Description
A vulnerability was identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This issue affects the function addSales/updateSales/deleteSales of the file dataset\repos\warehouse\src\main\java\com\yeqifu\bus\controller\SalesController.java of the component Sales Endpoint. The manipulation leads to improper access controls. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Access Control in Sales Deletion
Action: Assess Impact
AI Analysis

Impact

The vulnerability is an improper access control flaw in the SalesController of yeqifu warehouse. The CVE description names three handlers, addSales, updateSales and deleteSales, while the record title singles out deleteSales. The description indicates that sales records could be created, modified or deleted without the caller being properly authorized (inferred from the description; the public exploit is not reproduced on this page). That would compromise the integrity and availability of sales data. The record carries CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control).

Affected Systems

The flaw affects yeqifu warehouse up to and including commit aaf29962ba407d22d991781de28796ee7b4670e4. Because the project follows a rolling release model, no version numbers are listed, and since no fix has been published, any instance built from that commit or an earlier one should be treated as vulnerable. The affected component is the Sales Endpoint implemented in the SalesController class.

Risk and Exploitability

The CVSS 4.0 base score of 5.3 (the 3.1 vector scores 6.3) indicates medium severity, while the EPSS score below 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. All of the published vectors carry AV:N and PR:L: the attack is remote over the exposed HTTP endpoint but requires an account with low privileges, so the question is what an ordinary authenticated user can do with the sales handlers. The description does not say which check is missing (the lack of enforcement is inferred), so the actual impact on a given deployment depends on which authorization checks, if any, sit in front of the SalesController.

Generated by OpenCVE AI on April 18, 2026 at 11:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Enforce authentication and role‑based authorization on the addSales, updateSales and deleteSales handlers in SalesController so that only users holding the corresponding privilege can create, modify or delete sales records; a role check alone does not stop one authorized user acting on another user's records, so add an object‑level (ownership) check where the data model supports it.
  • Until the project publishes a fix, restrict the sales endpoints to trusted users and networks at the reverse proxy or WAF; the advisory does not state the HTTP method or route, so derive the rule from the mappings in SalesController.java rather than from a guessed path.
  • Monitor application and access logs for requests to the sales handlers that are rejected or that come from unexpected accounts, and alert on repeated failures from the same principal or source address.
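As an added example, not code from the yeqifu warehouse repository (whose controller is not reproduced on this page), the following Java shows the unchecked handler pattern the advisory describes beside a hardened form that implements the first and third recommendations above. It assumes Spring MVC with Spring Security method security enabled, a SalesService and a Sales entity with a createdBy field, and the authority names SALES_DELETE and ROLE_ADMIN; none of these are confirmed by the advisory, which only names the addSales/updateSales/deleteSales handlers.

```java
// Added example, not code from the yeqifu warehouse project.
// Assumed: Spring MVC + Spring Security with @EnableMethodSecurity on the
// application class, the SalesService/Sales shapes stubbed below, and the
// authority names SALES_DELETE and ROLE_ADMIN. Handler name from the advisory.
package example;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// BEFORE (CWE-284 pattern): once a request reaches the handler it is acted on.
// Whether an unauthenticated client or an ordinary user can reach it depends
// entirely on filters configured elsewhere; the handler itself checks nothing.
// Shown for contrast only; it maps the same route as the hardened class and
// would not be registered alongside it in a real deployment.
@RestController
@RequestMapping("/sales")
class VulnerableSalesController {
    private final SalesService salesService;
    VulnerableSalesController(SalesService s) { this.salesService = s; }

    @PostMapping("/deleteSales")
    public String deleteSales(@RequestParam Integer id) {
        salesService.deleteById(id);   // no role check, no ownership check
        return "ok";
    }
}

// AFTER: two layers of authorization.
// 1. @PreAuthorize denies the call before the body runs unless the principal
//    holds SALES_DELETE (method security must be enabled or this is a no-op).
// 2. An object-level check: a role alone does not stop one clerk deleting
//    another clerk's records. Unknown ids and foreign ids get the same
//    response so the endpoint cannot be used to enumerate valid sales ids.
@RestController
@RequestMapping("/sales")
class HardenedSalesController {
    private static final Logger log = LoggerFactory.getLogger(HardenedSalesController.class);
    private final SalesService salesService;
    HardenedSalesController(SalesService s) { this.salesService = s; }

    @PreAuthorize("hasAuthority('SALES_DELETE')")
    @PostMapping("/deleteSales")
    public String deleteSales(@RequestParam Integer id) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String user = auth.getName();
        boolean isAdmin = auth.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));

        Sales record = salesService.findById(id);
        boolean allowed = record != null && (isAdmin || user.equals(record.getCreatedBy()));
        if (!allowed) {
            // Stable audit line that a log monitor can key on.
            log.warn("AUTHZ_DENY action=deleteSales user={} salesId={}", user, id);
            throw new AccessDeniedException("not permitted");
        }
        salesService.deleteById(id);
        log.info("AUTHZ_ALLOW action=deleteSales user={} salesId={}", user, id);
        return "ok";
    }
}

// Minimal collaborators so the example compiles; assumed shapes, not the project's.
class Sales {
    private final Integer id;
    private final String createdBy;
    Sales(Integer id, String createdBy) { this.id = id; this.createdBy = createdBy; }
    Integer getId() { return id; }
    String getCreatedBy() { return createdBy; }
}

interface SalesService {
    Sales findById(Integer id);
    void deleteById(Integer id);
}
```

Two points worth checking in a real fix: @PreAuthorize is silently ignored unless method security is switched on (@EnableMethodSecurity in Spring Security 5.6 and later, @EnableGlobalMethodSecurity(prePostEnabled = true) before that), which is itself a common way an access-control check goes missing; and addSales and updateSales need the same two-layer treatment, since the advisory names all three handlers.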

Generated by OpenCVE AI on April 18, 2026 at 11:28 UTC.


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 20:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:yeqifu:warehouse:*:*:*:*:*:*:*:*

Wed, 25 Feb 2026 09:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Yeqifu; Yeqifu warehouse
Type: Vendors & Products
Values Added: Yeqifu; Yeqifu warehouse

Fri, 20 Feb 2026 19:00:00 +0000

Type: Description
Values Added: A vulnerability was identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This issue affects the function addSales/updateSales/deleteSales of the file dataset\repos\warehouse\src\main\java\com\yeqifu\bus\controller\SalesController.java of the component Sales Endpoint. The manipulation leads to improper access controls. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
Type: Title
Values Added: yeqifu warehouse Sales Endpoint SalesController.java deleteSales access control
Type: Weaknesses
Values Added: CWE-266; CWE-284
Type: References
Values Added: (empty)
Type: Metrics
Values Added:
cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-24T14:39:05.081Z

Reserved: 2026-02-20T09:00:55.867Z

Link: CVE-2026-2852

Vulnrichment

Updated: 2026-02-24T14:38:59.398Z

NVD

Status: Analyzed

Published: 2026-02-20T19:23:15.250

Modified: 2026-02-26T20:43:49.660

Link: CVE-2026-2852

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z

Weaknesses