Description
A vulnerability was identified in macrozheng mall up to 1.0.3. This impacts an unknown function of the file /returnApply/create of the component Portal Endpoint. The manipulation of the argument orderId leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor deleted the GitHub issue for this vulnerability without any explanation.
Problem types
Improper Control of Resource Identifiers
Product status
1.0.1
1.0.2
1.0.3
Timeline
| 2026-07-09: | Advisory disclosed |
| 2026-07-09: | VulDB entry created |
| 2026-07-09: | VulDB entry last update |
Credits
peanutbutter (VulDB User)
VulDB CNA Team
References
vuldb.com/vuln/377112 (VDB-377112 | macrozheng mall Portal Endpoint create resource injection)
vuldb.com/vuln/377112/cti (VDB-377112 | CTI Indicators (IOB, IOC, IOA))
vuldb.com/cve/CVE-2026-15186 (CVE-2026-15186 | CVE Analysis and Report)
vuldb.com/submit/851347 (Submit #851347 | macrozheng mall 1.0.3 Insecure Direct Object Reference)
github.com/macrozheng/mall/issues/977
github.com/macrozheng/mall/