CVE-2026-15186 PUBLISHED

macrozheng mall Portal Endpoint create resource injection

Assigner: VulDB
Reserved: 09.07.2026 Published: 09.07.2026 Updated: 09.07.2026

A vulnerability was identified in macrozheng mall up to 1.0.3. This impacts an unknown function of the file /returnApply/create of the component Portal Endpoint. The manipulation of the argument orderId leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor deleted the GitHub issue for this vulnerability without any explanation.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
CVSS Score: 5.3

Product Status

Vendor macrozheng
Product mall
Versions
  • Version 1.0.0 is affected
  • Version 1.0.1 is affected
  • Version 1.0.2 is affected
  • Version 1.0.3 is affected

Credits

  • peanutbutter (VulDB User) reporter
  • VulDB CNA Team coordinator

References

Problem Types

  • Improper Control of Resource Identifiers CWE