Description
A security flaw has been discovered in MacCMS 2025.1000.4052. This affects an unknown part of the file application/api/controller/Timming.php of the component Timming API Endpoint. The manipulation results in missing authentication. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
Published: 2026-03-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch Immediately
AI Analysis

Impact

A flaw in MacCMS 2025.1000.4052 allows attackers to bypass authentication on the Timming.php endpoint of the Timing API. Because this endpoint is reachable remotely, an unauthenticated user can invoke any functionality it exposes, potentially exposing sensitive data or manipulating system state. The vulnerability is an Authentication Failure (CWE-287) and a Missing Authentication (CWE-306).

Affected Systems

MacCMS 2025.1000.4052 is affected. The vulnerability resides in the application/api/controller/Timming.php component. No other affected versions are currently listed.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate to high impact, while the EPSS score is not available and the vulnerability is not yet listed in CISA KEV. The attack can be performed remotely via the public API. Exploit code is publicly available, increasing the likelihood of real‑world attacks and making this vulnerability a significant risk for organizations running the affected MacCMS version.

Generated by OpenCVE AI on March 23, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MacCMS update that addresses Timming.php authentication, or upgrade to a newer release if a fixed version is released. If an update is not yet available, restrict network access to the Timing API endpoint by IP whitelisting or firewall rules. Monitor web server logs for repeated unauthenticated attempts to the Timming.php endpoint. Finally, verify that the API’s authentication mechanisms are functioning by performing authorized access tests or penetration testing.

Generated by OpenCVE AI on March 23, 2026 at 03:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 01:45:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in MacCMS 2025.1000.4052. This affects an unknown part of the file application/api/controller/Timming.php of the component Timming API Endpoint. The manipulation results in missing authentication. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
Title MacCMS Timming API Endpoint Timming.php weak authentication
First Time appeared Maccms
Maccms maccms
Weaknesses CWE-287
CWE-306
CPEs cpe:2.3:a:maccms:maccms:*:*:*:*:*:*:*:*
Vendors & Products Maccms
Maccms maccms
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Maccms Maccms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-23T11:56:22.907Z

Reserved: 2026-03-22T08:20:15.860Z

Link: CVE-2026-4562

cve-icon Vulnrichment

Updated: 2026-03-23T11:56:18.221Z

cve-icon NVD

Status : Deferred

Published: 2026-03-23T00:16:51.647

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-4562

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:50:21Z

Weaknesses