account with access to the TicketResource page, any user holding such a role could abuse it until a fix is released.

Generated by OpenCVE AI on June 1, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Add an explicit authorization check inside the doDeleteComment (and editComment) handlers so that only users with delete (or edit) permission for that specific comment can perform the operation; checking that the user may view the page is not sufficient, since Livewire actions can be invoked directly over HTTP.
  • Restrict or remove delete functionality from users who do not need it, and ensure the TicketResource page itself is only accessible to authorized roles.
  • Monitor application logs for unexpected comment deletions and review audit trails for suspicious activity.
  • Once the project releases a fix, upgrade to the updated version immediately.
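The pattern behind the first and third recommendations, as an added illustration written for this page; it is not code from DevaslanPHP project-management and does not reproduce the project's actual handler. It assumes a Laravel application with Livewire 3 and hypothetical models App\Models\User (with a hasRole helper) and App\Models\TicketComment (columns id, ticket_id, user_id); the class names ViewTicketExample and TicketCommentPolicy and the log messages are likewise assumptions. The unchecked method shows the class of bug the advisory describes; the checked one scopes the lookup, enforces a policy on the specific comment, and writes an audit record for both denied and successful deletes.

```php
<?php
// Added illustration of the fix pattern; NOT code from DevaslanPHP
// project-management. Assumes Laravel + Livewire 3 and the hypothetical
// models App\Models\User (with hasRole()) and App\Models\TicketComment
// (columns id, ticket_id, user_id). All names here are assumptions.

// --- app/Policies/TicketCommentPolicy.php (hypothetical) ---
// Laravel auto-discovers App\Policies\TicketCommentPolicy for
// App\Models\TicketComment; otherwise register it via Gate::policy().
namespace App\Policies;

use App\Models\TicketComment;
use App\Models\User;

class TicketCommentPolicy
{
    // Explicit delete permission: the comment's author, or a user whose
    // role carries moderation rights. hasRole() is a hypothetical helper;
    // substitute the application's own role mechanism.
    public function delete(User $user, TicketComment $comment): bool
    {
        return $user->id === $comment->user_id
            || $user->hasRole('admin');
    }
}

// --- app/Livewire/ViewTicketExample.php (hypothetical) ---
namespace App\Livewire;

use App\Models\TicketComment;
use Illuminate\Support\Facades\Log;
use Livewire\Attributes\Locked;
use Livewire\Component;

class ViewTicketExample extends Component
{
    // Livewire 3 public properties can be rewritten from the browser unless
    // locked; the ticket being viewed must not be attacker-controlled, or
    // scoping the comment lookup to it would be meaningless.
    #[Locked]
    public int $ticketId;

    public function mount(int $ticketId): void
    {
        $this->ticketId = $ticketId;
    }

    // Vulnerable pattern (hypothetical, for contrast): every authenticated
    // user who can render the page can invoke this action over Livewire's
    // HTTP endpoint with an arbitrary comment id. Being allowed to view the
    // page is not authorization to delete a particular object.
    public function doDeleteCommentUnchecked(int $commentId): void
    {
        TicketComment::findOrFail($commentId)->delete();
    }

    // Hardened version: resolve the comment within the ticket actually being
    // viewed, enforce the policy on that comment before deleting, and leave
    // an audit trail that log monitoring can alert on.
    public function doDeleteComment(int $commentId): void
    {
        $user = auth()->user() ?? abort(401);

        $comment = TicketComment::query()
            ->where('ticket_id', $this->ticketId)
            ->findOrFail($commentId);

        if ($user->cannot('delete', $comment)) {
            Log::warning('ticket comment delete denied', [
                'user_id'    => $user->id,
                'comment_id' => $comment->id,
                'ticket_id'  => $this->ticketId,
            ]);
            abort(403);
        }

        $comment->delete();

        Log::info('ticket comment deleted', [
            'user_id'    => $user->id,
            'comment_id' => $comment->id,
            'ticket_id'  => $this->ticketId,
        ]);
    }
}
```

The same shape applies to an editComment handler: look the comment up, call the policy's update ability, then mutate. A denied attempt is logged at warning level with the user and comment ids, so a burst of "delete denied" entries from one account, or deletes of comments the acting user did not author, can be picked out of the application log without any extra instrumentation.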

Generated by OpenCVE AI on June 1, 2026 at 21:23 UTC.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 21:45:00 +0000 (values added; nothing removed)

  First Time appeared: Devaslanphp project Management
  Vendors & Products: Devaslanphp project Management

Mon, 01 Jun 2026 20:30:00 +0000 (values added; nothing removed)

  Description: A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet.
  Title: DevaslanPHP project-management Livewire ViewTicket.php doDeleteComment improper authorization
  First Time appeared: Devaslanphp; Devaslanphp project-management
  Weaknesses: CWE-266; CWE-285
  CPEs: cpe:2.3:a:devaslanphp:project-management:*:*:*:*:*:*:*:*
  Vendors & Products: Devaslanphp; Devaslanphp project-management
  References: (none)
  Metrics:
    cvssV2_0: score 5.5, vector AV:N/AC:L/Au:S/C:N/I:P/A:P/E:ND/RL:ND/RC:UR
    cvssV3_0: score 5.4, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R
    cvssV3_1: score 5.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R
    cvssV4_0: score 5.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T19:00:09.664Z

Reserved: 2026-05-31T16:30:10.696Z

Link: CVE-2026-10284

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T21:16:25.130

Modified: 2026-06-01T21:16:25.130

Link: CVE-2026-10284

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T21:30:26Z

Weaknesses