
z-9527 Admin Software Can Be Tricked into Changing User Permissions

CVE-2026-5251
Summary

A security flaw in the z-9527 admin software allows an attacker to remotely manipulate user permissions. This could potentially allow unauthorized access to sensitive areas of the software. Users should update to the latest version of the software as soon as possible to protect against this issue.

Original title
A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument ...
Original description
A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
nvd CVSS2.0 6.5
nvd CVSS3.1 6.3
nvd CVSS4.0 5.3
Vulnerability type
CWE-913
CWE-915
Published: 1 Apr 2026 · Updated: 1 Apr 2026 · First seen: 1 Apr 2026
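
The flaw class named above (CWE-915: a client-supplied isAdmin value reaching the stored user record) next to its usual mitigation, as an added example that is not code from z-9527 admin. The function names, user objects and every field name other than isAdmin are assumptions, and the request body is constructed.

```javascript
// Added example: hypothetical update logic, not code from z-9527 admin.
// Field names below are assumptions, apart from isAdmin (named in the advisory).
const SELF_EDITABLE = new Set(['nickname', 'email']); // user may change on own record
const ADMIN_ONLY = new Set(['isAdmin']);              // only an existing admin may change

// Unsafe pattern (CWE-915): every key in the request body is merged into the record.
function unsafeUpdate(target, body) {
  return Object.assign({}, target, body);
}

// Hardened pattern: explicit allowlist, with privileged fields gated on the
// caller's stored role (from the session), never on anything in the request.
function safeUpdate(caller, target, body) {
  const callerIsAdmin = caller.isAdmin === 1;
  if (caller.id !== target.id && !callerIsAdmin) {
    return { status: 403, user: target, rejected: Object.keys(body) };
  }
  const updated = Object.assign({}, target);
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (SELF_EDITABLE.has(key)) {
      updated[key] = String(body[key]);
    } else if (ADMIN_ONLY.has(key) && callerIsAdmin) {
      updated[key] = Number(body[key]) === 1 ? 1 : 0;
    } else {
      rejected.push(key); // worth logging: a client tried to set a field it may not
    }
  }
  // Reject the whole request if any field was not permitted.
  return rejected.length
    ? { status: 400, user: target, rejected }
    : { status: 200, user: updated, rejected };
}

// Constructed sample data.
const alice = { id: 7, nickname: 'alice', email: 'alice@example.test', isAdmin: 0 };
const root = { id: 1, nickname: 'root', email: 'root@example.test', isAdmin: 1 };
const body = JSON.parse('{"nickname":"al","isAdmin":1}');

console.log(unsafeUpdate(alice, body).isAdmin);  // privilege field overwritten
console.log(safeUpdate(alice, alice, body));     // request refused, record unchanged
console.log(safeUpdate(root, alice, body).user); // an existing admin may grant the role
```

The rejected list returned by the hardened function doubles as a detection signal: a non-admin request that names isAdmin is worth an audit log entry.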