CVE-2026-10285
MEDIUMDevaslanPHP project-management <= 2.0.0-beta1 - Improper Authorization in KanbanScrumHelper Ticket Handler
Title source: llmDescription
A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet.
References (6)
Core 6
Core References
Permissions Required, VDB Entry vdb-entry
technical-description
https://vuldb.com/vuln/367578
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/vuln/367578/cti
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/cve/CVE-2026-10285
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/submit/825475
Issue Tracking broken-link
issue-tracking
https://github.com/devaslanphp/project-management/issues/141
Various Sources broken-link
product
https://github.com/devaslanphp/project-management/
Scores
CVSS v3
5.4
EPSS
0.0023
EPSS Percentile
13.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-266
CWE-285
Status
published
Products (1)
DevaslanPHP/project-management
2.0.0-beta1
Published
Jun 01, 2026
Tracked Since
Jun 02, 2026