CVE-2026-21854

{"id": "CVE-2026-21854", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-21854", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "yes"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-01-07T18:40:33.171789Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "the-hideout", "product": "tarkov-data-manager", "versions": [{"status": "affected", "version": "<= 2.0.0"}]}]}], "published": "2026-01-07T19:15:57.267", "references": [{"url": "https://github.com/the-hideout/tarkov-data-manager/commit/f188f0abf766cefe3f1b7b4fc6fe9dad3736174a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-r8w6-9xwg-6h73", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-843"}, {"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager admin panel by exploiting a JavaScript prototype property access vulnerability, combined with loose equality type coercion. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities."}, {"lang": "es", "value": "El Tarkov Data Manager es una herramienta para gestionar los datos de los \u00edtems de Tarkov. Antes del 02 de enero de 2025, una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n en el endpoint de inicio de sesi\u00f3n permite a cualquier usuario no autenticado obtener acceso de administrador completo al panel de administraci\u00f3n del Tarkov Data Manager explotando una vulnerabilidad de acceso a propiedades de prototipo de JavaScript, combinada con la coerci\u00f3n de tipo de igualdad flexible. Una serie de commits de correcci\u00f3n el 02 de enero de 2025 solucion\u00f3 esta y otras vulnerabilidades."}], "lastModified": "2026-06-17T10:19:02.067", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tarkov:tarkov_data_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1BED0E5B-BD43-4202-930F-9931EC05570C", "versionEndExcluding": "2025-01-02"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}