Description
A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The impacted element is the function addNotice/updateNotice/deleteNotice/batchDeleteNotice of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\NoticeController.java of the component Notice Management. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Notice Deletion
Action: Assess Impact
AI Analysis

Impact

A flaw exists in the NoticeController of yeqifu warehouse that allows an attacker to delete notices, including multiple entries in a single operation, without proper authorization. The lack of authentication checks means any remote client that can reach the batchDeleteNotice endpoint can instruct the system to remove notices from the database. This leads to integrity violations and loss of legitimate information, potentially disrupting business processes. The weakness is an improper privilege management flaw (CWE-266) combined with an improper authorization issue (CWE-285).

Affected Systems

Any deployment of yeqifu warehouse that uses the Notice Management component, up to commit aaf29962ba407d22d991781de28796ee7b4670e4. The exact affected revision and updated releases are not publicly identified.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a very low current exploitation probability. It is not yet listed in the CISA KEV catalog. Attackers would need remote network access to the NoticeController API and could trigger the vulnerability using the batchDeleteNotice operation, bypassing any role checks. Because the product uses continuous delivery with rolling releases, the absence of a patch and the vendor’s delayed response elevate concern for systems that remain exposed.

Generated by OpenCVE AI on April 17, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict or disable the batchDeleteNotice endpoint in production and enforce strict role‑based access controls for all NoticeController operations
  • Apply a temporary internal firewall rule to block external traffic to the affected API endpoints until a patch or official fix is released
  • Monitor application logs for unexpected delete requests and investigate any unauthorized notice deletions
  • Contact the yeqifu organization to expedite the issuance of a security fix



Advisories

No advisories yet.

History

Tue, 10 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:yeqifu:warehouse:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Yeqifu; Yeqifu warehouse
Vendors & Products | | Yeqifu; Yeqifu warehouse

Sat, 07 Feb 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The impacted element is the function addNotice/updateNotice/deleteNotice/batchDeleteNotice of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\NoticeController.java of the component Notice Management. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Title | | yeqifu warehouse Notice Management NoticeController.java batchDeleteNotice improper authorization
Weaknesses | | CWE-266; CWE-285
References | |
Metrics | | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:33:32.862Z

Reserved: 2026-02-06T14:16:00.975Z

Link: CVE-2026-2106

Vulnrichment

Updated: 2026-02-10T15:59:55.464Z

NVD

Status: Analyzed

Published: 2026-02-07T18:15:47.310

Modified: 2026-02-10T15:13:15.323

Link: CVE-2026-2106

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z
