CVE-2026-54415

HIGH 8.1

Broken Access Control in Azuriom CMS Server Routes Allows Account Takeover

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

Missing Authorization in the server management routes (routes/admin.php) in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses via crafted HTTP requests to /admin/servers/create and the AzLink API endpoints (/api/azlink/password, /api/azlink/email, /api/azlink/user/{id}).

CWE	CWE-862 CWE-269
Vendor	azuriom
Product	azuriom cms
Published	Jun 17, 2026
Last Updated	Jun 17, 2026

Stay Ahead of the Next One

Get instant alerts for azuriom azuriom cms

Be the first to know when new high vulnerabilities affecting azuriom azuriom cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

Azuriom / Azuriom CMS

0 < 1.2.11

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Azuriom/Azuriom/releases/tag/v1.2.11 github.com: https://github.com/Azuriom/Azuriom/commit/4b744bc0dd11f205f5aa053c6db8a949d3f0608e github.com: https://github.com/Azuriom/Azuriom

Credits

Bobur Abdugafforov Khabibullaev Barkamol