Description
A security vulnerability has been detected in projectsend up to r1945. The affected element is an unknown function of the component AJAX Endpoints. The manipulation leads to missing authorization. The attack can be initiated remotely. The identifier of the patch is 35dfd6f08f7d517709c77ee73e57367141107e6b. To fix this issue, it is recommended to deploy a patch.
Published: 2026-03-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Patch Now
AI Analysis

Impact

A remote attacker can invoke an unknown function within ProjectSend's AJAX Endpoints that does not perform the authorization check it should. By exploiting this missing authorization, an attacker holding a low-privileged account can reach protected functionality, potentially compromising the confidentiality, integrity and availability of data (the published CVSS vectors rate each impact as Low). The weakness is classified as CWE-862 (Missing Authorization) and CWE-863 (Incorrect Authorization).

Affected Systems

ProjectSend revisions up to r1945 are affected. Any deployment whose code does not include commit 35dfd6f08f7d517709c77ee73e57367141107e6b should be treated as vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS v4.0 score of 5.3 (Medium) and an EPSS score below 1%, indicating a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. The attack vector is network (AV:N), but every published CVSS vector requires low privileges (PR:L), so the attacker needs an authenticated account on the ProjectSend instance rather than an unauthenticated request. The moderate severity and low exploitation likelihood still warrant patching, although any exploitation is more likely to be opportunistic than targeted.

Generated by OpenCVE AI on March 18, 2026 at 15:19 UTC.

Remediation

No vendor advisory or workaround is currently listed; the fix is identified only by commit 35dfd6f08f7d517709c77ee73e57367141107e6b.

OpenCVE Recommended Actions

  • Upgrade to a ProjectSend revision later than r1945 that includes commit 35dfd6f08f7d517709c77ee73e57367141107e6b, or apply that commit to the installed tree
  • Verify that the ProjectSend installation has been updated to a patched version
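One way to carry out the verification step above, added here as an example and not part of OpenCVE's or ProjectSend's own tooling. It assumes the installation records its revision as a quoted 'rNNNN' string in a PHP version file (the file path in the usage comment is an assumption; adjust it to the deployed tree) and that the fix ships in a revision numbered above r1945. A revision number alone cannot prove that commit 35dfd6f08f7d517709c77ee73e57367141107e6b is present; on a source checkout, `git merge-base --is-ancestor 35dfd6f08f7d517709c77ee73e57367141107e6b HEAD` answers that directly.

```shell
#!/bin/sh
# Added example, not ProjectSend's own code: decide whether an installed
# ProjectSend tree is at a revision later than r1945, the last revision the
# advisory lists as affected.
# Assumption: the install keeps its revision as a quoted string such as
# 'r1945' in a PHP file (the path in the usage line below is a guess).

LAST_AFFECTED=1945

# Print the numeric part of the first quoted 'rNNNN' token in a file.
# Returns 1 if the file is unreadable or holds no revision string.
projectsend_revision() {
    file="$1"
    rev=$(grep -o "['\"]r[0-9]\{1,\}['\"]" "$file" 2>/dev/null \
          | head -n 1 | tr -d "'\"r")
    [ -n "$rev" ] || return 1
    printf '%s\n' "$rev"
}

# Exit status: 0 = revision later than r1945 (patched per the advisory),
# 1 = r1945 or older (vulnerable), 2 = no revision found (unknown; do not
# treat unknown as safe).
projectsend_is_patched() {
    rev=$(projectsend_revision "$1") || return 2
    [ "$rev" -gt "$LAST_AFFECTED" ]
}

# Usage: sh check_projectsend.sh /var/www/projectsend/includes/version.php
if [ $# -ge 1 ]; then
    projectsend_is_patched "$1"
    case $? in
        0) echo "patched: revision later than r$LAST_AFFECTED" ;;
        1) echo "VULNERABLE: revision r$LAST_AFFECTED or older" ;;
        *) echo "unknown: no revision string found in $1" ;;
    esac
fi
```

The three-way exit status matters in practice: a scanner that maps "no version string found" to "not vulnerable" will silently pass over installs whose version file has moved or been renamed.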


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 17:15:00 +0000

Type       Values Removed   Values Added
Metrics    (none)           ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 03:45:00 +0000

Type                 Values Removed   Values Added
Description          (none)           A security vulnerability has been detected in projectsend up to r1945. The affected element is an unknown function of the component AJAX Endpoints. The manipulation leads to missing authorization. The attack can be initiated remotely. The identifier of the patch is 35dfd6f08f7d517709c77ee73e57367141107e6b. To fix this issue, it is recommended to deploy a patch.
Title                (none)           projectsend AJAX Endpoints authorization
First Time appeared  (none)           Projectsend
                                      Projectsend projectsend
Weaknesses           (none)           CWE-862
                                      CWE-863
CPEs                 (none)           cpe:2.3:a:projectsend:projectsend:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Projectsend
                                      Projectsend projectsend
References           (none)           (none)
Metrics              (none)           cvssV2_0
                                      {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}
                                      cvssV3_0
                                      {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
                                      cvssV3_1
                                      {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
                                      cvssV4_0
                                      {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T16:17:36.867Z

Reserved: 2026-03-11T14:20:26.569Z

Link: CVE-2026-3977

Vulnrichment

Updated: 2026-03-12T13:55:24.759Z

NVD

Status : Awaiting Analysis

Published: 2026-03-12T04:16:39.867

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-3977

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:08Z

Weaknesses