CVE-2026-5251

MEDIUM 6.3

z-9527 admin User Update Endpoint user.js dynamically-determined object attributes

CVSS Score

6.3

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE	CWE-915 CWE-913
Vendor	z-9527
Product	admin
Published	Apr 1, 2026
Last Updated	Apr 1, 2026

Stay Ahead of the Next One

Get instant alerts for z-9527 admin

Be the first to know when new medium vulnerabilities affecting z-9527 admin are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

z-9527 / admin

1.0 2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/354441 vuldb.com: https://vuldb.com/vuln/354441/cti vuldb.com: https://vuldb.com/submit/780607 github.com: https://github.com/CC-T-454455/Vulnerabilities/tree/master/z9527-admin/vulnerability-11

Credits

VulDB