Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-15752: Missing Authorization in zhinianboke xianyu-auto-reply

0
Medium
VulnerabilityCVE-2026-15752cvecve-2026-15752
Published: 07/14/2026 (07/14/2026, 22:15:12 UTC)
Source: CVE Database V5
Vendor/Project: zhinianboke
Product: xianyu-auto-reply

Description

CVE-2026-15752 is a medium severity vulnerability in the zhinianboke xianyu-auto-reply product affecting the backend user endpoint at /api/v1/users/. It allows remote attackers to bypass authorization due to missing authorization checks. The product uses a rolling release model, so specific affected versions are not clearly identified. A patch identified by commit 19fc3282a1bb78a05c34945c088525d20e081cbd is recommended to fix the issue.

CVSS v4.0

Score 6.9medium

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Vuln. Confidentiality
Low
Vuln. Integrity
Low
Vuln. Availability
Low
Subsq. Confidentiality
None
Subsq. Integrity
None
Subsq. Availability
None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Affected software

CPE configurations
cpe:2.3:a:zhinianboke:xianyu-auto-reply:*:*:*:*:*:*:*:*

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/14/2026, 22:48:03 UTC

Technical Analysis

This vulnerability in zhinianboke xianyu-auto-reply up to commit dcb445ad97816ad65299a7580ee0c8c8f929da84 involves missing authorization in an unknown function within the backend user endpoint (/api/v1/users/). The flaw allows remote attackers to perform unauthorized actions. The product is delivered via a rolling release model, which complicates exact version identification. A patch exists (commit 19fc3282a1bb78a05c34945c088525d20e081cbd) and applying it is the recommended remediation.

Potential Impact

The vulnerability enables remote attackers to bypass authorization controls, potentially allowing unauthorized access or actions on the backend user endpoint. This could lead to unauthorized data access or manipulation depending on the backend functionality exposed by the endpoint.

Mitigation Recommendations

A patch identified by commit 19fc3282a1bb78a05c34945c088525d20e081cbd is available and should be applied to remediate the vulnerability. Since the product uses a rolling release model, users should update to the latest version containing this patch. Patch status is not explicitly confirmed beyond this, so checking the vendor's advisory or repository for the patch application is recommended.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
VulDB
Date Reserved
2026-07-14T15:51:25.852Z
Cvss Version
4.0
State
PUBLISHED
Remediation Level
null

Threat ID: 6a56b92768715ace4351a78f

Added to database: 07/14/2026, 22:33:11 UTC

Last enriched: 07/14/2026, 22:48:03 UTC

Last updated: 07/14/2026, 22:49:12 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses