CVE-2026-10070— macrozheng mall Super Admin Password update improper authorization
Affected Version Matrix 4
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| macrozheng | mall | 1.0.0 | affected |
1.0.1 | affected | ||
1.0.2 | affected | ||
1.0.3 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-10070
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
macrozheng mall Super Admin Password update improper authorization
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| macrozheng | mall | 1.0.0 | cpe:2.3:a:macrozheng:mall:*:*:*:*:*:*:*:* |
II. Public POCs for CVE-2026-10070
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-10070
请登录查看更多情报信息。
Proof of Concept for CVE-2026-10070 (1)
- 🔗 GitHub · Where software is builtissue-tracking
Vendor Pages for CVE-2026-10070 (1)
IV. Related Vulnerabilities
Same product: mall
- CVE-2026-25858
macrozheng mall <= 1.0.3 Unauthenticated Password Reset via - CVE-2025-15118
macrozheng mall Member Endpoint update improper authorizatio - CVE-2025-13443
macrozheng mall delete access control - CVE-2025-9836
macrozheng mall paySuccess authorization - CVE-2025-9835
macrozheng mall cancelUserOrder cancelOrder authorization
Same vendor: macrozheng
- CVE-2026-25858
macrozheng mall <= 1.0.3 Unauthenticated Password Reset via - CVE-2025-15118
macrozheng mall Member Endpoint update improper authorizatio - CVE-2025-14016
macrozheng mall-swarm delete improper authorization - CVE-2025-13443
macrozheng mall delete access control - CVE-2025-13118
macrozheng mall-swarm paySuccess improper authorization
Same weakness: CWE-285
- CVE-2026-48810
FreeScout: Thread Edit Authorization Bypass via Missing Mail - CVE-2026-47740
Shopper: Authorization bypass in multiple Livewire admin com - CVE-2026-47713
AnythingLLM: Legacy mobile device tokens bypass multi-user w - CVE-2026-45297
Cross-tenant IDOR on feature-flag and assist-stats routes vi - CVE-2026-47673
Hono: JWT middleware accepts any Authorization scheme, not o
V. Comments for CVE-2026-10070
No comments yet