Description
A flaw has been found in PbootCMS up to 3.2.12. Affected by this issue is some unknown functionality of the file apps/admin/controller/system/UserController.php of the component Backend. Executing a manipulation of the argument Field can lead to improper access controls. The attack may be performed from remote. The exploit has been published and may be used.
Published: 2026-03-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization
Action: Immediate Patch
AI Analysis

Impact

PbootCMS versions up to 3.2.12 contain a flaw in the UserController.php component that permits remote manipulation of the Field argument. This weakness allows an attacker to alter arbitrary user data or configuration settings, bypassing the intended access controls and potentially enabling privilege escalation or unauthorized data modification. The vulnerability is classified under CWE-266 and CWE-284, indicating problems with authority management and improper access control.

Affected Systems

The affected product is PbootCMS, specifically all releases up to and including 3.2.12. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS v3.1 score is 5.3, representing a medium severity. EPSS information is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting it may not be actively exploited in the wild. Nonetheless, an exploit has been published and the attack can be carried out remotely, likely by sending crafted requests to the backend API. The lack of explicit authentication requirements in the description means the risk may vary depending on the deployment’s exposure, but a remote attacker with access to the backend portal could leverage this weakness.

Generated by OpenCVE AI on March 21, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PbootCMS to version 3.2.13 or newer.

Generated by OpenCVE AI on March 21, 2026 at 12:20 UTC.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Values Added

Metrics: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 21 Mar 2026 11:00:00 +0000

Values Added

Description: A flaw has been found in PbootCMS up to 3.2.12. Affected by this issue is some unknown functionality of the file apps/admin/controller/system/UserController.php of the component Backend. Executing a manipulation of the argument Field can lead to improper access controls. The attack may be performed from remote. The exploit has been published and may be used.
Title: PbootCMS Backend UserController.php access control
First Time appeared: Pbootcms; Pbootcms pbootcms
Weaknesses: CWE-266, CWE-284
CPEs: cpe:2.3:a:pbootcms:pbootcms:*:*:*:*:*:*:*:*
Vendors & Products: Pbootcms; Pbootcms pbootcms
References:
Metrics:

cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-23T16:44:51.027Z

Reserved: 2026-03-20T14:35:02.637Z

Link: CVE-2026-4514

Vulnrichment

Updated: 2026-03-23T16:44:44.532Z

NVD

Status: Awaiting Analysis

Published: 2026-03-21T11:17:06.723

Modified: 2026-03-23T14:31:37.267

Link: CVE-2026-4514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:41:15Z

Weaknesses