Description
A security vulnerability has been detected in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. Impacted is an unknown function of the file EmployeeController.java. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization
Action: Assess Impact
AI Analysis

Impact

The vulnerability resides in EmployeeController.java of the production_ssm and ssm-erp projects, allowing an attacker to manipulate requests and bypass authorization checks. This flaw is caused by missing or incorrect enforcement of access controls, representing CWE-266 and CWE-285 weaknesses. The attacker can gain unauthorized access to sensitive resources or perform privileged operations, thereby compromising confidentiality, integrity, and potentially availability of the application.

Affected Systems

Affected products are production_ssm and ssm-erp, published under both the feng_ha_ha and megagao names. No fixed version information is provided; the projects follow a rolling release model, and the affected code is identified only by the Git commit 4288d53bd35757b27f2d070057aefb2c07bdd097 and earlier. Any deployment built from that commit or an earlier one is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 5.3 and an EPSS score below 1%, this issue is of medium severity and is not currently listed in the CISA KEV catalog, indicating no known widespread exploitation. The attack is remote, and the description mentions no authentication requirement, implying that the flaw could be abused by anonymous users; note, however, that the CVSS vectors recorded in the history below specify PR:L (CVSS 3.x/4.0) and Au:S (CVSS 2.0), i.e. a low-privileged authenticated account. The risk remains moderate but warrants monitoring, because the flaw permits unauthorized actions and no patch is available.

Generated by OpenCVE AI on April 17, 2026 at 16:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the project’s issue tracker for a fix commit and upgrade to a version that includes the remediation once it becomes available
  • Restrict access to the EmployeeController endpoints by implementing temporary authorization filters or role checks if the application configuration allows it
  • Continuously monitor application logs and user activity for signs of unauthorized access attempts to the affected controller

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 16:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Megagao; Megagao production Ssm; Megagao ssm-erp

Type: Vendors & Products
Values removed: (none)
Values added: Megagao; Megagao production Ssm; Megagao ssm-erp

Sat, 21 Feb 2026 05:00:00 +0000

Type: Description
Values removed: (none)
Values added: A security vulnerability has been detected in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. Impacted is an unknown function of the file EmployeeController.java. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values removed: (none)
Values added: feng_ha_ha/megagao ssm-erp/production_ssm EmployeeController.java improper authorization

Type: Weaknesses
Values removed: (none)
Values added: CWE-266; CWE-285

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added:
cvssV2_0
{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0
{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1
{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-24T15:37:22.550Z

Reserved: 2026-02-20T13:56:17.368Z

Link: CVE-2026-2860

Vulnrichment

Updated: 2026-02-24T15:37:15.811Z

NVD

Status: Deferred

Published: 2026-02-21T05:17:30.210

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2860

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z

Weaknesses