Description
A security flaw has been discovered in CodeAstro Complaint Management System 1.0. The affected element is the function deletereport of the file application/controllers/Report.php of the component Report Endpoint. The manipulation results in authorization bypass. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the deletereport function of the Report.php controller allows attackers to bypass authorization and delete complaint reports without holding the credentials required for that action. This compromises the integrity of the system's data and can facilitate further malicious activity, such as removing evidence or manipulating records.

Affected Systems

The vulnerability is confined to CodeAstro Complaint Management System version 1.0, as disclosed in the vendor’s documentation. No other releases or variants have been reported as affected at this time.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog. Nonetheless, a publicly released exploit and the ability to perform the attack remotely increase the real-world risk beyond the numeric score. Attackers could target any internet-connected host that can access the vulnerable endpoint.

Generated by OpenCVE AI on June 29, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade to a supported build that removes the unauthorized delete capability.
  • Implement strict authentication and authorization checks on all endpoints that modify data, ensuring that only users with the appropriate roles can invoke deletereport.
  • Disable or restrict direct access to the Report.php endpoint for unauthenticated users and enforce least-privilege access controls across the application.
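As an added illustration of the second and third recommendations (this is not CodeAstro's code and not taken from this page), a CodeIgniter 3-style delete action in the shape that CWE-285 and CWE-639 describe, followed by a hardened version that authenticates the caller, restricts the HTTP method, validates the key and ties the report to its owner before deleting. The `reports` table, its `owner_id` column, the session keys `user_id` and `role`, and the `admin` role name are assumptions.

```php
<?php
// Added illustration, not the project's code. Assumes CodeIgniter 3 conventions,
// the url helper loaded (for redirect()), a `reports` table with `id` and
// `owner_id` columns, and session keys `user_id` and `role` set at login.

// Hypothetical vulnerable shape: the report id is the only input and nothing
// ties it to the caller, so any remote client can delete any report
// (CWE-285 improper authorization, CWE-639 user-controlled key).
class Report_vulnerable extends CI_Controller
{
    public function deletereport($id)
    {
        $this->db->where('id', $id)->delete('reports');
        redirect('report');
    }
}

// Hardened shape: every check runs before the delete statement.
class Report extends CI_Controller
{
    public function deletereport($id = null)
    {
        // 1. Authentication: no session user, no action.
        $user_id = $this->session->userdata('user_id');
        if ($user_id === null) {
            show_error('Login required', 401);
        }
        // 2. State-changing action: accept POST only, so a crafted link or
        //    image tag cannot trigger it (CodeIgniter's CSRF filter, when
        //    enabled in config, also applies to POST).
        if ($this->input->method(TRUE) !== 'POST') {
            show_error('Method not allowed', 405);
        }
        // 3. Validate the key before it reaches the query builder.
        if (!ctype_digit((string) $id)) {
            show_error('Invalid report id', 400);
        }
        // 4. Object-level authorization (CWE-639): the row must belong to the
        //    caller unless the caller holds the admin role (CWE-285).
        $report = $this->db->get_where('reports', ['id' => (int) $id])->row();
        if ($report === null) {
            show_error('Not found', 404);
        }
        $role = $this->session->userdata('role');
        if ($role !== 'admin' && (int) $report->owner_id !== (int) $user_id) {
            log_message('error', "deletereport denied: user $user_id, report $id");
            show_error('Forbidden', 403);
        }
        // 5. Delete only the row that passed the checks.
        $this->db->where('id', (int) $report->id)->delete('reports');
        redirect('report');
    }
}
```

The denied-access log line in step 4 is what a detection rule would key on: repeated 403s from one session across many report ids are the signature of an attempt to enumerate the user-controlled key.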

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 11:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 08:45:00 +0000

Values Removed: (none)
Values Added:

Description: A security flaw has been discovered in CodeAstro Complaint Management System 1.0. The affected element is the function deletereport of the file application/controllers/Report.php of the component Report Endpoint. The manipulation results in authorization bypass. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Title: CodeAstro Complaint Management System Report Endpoint Report.php deletereport authorization
First Time appeared: Codeastro; Codeastro complaint Management System
Weaknesses: CWE-285; CWE-639
CPEs: cpe:2.3:a:codeastro:complaint_management_system:*:*:*:*:*:*:*:*
Vendors & Products: Codeastro; Codeastro complaint Management System
References: (none listed)
Metrics:
cvssV2_0
{'score': 6.4, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0
{'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1
{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T10:33:43.126Z

Reserved: 2026-06-28T11:02:47.093Z

Link: CVE-2026-13549

Vulnrichment

Updated: 2026-06-29T10:33:39.982Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T09:30:17Z

Weaknesses
  • CWE-285: Improper Authorization
  • CWE-639: Authorization Bypass Through User-Controlled Key