Description

A security vulnerability has been detected in projectsend up to r1945. The affected element is an unknown function of the component AJAX Endpoints. The manipulation leads to missing authorization. The attack can be initiated remotely. The identifier of the patch is 35dfd6f08f7d517709c77ee73e57367141107e6b. To fix this issue, it is recommended to deploy a patch.

PUBLISHED Reserved 2026-03-11 | Published 2026-03-12 | Updated 2026-03-12 | Assigner VulDB




MEDIUM: 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X
MEDIUM: 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
MEDIUM: 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C

Problem types

Missing Authorization

Incorrect Authorization

Timeline

2026-03-11: Advisory disclosed
2026-03-11: VulDB entry created
2026-03-11: VulDB entry last update

Credits

VulDB GitHub Commit Analyzer tool

References

vuldb.com/?id.350412 (VDB-350412 | projectsend AJAX Endpoints authorization) vdb-entry

vuldb.com/?ctiid.350412 (VDB-350412 | CTI Indicators (IOB, IOC)) signature permissions-required

github.com/projectsend/projectsend/issues/1525 issue-tracking

github.com/...ommit/35dfd6f08f7d517709c77ee73e57367141107e6b patch

github.com/projectsend/projectsend/ product

cve.org (CVE-2026-3977)

nvd.nist.gov (CVE-2026-3977)
