CVE-2026-2549 - Vulnerability Details

- zhanghuanhao LibrarySystem 图书馆管理系统 BookController.java access control

Description

A vulnerability has been found in zhanghuanhao LibrarySystem 图书馆管理系统 up to 1.1.1. This impacts an unknown function of the file BookController.java. The manipulation leads to improper access controls. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Published: 2026-02-16

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in the zhanghuanhao LibrarySystem 图书馆管理系统 arises from an incorrect authorization check in the BookController.java module. Attackers can manipulate request parameters to bypass intended access restrictions, thereby gaining privileged access to book‑management functions. The flaw is a classic example of an authorization bypass or improper access control (CWE‑266 and CWE‑284), which threatens the confidentiality and integrity of library catalog data.

Affected Systems

This issue impacts the zhanghuanhao LibrarySystem application in all versions up to and including 1.1.1. Systems that have not upgraded beyond that release are potentially exposed. The vulnerability is limited to the BookController component responsible for handling book‑related requests.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.9, indicating moderate severity, while the EPSS probability is below 1 percent, pointing to a low chance of exploitation at the time of analysis. It is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation. Nonetheless, an attacker with remote access could exploit the flaw, given the absence of response from the project maintainers and the public availability of the exploit code.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

zhanghuanhao

LibrarySystem 图书馆管理系统

affected

Version	Status	Constraints
`1.1.0`	affected	—
`1.1.1`	affected	—

No data.

Vendor Product Confidence Versions

Zhanghuanhao

Librarysystem

—

Version	Status	Scheme	Platform
`1.1.0`	affected	semver	—
`1.1.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any vendor‑released patch that addresses the authorization bypass in BookController.java as soon as it becomes available.
Implement temporary network‑level restrictions, such as firewall rules or IP whitelisting, to limit who can reach the BookController endpoints until a patch is applied.
Add or enforce explicit role‑based access checks in the application code, ensuring that only authorized users can perform book‑management actions.
Continuously monitor logs for anomalous privilege‑escalation activity, particularly unexpected requests to book‑management URLs, and investigate any suspicious patterns.

Generated by OpenCVE AI on April 17, 2026 at 19:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00061.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/zhanghuanhao/LibrarySystem/issues/32
https://github.com/zhanghuanhao/LibrarySystem/issues/32#issue-3879640487
https://vuldb.com/?ctiid.346158
https://vuldb.com/?id.346158
https://vuldb.com/?submit.749873

History

Tue, 17 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zhanghuanhao Zhanghuanhao librarysystem
Vendors & Products		Zhanghuanhao Zhanghuanhao librarysystem

Mon, 16 Feb 2026 10:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in zhanghuanhao LibrarySystem 图书馆管理系统 up to 1.1.1. This impacts an unknown function of the file BookController.java. The manipulation leads to improper access controls. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title		zhanghuanhao LibrarySystem 图书馆管理系统 BookController.java access control
Weaknesses		CWE-266 CWE-284
References		https://github.com/zhanghuanhao/LibrarySystem/issues/32 https://github.com/zhanghuanhao/LibrarySystem/issues/32#issue-3879640487 https://vuldb.com/?ctiid.346158 https://vuldb.com/?id.346158 https://vuldb.com/?submit.749873
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Zhanghuanhao Librarysystem

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-16T09:32:06.062Z

Updated: 2026-02-23T10:08:08.223Z

Reserved: 2026-02-15T16:06:15.489Z

Link: CVE-2026-2549

Vulnrichment

Updated: 2026-02-17T16:54:09.893Z

NVD

Status : Deferred

Published: 2026-02-16T10:16:08.403

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2549

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:15:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object