CVE-2026-3761 - Vulnerability Details

- SourceCodester Client Database Management System Endpoint superadmin_user_delete.php improper authorization

Description

A flaw has been found in SourceCodester Client Database Management System 1.0. This issue affects some unknown processing of the file /superadmin_user_delete.php of the component Endpoint. Executing a manipulation of the argument user_id can lead to improper authorization. The attack may be performed from remote. The exploit has been published and may be used.

Published: 2026-03-08

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Improper authorization in the /superadmin_user_delete.php endpoint of SourceCodester Client Database Management System 1.0 permits manipulation of the user_id parameter to delete arbitrary user accounts. This flaw can lead to unauthorized data loss and it maps to CWE-266 and CWE-285.

Affected Systems

The vulnerability affects SourceCodester’s Client Database Management System version 1.0, specifically the superadmin_user_delete.php component of the Endpoint directory. No other variants or versions are listed as affected.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, while the EPSS score of less than 1 % denotes a low current exploitation probability and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities list. The description states the attack may be performed from remote; the flaw indicates improper authorization, meaning an attacker lacking sufficient privileges could delete accounts, though it is not clear whether authentication is required. An exploit has already been published, so the risk remains moderate with low likelihood of exploitation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SourceCodester

Client Database Management System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:lerouxyxchire:client_database_management_system:1.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Sourcecodester

Client Database Management System

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any available vendor patch for Client Database Management System 1.0 that addresses the improper authorization in the superadmin_user_delete.php endpoint, if such a patch has been released.
Restrict access to the superadmin_user_delete.php endpoint by enforcing authentication and role‑based access controls, ensuring that only legitimate superadmin sessions can send delete requests and validating the user_id parameter against authorized accounts.
If a patch is not yet released, disable or restrict the delete endpoint, require manual approval for user deletions, and monitor application logs for unauthorized deletion attempts.

Generated by OpenCVE AI on April 18, 2026 at 09:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://gist.github.com/Adarshh-A/dd8884d768d9dde9072fe5efce453824
https://vuldb.com/?ctiid.349739
https://vuldb.com/?id.349739
https://vuldb.com/?submit.768120
https://www.sourcecodester.com/

History

Fri, 13 Mar 2026 03:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Lerouxyxchire Lerouxyxchire client Database Management System
CPEs		cpe:2.3:a:lerouxyxchire:client_database_management_system:1.0:::::::*
Vendors & Products		Lerouxyxchire Lerouxyxchire client Database Management System

Mon, 09 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sourcecodester Sourcecodester client Database Management System
Vendors & Products		Sourcecodester Sourcecodester client Database Management System

Sun, 08 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in SourceCodester Client Database Management System 1.0. This issue affects some unknown processing of the file /superadmin_user_delete.php of the component Endpoint. Executing a manipulation of the argument user_id can lead to improper authorization. The attack may be performed from remote. The exploit has been published and may be used.
Title		SourceCodester Client Database Management System Endpoint superadmin_user_delete.php improper authorization
Weaknesses		CWE-266 CWE-285
References		https://gist.github.com/Adarshh-A/dd8884d768d9dde9072fe5efce453824 https://vuldb.com/?ctiid.349739 https://vuldb.com/?id.349739 https://vuldb.com/?submit.768120 https://www.sourcecodester.com/
Metrics		cvssV2_0 `{'score': 5.5, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Lerouxyxchire Client Database Management System

Sourcecodester Client Database Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-08T18:32:11.412Z

Updated: 2026-03-11T19:23:35.033Z

Reserved: 2026-03-07T20:42:10.785Z

Link: CVE-2026-3761

Vulnrichment

Updated: 2026-03-11T19:23:30.447Z

NVD

Status : Analyzed

Published: 2026-03-08T19:16:01.387

Modified: 2026-03-09T15:06:14.133

Link: CVE-2026-3761

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:45:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object