Description
A weakness has been identified in Z-BlogPHP 1.7.4.3430. This affects the function CheckComment of the file zb_system/function/c_system_event.php of the component Commend Approval Handler. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-05-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the CheckComment function of the Commend Approval Handler within Z-BlogPHP 1.7.4.3430. A flaw in the authorization logic allows an attacker to manipulate comment approval controls, potentially approving comments without proper authorization. The weakness is classified as CWE-266 and CWE-285 and, when exploited, could enable an attacker to perform unauthorized actions such as defacement or injecting malicious content through the comment system.

Affected Systems

Z-BlogPHP version 1.7.4.3430 is affected. The issue appears in the file zb_system/function/c_system_event.php, part of the component handling comment approvals. No other versions or additional products are listed as impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS is not available, but public exploits have been released, proving the vulnerability is actionable. The flaw can likely be exploited remotely by sending crafted requests to the comment approval endpoint. Although it is not in the CISA KEV catalog, the availability of an exploit and its moderate severity warrant attention.

Generated by OpenCVE AI on May 17, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Z-BlogPHP to the latest version that removes the improper authorization flaw.
  • If an official patch is not yet available, restrict remote access to the c_system_event.php endpoint by limiting IP addresses or disabling remote comment approval in the configuration.
  • Monitor incoming comment traffic and review approval logs for unauthorized activity to detect early exploitation attempts.



Advisories

No advisories yet.

History

Sun, 17 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Zblogcn
Zblogcn z-blogphp
Vendors & Products Zblogcn
Zblogcn z-blogphp

Sun, 17 May 2026 10:45:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in Z-BlogPHP 1.7.4.3430. This affects the function CheckComment of the file zb_system/function/c_system_event.php of the component Commend Approval Handler. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.
Title Z-BlogPHP Commend Approval c_system_event.php CheckComment improper authorization
First Time appeared N
N z-blogphp
Weaknesses CWE-266
CWE-285
CPEs cpe:2.3:a:n:z-blogphp:*:*:*:*:*:*:*:*
Vendors & Products N
N z-blogphp
References
Metrics
cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T10:30:13.813Z

Reserved: 2026-05-16T12:48:23.909Z

Link: CVE-2026-8747

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-17T11:16:35.270

Modified: 2026-05-17T11:16:35.270

Link: CVE-2026-8747

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T17:00:19Z
