Description
A security flaw has been discovered in kalcaddle kodbox 1.64. The impacted element is an unknown function of the file /workspace/source-code/plugins/oauth/controller/bind/index.class.php of the component loginSubmit API. Performing a manipulation of the argument third results in cross-site request forgery. Remote exploitation of the attack is possible. A high degree of complexity is needed for the attack. The exploitability is regarded as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-23
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site request forgery enabling unauthorized actions
Action: Immediate Patch
AI Analysis

Impact

The flaw resides in the loginSubmit API of kalcaddle kodbox 1.64, where tampering with the argument `third` triggers a CSRF condition that an attacker can exploit remotely. The vendor was notified but did not respond, and the exploit code is publicly available. Successful exploitation would let an adversary force a victim's browser to submit requests that the service accepts as legitimate, potentially altering or deleting data, changing user settings, or escalating privileges, depending on the target function exposed by the API.

Affected Systems

Kalcaddle’s Kodbox 1.64 is affected. The vulnerability is located in the file /workspace/source-code/plugins/oauth/controller/bind/index.class.php, part of the loginSubmit API. No other affected versions are disclosed.

Risk and Exploitability

The CVSS score of 2.3 suggests low severity, but the public availability of the exploit and the remote nature of the attack raise concern. EPSS data is not provided and the vulnerability is not listed in the CISA KEV catalog. The attack likely requires the victim to be authenticated to the site, making it an authenticated CSRF scenario. The owner of the affected service can mitigate the risk by applying a patch or by making the API resistant to unauthorized request forging.

Generated by OpenCVE AI on March 23, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify if a security update for Kodbox 1.64 is available and apply it immediately.
  • If no patch exists, upgrade to a newer Kodbox release that does not expose the vulnerable API.
  • Add or enforce a CSRF token check on the loginSubmit endpoint to ensure that only legitimate requests are processed.
  • Restrict the API to require a custom request header or secret token that a simple browser cannot supply.
  • Monitor application logs for unexpected POST requests to the loginSubmit endpoint and block offending IP addresses.
  • Validate or sanitize the third argument server-side to prevent forged submissions.
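As an added illustration of the token-check and argument-validation actions above (this is not kodbox code and not the vendor's fix), the following PHP shows a synchronizer-token CSRF check in front of a hypothetical loginSubmit-style POST handler. The function names, the `csrf_token` field and the allowlist for `third` are assumptions for the example; the allowlist treats `third` as a provider name, which the advisory does not confirm.

```php
<?php
// Added example, not part of kodbox: synchronizer-token CSRF protection
// for a hypothetical loginSubmit-style handler. Names are assumptions.
declare(strict_types=1);

// Defence in depth: a SameSite session cookie blocks most cross-site
// POSTs before the token check even runs (PHP >= 7.3).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Assumed allowlist for the `third` argument (constructed values).
const ALLOWED_THIRD = ['github', 'google'];

// Issue one random token per session and embed it in the form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session token.
function verifyCsrf(array $post, array $session): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Hypothetical handler: reject non-POST, forged, or malformed submissions
// before any state-changing work happens. Returns [status, message].
function loginSubmit(array $post, array $session, string $method): array
{
    if ($method !== 'POST') {
        return [405, 'method not allowed'];
    }
    if (!verifyCsrf($post, $session)) {
        return [403, 'invalid CSRF token'];
    }
    $third = $post['third'] ?? '';
    if (!is_string($third) || !in_array($third, ALLOWED_THIRD, true)) {
        return [400, 'unknown provider'];
    }
    // ... proceed with the bind for $third ...
    return [200, 'ok'];
}

// Form rendering: the hidden field carries the session-bound token.
function renderForm(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/loginSubmit">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="hidden" name="third" value="github">'
         . '<button type="submit">Bind account</button></form>';
}

// Dispatch on request (usage inside the block so it runs as a script).
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    [$status, $msg] = loginSubmit($_POST, $_SESSION, 'POST');
    http_response_code($status);
    echo $msg;
} else {
    echo renderForm();
}
```

A forged cross-site form cannot read the victim's session token, so the `hash_equals` check fails with 403 regardless of what `third` contains; the allowlist then catches malformed values on legitimately tokened requests. Logging the 403 responses gives the monitoring signal the recommended actions mention.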


Advisories

No advisories yet.

History

Tue, 24 Mar 2026 10:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Kalcaddle; Kalcaddle kodbox
Vendors & Products  |                | Kalcaddle; Kalcaddle kodbox

Mon, 23 Mar 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 15:00:00 +0000

Type        | Values Removed | Values Added
Description |                | A security flaw has been discovered in kalcaddle kodbox 1.64. The impacted element is an unknown function of the file /workspace/source-code/plugins/oauth/controller/bind/index.class.php of the component loginSubmit API. Performing a manipulation of the argument third results in cross-site request forgery. Remote exploitation of the attack is possible. A high degree of complexity is needed for the attack. The exploitability is regarded as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title       |                | kalcaddle kodbox loginSubmit API index.class.php cross-site request forgery
Weaknesses  |                | CWE-352; CWE-862
References  |                |
Metrics     |                | cvssV2_0: {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
            |                | cvssV3_0: {'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
            |                | cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
            |                | cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Kalcaddle Kodbox
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-23T16:38:12.165Z

Reserved: 2026-03-22T11:40:26.756Z

Link: CVE-2026-4590

Vulnrichment

Updated: 2026-03-23T16:15:41.419Z

NVD

Status: Deferred

Published: 2026-03-23T15:16:36.187

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-4590

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T21:27:59Z

Weaknesses