Description
A vulnerability was determined in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addInport/updateInport/deleteInport of the file dataset\repos\warehouse\src\main\java\com\yeqifu\bus\controller\InportController.java of the component Inport Endpoint. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper access control enables remote deletion and modification of inport data
Action: Mitigate
AI Analysis

Impact

The vulnerability is an improper access control flaw in yeqifu’s Inport endpoint, specifically in the addInport, updateInport, and deleteInport functions. An attacker can remotely send HTTP requests to these endpoints and bypass authentication checks, allowing them to delete or modify inventory data without authorization. The flaw aligns with CWE‑266 and CWE‑284, undermining data integrity and potentially disrupting warehouse operations.

Affected Systems

Yeqifu warehouse, an open‑source inventory management system hosted at github.com/yeqifu/warehouse. The affected code is present in all releases up to commit aaf29962ba407d22d991781de28796ee7b4670e4. Because the project employs a rolling‑release model, specific version numbers are not supplied; administrators should examine the commit history or query the GitHub repository for the latest fix.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, and the EPSS score is below 1%, suggesting a very low probability of observed exploitation in the wild. The vulnerability is exploitable remotely via HTTP requests and is publicly disclosed, but the absence of a KEV listing indicates it has not yet been widely leveraged. While the risk remains moderate, the lack of a public patch and the potential for data loss warrant proactive mitigation. The likely attack vector is unauthorized remote access to the Inport endpoints without proper authentication.

Generated by OpenCVE AI on April 17, 2026 at 17:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Retrieve and deploy the latest commit from the yeqifu/warehouse GitHub repository that resolves the access‑control issue; ensure the hosts are not running a vulnerable commit.
  • Limit exposure of the Inport endpoint to authenticated users only by implementing role‑based access controls or firewalls that restrict traffic to trusted networks.
  • Enable comprehensive logging of all delete and update actions on the Inport endpoint and alert on any unauthorized activity.



Advisories

No advisories yet.

History

Thu, 26 Feb 2026 02:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:yeqifu:warehouse:*:*:*:*:*:*:*:*

Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Yeqifu; Yeqifu warehouse
Vendors & Products | | Yeqifu; Yeqifu warehouse

Fri, 20 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addInport/updateInport/deleteInport of the file dataset\repos\warehouse\src\main\java\com\yeqifu\bus\controller\InportController.java of the component Inport Endpoint. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Title | | yeqifu warehouse Inport Endpoint InportController.java deleteInport access control
Weaknesses | | CWE-266, CWE-284
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-20T18:55:11.782Z

Reserved: 2026-02-20T09:00:52.511Z

Link: CVE-2026-2851

Vulnrichment

Updated: 2026-02-20T18:55:04.092Z

NVD

Status: Analyzed

Published: 2026-02-20T18:25:54.170

Modified: 2026-02-26T02:39:33.243

Link: CVE-2026-2851

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z

Weaknesses