CVE-2026-44987 - Vulnerability Details

Description

SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can reset the Superusers' passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves "Project Admin" permissions. This is intentional and by design. This issue has been patched in version 2026.29.

Published: 2026-05-08

Score: 3.8 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in SysReptor allows a user with User Admin rights to modify the email addresses of users with Superuser permissions; if the application’s Forgot Password flow is enabled and the target Superuser has no multi‑factor authentication, the attacker can trigger a password reset and subsequently authenticate with superuser privileges. This grants full control of the Django administration interface and the ability to alter system settings and project permissions, effectively elevating the attacker’s authority over all pentest projects. The vulnerability represents a loss of isolation between privilege levels and is formally classified as CWE‑269.

Affected Systems

Syslifters SysReptor versions earlier than 2026.29 are affected; the vulnerability exists in the core reporting platform used for pentest documentation and project management.

Risk and Exploitability

The CVSS score of 3.8 indicates a low severity risk when viewed in isolation, and the EPSS score is not available, implying limited publicly known exploitation activity. The issue is not listed in CISA’s KEV catalog. However, the attack vector, as inferred from the description, is internal: an attacker must already possess User Admin rights. Given that such users can alter Superuser email addresses, the compromise path is straightforward. Once the password is reset, the attacker can assume Superuser privileges, which provides complete administrative control over the platform.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Syslifters

sysreptor

affected

Version	Status	Constraints
`< 2026.29`	affected	—

No data.

Vendor Product Confidence Versions

Syslifters

Sysreptor

100%

Version	Status	Scheme	Platform
`[0,2026.29)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade SysReptor to version 2026.29 or later to apply the vendor‑issued fix.
Ensure that all Superuser accounts have multi‑factor authentication enabled and either disable the Forgot Password feature or restrict it so that only true Superusers can use it.
Restrict User Admin permissions to verified personnel and regularly audit assignments.

Generated by OpenCVE AI on May 9, 2026 at 00:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00019.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/Syslifters/sysreptor/releases/tag/2026.29
https://github.com/Syslifters/sysreptor/security/advisories/GHSA-6x8f-v3cf-cvr3

History

Sat, 09 May 2026 01:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Syslifters Syslifters sysreptor
Vendors & Products		Syslifters Syslifters sysreptor

Fri, 08 May 2026 22:30:00 +0000

Type	Values Removed	Values Added
Description		SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can reset the Superusers' passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves "Project Admin" permissions. This is intentional and by design. This issue has been patched in version 2026.29.
Title		SysReptor: Privilege Escalation from User Admin to Superuser
Weaknesses		CWE-269
References		https://github.com/Syslifters/sysreptor/releases/tag/2026.29 https://github.com/Syslifters/sysreptor/security/advisories/GHSA-6x8f-v3cf-cvr3
Metrics		cvssV3_1 `{'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Syslifters Sysreptor

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-08T21:59:12.204Z

Updated: 2026-05-08T21:59:12.204Z

Reserved: 2026-05-08T16:23:33.265Z

Link: CVE-2026-44987

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T23:16:39.917

Modified: 2026-05-08T23:16:39.917

Link: CVE-2026-44987

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T00:45:21Z

Weaknesses

CWE-269

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object