CVE-2026-3977

A security vulnerability has been detected in projectsend up to r1945. The affected element is an unknown function of the component AJAX Endpoints. The manipulation leads to missing authorization. The attack can be initiated remotely. The identifier of the patch is 35dfd6f08f7d517709c77ee73e57367141107e6b. To fix this issue, it is recommended to deploy a patch.

CVSS v3 6.3 MEDIUM
CVSS v2.0 6.5 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/projectsend/projectsend/
https://github.com/projectsend/projectsend/commit/35dfd6f08f7d517709c77ee73e57367141107e6b
https://github.com/projectsend/projectsend/issues/1525
https://github.com/projectsend/projectsend/issues/1525#issuecomment-3957109914
https://vuldb.com/?ctiid.350412
https://vuldb.com/?id.350412

Configurations

No configuration.

History

12 Mar 2026, 21:07

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de seguridad ha sido detectada en projectsend hasta r1945. El elemento afectado es una función desconocida del componente AJAX Endpoints. La manipulación conduce a una falta de autorización. El ataque puede ser iniciado remotamente. El identificador del parche es 35dfd6f08f7d517709c77ee73e57367141107e6b. Para solucionar este problema, se recomienda desplegar un parche.

12 Mar 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-12 04:16

Updated : 2026-03-12 21:07

NVD link : CVE-2026-3977

Mitre link : CVE-2026-3977

CVE.ORG link : CVE-2026-3977

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

CWE-863

Incorrect Authorization

{"id": "CVE-2026-3977", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-12T04:16:39.867", "references": [{"url": "https://github.com/projectsend/projectsend/", "source": "cna@vuldb.com"}, {"url": "https://github.com/projectsend/projectsend/commit/35dfd6f08f7d517709c77ee73e57367141107e6b", "source": "cna@vuldb.com"}, {"url": "https://github.com/projectsend/projectsend/issues/1525", "source": "cna@vuldb.com"}, {"url": "https://github.com/projectsend/projectsend/issues/1525#issuecomment-3957109914", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.350412", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.350412", "source": "cna@vuldb.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-862"}, {"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in projectsend up to r1945. The affected element is an unknown function of the component AJAX Endpoints. The manipulation leads to missing authorization. The attack can be initiated remotely. The identifier of the patch is 35dfd6f08f7d517709c77ee73e57367141107e6b. To fix this issue, it is recommended to deploy a patch."}, {"lang": "es", "value": "Una vulnerabilidad de seguridad ha sido detectada en projectsend hasta r1945. El elemento afectado es una funci\u00f3n desconocida del componente AJAX Endpoints. La manipulaci\u00f3n conduce a una falta de autorizaci\u00f3n. El ataque puede ser iniciado remotamente. El identificador del parche es 35dfd6f08f7d517709c77ee73e57367141107e6b. Para solucionar este problema, se recomienda desplegar un parche."}], "lastModified": "2026-03-12T21:07:53.427", "sourceIdentifier": "cna@vuldb.com"}