CVE-2026-3977

MEDIUM

ProjectSend <r1945 - Auth Bypass

Title source: llm

Description

A security vulnerability has been detected in projectsend up to r1945. The affected element is an unknown function of the component AJAX Endpoints. The manipulation leads to missing authorization. The attack can be initiated remotely. The identifier of the patch is 35dfd6f08f7d517709c77ee73e57367141107e6b. To fix this issue, it is recommended to deploy a patch.

References (6)

[Various Sources] https://github.com/projectsend/projectsend/

[Patch] https://github.com/projectsend/projectsend/commit/35dfd6f08f7d517709c77ee73e57367141107e6b

[Issue Tracking] https://github.com/projectsend/projectsend/issues/1525

[Issue Tracking] https://github.com/projectsend/projectsend/issues/1525#issuecomment-3957109914

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.350412

[Permissions Required, VDB Entry] https://vuldb.com/?id.350412

Scores

CVSS v3 6.3

EPSS 0.0005

EPSS Percentile 14.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-862 CWE-863

Status published

Products (1)

n/a/projectsend r1945

Published Mar 12, 2026

Tracked Since Mar 12, 2026