Description
A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The affected element is the function addDept/updateDept/deleteDept of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\DeptController.java of the component Department Management. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization / Privilege Escalation
Action: Assess Impact
AI Analysis

Impact

A flaw has been discovered in the Department Management component of yeqifu warehouse, specifically in the addDept, updateDept and deleteDept functions of DeptController.java. The logic fails to enforce proper authorization, enabling an attacker to execute department modifications or deletions that should be restricted to privileged users. This flaw is classified as a permissions‑based weakness (CWE‑266) and an authorization control weakness (CWE‑285). The consequence is the potential compromise of department data integrity and a possible elevation of privileges if the attacker gains access to the affected operations.

Affected Systems

The vulnerability affects all releases of yeqifu warehouse up to the commit aaf29962ba407d22d991781de28796ee7b4670e4. Because the project follows rolling releases and does not publish explicit version numbers, any current deployment may still contain the insecure code until a fix is applied.

Risk and Exploitability

With a CVSS score of 5.3 the vulnerability presents a medium severity risk. The EPSS score is below 1%, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. An attacker can launch the exploit remotely, as the flaws reside in publicly exposed API endpoints. Exploitation would require sending crafted requests to the deleteDept (or addDept/updateDept) routes; no additional conditions such as privileged network access are documented. The risk is moderate given the medium CVSS base, but the low exploitation likelihood and absence from KEV temper urgency. Prompt remediation is nevertheless recommended, because improper authorization can lead to data loss or give an attacker broader access within the system.

Generated by OpenCVE AI on April 17, 2026 at 22:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available patch or newer release from the yeqifu warehouse project that fixes authorization checks in the Department Management controller
  • If a patch is not yet released, remove or disable the deleteDept API endpoint for non‑privileged users and enforce strict role‑based access control on all department‑managing routes
  • Adjust application logs to capture all delete or update attempts and review them regularly for suspicious activity
  • Consider disabling the delete functionality entirely until a secure version is deployed
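One way to implement the role-based control and audit logging the actions above call for, as an added illustration that is not the project's own code: a hypothetical department controller that gates addDept, updateDept and deleteDept on an administrative role and records each attempt. The Spring MVC/Spring Security stack, the /dept route paths, the ADMIN role name, and the Dept and DeptService types are all assumptions; the page does not state the project's framework or routes.

```java
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.*;

// Hypothetical hardened controller (assumed stack; not the project's code).
// Requires @EnableMethodSecurity on a configuration class so that
// @PreAuthorize is evaluated before each method body runs.
@RestController
@RequestMapping("/dept")
public class DeptController {
    // Dedicated audit logger so dept changes can be routed to a reviewed log.
    private static final Logger AUDIT = LoggerFactory.getLogger("audit.dept");
    private final DeptService deptService; // assumed service interface

    public DeptController(DeptService deptService) {
        this.deptService = deptService;
    }

    // Read access stays open to any authenticated user.
    @GetMapping("/list")
    public List<Dept> listDepts() {
        return deptService.findAll();
    }

    // Each mutating operation is restricted to the ADMIN role (assumed name).
    // A caller without the role receives 403 and never reaches the body.
    @PostMapping("/addDept")
    @PreAuthorize("hasRole('ADMIN')")
    public Dept addDept(@RequestBody Dept dept, Authentication auth) {
        AUDIT.info("addDept user={} name={}", auth.getName(), dept.getName());
        return deptService.create(dept);
    }

    @PostMapping("/updateDept")
    @PreAuthorize("hasRole('ADMIN')")
    public Dept updateDept(@RequestBody Dept dept, Authentication auth) {
        AUDIT.info("updateDept user={} id={}", auth.getName(), dept.getId());
        return deptService.update(dept);
    }

    @PostMapping("/deleteDept")
    @PreAuthorize("hasRole('ADMIN')")
    public void deleteDept(@RequestParam Long id, Authentication auth) {
        AUDIT.info("deleteDept user={} id={}", auth.getName(), id);
        deptService.delete(id);
    }
}
```

Denied requests never reach the method body, so the audit lines above record only authorized changes; to capture rejected attempts as well, log them from an AccessDeniedHandler registered with Spring Security.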

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 16:15:00 +0000
  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 15:15:00 +0000
  Type: CPEs
  Values Added: cpe:2.3:a:yeqifu:warehouse:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000
  Type: First Time appeared
  Values Added: Yeqifu; Yeqifu warehouse
  Type: Vendors & Products
  Values Added: Yeqifu; Yeqifu warehouse

Sat, 07 Feb 2026 17:15:00 +0000
  Type: Description
  Values Added: A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The affected element is the function addDept/updateDept/deleteDept of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\DeptController.java of the component Department Management. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
  Type: Title
  Values Added: yeqifu warehouse Department Management DeptController.java deleteDept improper authorization
  Type: Weaknesses
  Values Added: CWE-266; CWE-285
  Type: References
  Values Added: (none listed)
  Type: Metrics
  Values Added:
    cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:33:19.050Z

Reserved: 2026-02-06T14:15:55.535Z

Link: CVE-2026-2105

Vulnrichment

Updated: 2026-02-10T15:56:12.317Z

NVD

Status: Analyzed

Published: 2026-02-07T17:15:47.710

Modified: 2026-02-10T15:13:34.863

Link: CVE-2026-2105

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z

Weaknesses