Description
A vulnerability was found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected by this vulnerability is an unknown functionality of the file /api/Security/ of the component Security API. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization allowing unauthorized system access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability enables improper authorization in the Security API of the Asp.Net-Core-Inventory-Order-Management-System. By manipulating requests to the /api/Security/ endpoint, an attacker can bypass access controls and gain unauthorized access to protected resources, potentially leading to full system compromise. This flaw manifests as a lack of proper authentication checks, fitting CWE-266 (Improper Privilege Management) and CWE-285 (Improper Authorization).

Affected Systems

Affected product: go2ismail Asp.Net-Core-Inventory-Order-Management-System, versions up to and including 9.20250118. The vulnerability pertains to components within the Security API exposed via the /api/Security/ path. No other vendor or product variants are listed as impacted.

Risk and Exploitability

The severity assigned by CVSS is 5.3, indicating a moderate impact, while the EPSS score is below 1%, reflecting a low but non-zero likelihood of exploitation in the environment. The vulnerability is not yet present in CISA's KEV catalog. The likely attack vector is remote, as the flaw can be triggered by external request manipulation to the Security API. An attacker would need to send a crafted request lacking proper authorization, which the system currently fails to validate; such a request can be sent over the network.

Generated by OpenCVE AI on April 17, 2026 at 14:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch or upgrade to a non‑vulnerable version as soon as one becomes available.
  • If no patch is available, block external access to the /api/Security/ endpoint using a firewall or network segmentation, restricting it to trusted IP ranges.
  • Implement or enforce role‑based access controls within the application to ensure that only authorized users can invoke the Security API, addressing the underlying CWE‑266 and CWE‑285 weaknesses.

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Mar 2026 00:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:go2ismail:asp.net-core-inventory-order-management-system:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Go2ismail; Go2ismail asp.net-core-inventory-order-management-system
Vendors & Products | | Go2ismail; Go2ismail asp.net-core-inventory-order-management-system

Thu, 26 Feb 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected by this vulnerability is an unknown functionality of the file /api/Security/ of the component Security API. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | go2ismail Asp.Net-Core-Inventory-Order-Management-System Security API improper authorization
Weaknesses | | CWE-266; CWE-285
References | |
Metrics | | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}; cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}; cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}; cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-03T14:43:28.975Z

Reserved: 2026-02-26T14:39:16.382Z

Link: CVE-2026-3263

Vulnrichment

Updated: 2026-03-03T14:43:24.576Z

NVD

Status: Undergoing Analysis

Published: 2026-02-26T22:20:52.207

Modified: 2026-03-03T00:41:59.543

Link: CVE-2026-3263

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses