Description
A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addMenu/updateMenu/deleteMenu of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\MenuController.java of the component Menu Management. Executing a manipulation can lead to improper authorization. The attack may be launched remotely. The exploit has been published and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Assess Impact
AI Analysis

Impact

The vulnerability is an improper authorization flaw in the deleteMenu endpoint of MenuController. It allows an attacker to execute delete or update operations on menu items without proper authorization, leading to unauthorized data modification and potential loss of critical menu configurations. This weakness is categorized as CWE‑266 and CWE‑285 and may compromise the integrity of the application data.

Affected Systems

The affected product is yeqifu warehouse, a repository-based, rolling‑release web application. No discrete version numbers are available because the project follows a continuous delivery model, but the vulnerability exists in all releases up to the commit aaf29962ba407d22d991781de28796ee7b4670e4 and likely in newer ones until patched.

Risk and Exploitability

The publicly disclosed exploit demonstrates that the vulnerability can be leveraged remotely via crafted requests. Despite a CVSS score of 5.3 indicating moderate severity, the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The issue does not appear in the CISA KEV catalog, and the project has not yet released a fix, meaning attackers remain able to target exposed instances until a patch is applied.

Generated by OpenCVE AI on April 17, 2026 at 22:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the current repository revision and apply any official update or patch released by yeqifu that addresses the deleteMenu authorization issue.
  • Restrict remote access to the menu management API by enforcing firewall rules or network segmentation, ensuring that only trusted administrators can reach the deleteMenu endpoint.
  • If no patch is available, temporarily disable the deleteMenu functionality or revoke delete permissions for all users until the vulnerability is resolved.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:yeqifu:warehouse:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Yeqifu; Yeqifu warehouse
Vendors & Products | | Yeqifu; Yeqifu warehouse

Sat, 07 Feb 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addMenu/updateMenu/deleteMenu of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\MenuController.java of the component Menu Management. Executing a manipulation can lead to improper authorization. The attack may be launched remotely. The exploit has been published and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
Title | | yeqifu warehouse Menu Management MenuController.java deleteMenu improper authorization
Weaknesses | | CWE-266; CWE-285
References | |
Metrics | | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:30:34.477Z

Reserved: 2026-02-06T07:57:20.372Z

Link: CVE-2026-2079

Vulnrichment

Updated: 2026-02-10T15:36:43.185Z

NVD

Status: Analyzed

Published: 2026-02-07T09:16:01.407

Modified: 2026-02-10T15:13:53.337

Link: CVE-2026-2079

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z

Weaknesses