Description
A vulnerability has been found in SourceCodester Client Database Management System 1.0/3.1. Impacted is an unknown function of the file /superadmin_delete_manager.php of the component Endpoint. The manipulation of the argument manager_id leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-03-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper authorization could allow remote deletion of manager accounts.
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the /superadmin_delete_manager.php endpoint of SourceCodester Client Database Management System. The manager_id parameter is not validated against user privileges, enabling an attacker to delete a manager record without holding superadmin rights. This flaw corresponds to CWE-266 (Broken Access Control) and CWE-285 (Improper Privilege Management). The direct consequence is loss of data integrity and availability for administrative records; the attacker cannot execute arbitrary code, but can remove legitimate manager accounts, potentially disrupting business processes.

Affected Systems

The affected product is SourceCodester Client Database Management System, versions 1.0 and 3.1. The vulnerability is present in the web-reachable endpoint of the system distributed by SourceCodester.

Risk and Exploitability

An attacker can exploit the flaw by sending a crafted HTTP request containing an arbitrary manager_id from any remote machine. The EPSS score is below 1%, indicating a low likelihood of exploitation, and the vulnerability is not listed in KEV. Nonetheless, the CVSS score of 6.9 reflects a moderate severity due to the potential for data removal. The attack vector is inferred to be remote via the web interface because the endpoint is publicly reachable. The impact remains confined to the deletion of manager records, which can still destabilize operations if key staff accounts are removed.

Generated by OpenCVE AI on April 16, 2026 at 04:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and apply the vendor’s latest patch or upgrade to a version that removes the insecure endpoint.
  • If a patch is unavailable, restrict access to /superadmin_delete_manager.php so that only authenticated superadmin users can invoke it by enforcing proper authorization checks.
  • Monitor system logs for repeated or unexpected delete attempts and investigate any unauthorized deletions promptly.
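The second and third recommendations above amount to a server-side authorization check plus an audit trail. The following is an added example of what a hardened delete-manager handler looks like; it is not SourceCodester's code and nothing on this page shows the real endpoint's internals. It assumes a PHP session that stores user_id and role, a db.php that provides a PDO handle $pdo, a managers table with an integer id column, and a per-session CSRF token; all of these names are assumptions.

```php
<?php
// Added example (not the project's code). Assumed names: $_SESSION['user_id'],
// $_SESSION['role'], $_SESSION['csrf_token'], db.php providing $pdo, and a
// `managers` table with an integer `id` column.
declare(strict_types=1);
session_start();
require __DIR__ . '/db.php'; // assumed: defines $pdo (PDO instance)

function deny(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

$remote = $_SERVER['REMOTE_ADDR'] ?? 'unknown';

// 1. Authentication: an anonymous request must never reach the delete logic.
if (empty($_SESSION['user_id'])) {
    deny(401, 'Authentication required');
}

// 2. Authorization: only the superadmin role may delete managers. This is the
//    server-side check whose absence the advisory describes; the client-side
//    menu hiding a link is not a substitute. Denials are logged so the
//    "monitor for unexpected delete attempts" recommendation has data.
if (($_SESSION['role'] ?? '') !== 'superadmin') {
    error_log(sprintf('DENIED manager delete: user=%d role=%s ip=%s',
        (int) $_SESSION['user_id'], (string) ($_SESSION['role'] ?? ''), $remote));
    deny(403, 'Forbidden');
}

// 3. A state-changing action should be POST-only and carry a CSRF token, so a
//    legitimately logged-in superadmin cannot be driven to delete via a link.
//    An empty session token is treated as invalid: hash_equals('', '') is true.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny(405, 'Method not allowed');
}
$expectedToken = (string) ($_SESSION['csrf_token'] ?? '');
$givenToken    = (string) ($_POST['csrf_token'] ?? '');
if ($expectedToken === '' || !hash_equals($expectedToken, $givenToken)) {
    error_log(sprintf('DENIED manager delete (bad CSRF token): user=%d ip=%s',
        (int) $_SESSION['user_id'], $remote));
    deny(403, 'Invalid CSRF token');
}

// 4. Input validation: manager_id must be a positive integer, nothing else.
$managerId = filter_input(INPUT_POST, 'manager_id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($managerId === false || $managerId === null) {
    deny(400, 'Invalid manager_id');
}

// 5. Parameterised delete, then an audit line naming who deleted what.
$stmt = $pdo->prepare('DELETE FROM managers WHERE id = :id');
$stmt->execute([':id' => $managerId]);
error_log(sprintf('AUDIT manager delete: manager_id=%d by superadmin=%d ip=%s rows=%d',
    $managerId, (int) $_SESSION['user_id'], $remote, $stmt->rowCount()));

header('Location: /superadmin_managers.php'); // assumed redirect target
exit;
```

The order of the checks matters: authentication and role are verified before the request body is even looked at, so an unauthorized caller learns nothing about whether a given manager_id exists. The DENIED and AUDIT log lines give the log monitoring in the third recommendation concrete strings to alert on.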


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 15:15:00 +0000

Type: First Time appeared
Values Added: Lerouxyxchire; Lerouxyxchire client Database Management System
Type: CPEs
Values Added: cpe:2.3:a:lerouxyxchire:client_database_management_system:1.0:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Lerouxyxchire; Lerouxyxchire client Database Management System

Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Sourcecodester; Sourcecodester client Database Management System
Type: Vendors & Products
Values Added: Sourcecodester; Sourcecodester client Database Management System

Sun, 08 Mar 2026 19:00:00 +0000

Type: Description
Values Added: A vulnerability has been found in SourceCodester Client Database Management System 1.0/3.1. Impacted is an unknown function of the file /superadmin_delete_manager.php of the component Endpoint. The manipulation of the argument manager_id leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Type: Title
Values Added: SourceCodester Client Database Management System Endpoint superadmin_delete_manager.php improper authorization
Type: Weaknesses
Values Added: CWE-266; CWE-285
Type: References
Type: Metrics
Values Added:
  cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-11T19:21:37.409Z

Reserved: 2026-03-07T20:42:13.334Z

Link: CVE-2026-3762

Vulnrichment

Updated: 2026-03-11T19:21:33.110Z

NVD

Status : Analyzed

Published: 2026-03-08T19:16:01.593

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3762

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:15:24Z

Weaknesses