Description
A cross-site request forgery vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. If a user views a malicious page while logged in to the affected product, unexpected operations may be performed.
Published: 2026-05-15
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site request forgery vulnerability exists in Fujitsu’s Musetheque V4 Information Disclosure for IPKNOWLEDGE releases V4L1 rev2203.0 and earlier. The description states that a logged‑in user who views a malicious web page may trigger unexpected operations, implying that the application accepts state‑changing requests without protecting against CSRF. This lack of protection could let an attacker alter data, perform administrative actions, or otherwise manipulate the user’s account without the user’s explicit intention.

Affected Systems

The affected product is Fujitsu Japan Limited’s Musetheque V4 Information Disclosure for IPKNOWLEDGE, specifically version V4L1 rev2203.0 and all prior releases. No other vendors, products, or newer versions are mentioned as affected.

Risk and Exploitability

The flaw has a CVSS v4.0 score of 8.5 (8.1 under CVSS v3.0), indicating high severity. EPSS information is not available and the vulnerability is not listed in CISA’s KEV catalog. While the exact exploitation probability is unknown, the likely attack vector is an external web page that a logged‑in user visits and that issues requests to the target application. From the description it is inferred that no CSRF token validation is performed, which would make the exploitation path straightforward for a motivated adversary.

Generated by OpenCVE AI on May 15, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Musetheque V4 Information Disclosure for IPKNOWLEDGE releases newer than V4L1 rev2203.0 to eliminate the vulnerability.
  • If an upgrade is not immediately possible, configure the application to validate CSRF tokens for all state‑changing requests, rejecting any requests that lack a valid token.
  • Enforce SameSite cookie attributes and same‑origin request policies to reduce the likelihood that a malicious site can initiate cross‑site requests to the application.

Advisories

No advisories yet.

History

Fri, 15 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 07:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery in Fujitsu Musetheque V4 Allowing Unwanted Operations

Fri, 15 May 2026 05:45:00 +0000

Type Values Removed Values Added
Description Cross-site request forgery vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. If a user views a malicious page while logged-in to the affected product, unexpected operations may be done.
Weaknesses CWE-352
References
Metrics cvssV3_0 {'score': 8.1, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
Metrics cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-05-15T11:10:12.778Z

Reserved: 2026-04-06T01:20:25.164Z

Link: CVE-2026-28761

Vulnrichment

Updated: 2026-05-15T11:10:07.912Z

NVD

Status: Deferred

Published: 2026-05-15T06:16:20.213

Modified: 2026-05-15T14:30:03.170

Link: CVE-2026-28761

OpenCVE Enrichment

Updated: 2026-05-15T07:00:10Z
