CVE-2026-4514

MEDIUM

PbootCMS Backend UserController.php access control

Title source: cna

Description

A flaw has been found in PbootCMS up to 3.2.12. Affected by this issue is some unknown functionality of the file apps/admin/controller/system/UserController.php of the component Backend. Executing a manipulation of the argument Field can lead to improper access controls. The attack may be performed from remote. The exploit has been published and may be used.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-352079 | PbootCMS Backend UserController.php access control

https://vuldb.com/?id.352079

Signature, Permissions Required signature permissions-required

VDB-352079 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.352079

Third Party Advisory third-party-advisory

Submit #773907 | 翱云科技 PbootCMS 3.2.12 Backend Arbitrary Field Modification via field and value Paramet

https://vuldb.com/?submit.773907

Exploit exploit

https://github.com/zzj-create/cvetest/blob/main/VULN-06_BACKEND_ARBITRARY_FIELD_MODIFICATION_REPORT_EN.md#vuln-06-pbootcms-3212-backend-arbitrary-field-modification

View Exploit ZIP pw:eip

Scores

CVSS v3 6.3

EPSS 0.0020

EPSS Percentile 10.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-266 CWE-284

Status published

Products (13)

n/a/PbootCMS 3.2.0

n/a/PbootCMS 3.2.1

n/a/PbootCMS 3.2.10

n/a/PbootCMS 3.2.11

n/a/PbootCMS 3.2.12

n/a/PbootCMS 3.2.2

n/a/PbootCMS 3.2.3

n/a/PbootCMS 3.2.4

n/a/PbootCMS 3.2.5

n/a/PbootCMS 3.2.6

... and 3 more

Published Mar 21, 2026

Tracked Since Mar 21, 2026