CVE-2026-5031

A vulnerability was found in BichitroGan ISP Billing Software 2025.3.20. Impacted is an unknown function of the file /?_route=settings/users-view/ of the component Endpoint. The manipulation of the argument ID results in improper control of resource identifiers. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/4m3rr0r/PoCVulDb/issues/15
https://vuldb.com/submit/778530
https://vuldb.com/vuln/353953
https://vuldb.com/vuln/353953/cti

Configurations

No configuration.

History

24 Apr 2026, 16:36

Type	Values Removed	Values Added
Summary		(es) Se encontró una vulnerabilidad en BichitroGan ISP Billing Software 2025.3.20. Afecta a una función desconocida del archivo /?_route=settings/users-view/ del componente Endpoint. La manipulación del argumento ID resulta en un control inadecuado de los identificadores de recursos. El ataque puede ser lanzado remotamente. El exploit ha sido hecho público y podría ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgación pero no respondió de ninguna manera.

29 Mar 2026, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-29 05:15

Updated : 2026-04-29 01:00

NVD link : CVE-2026-5031

Mitre link : CVE-2026-5031

CVE.ORG link : CVE-2026-5031

JSON object : View

Products Affected

No product.

CWE

CWE-99

Improper Control of Resource Identifiers ('Resource Injection')

{"id": "CVE-2026-5031", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-29T05:15:55.957", "references": [{"url": "https://github.com/4m3rr0r/PoCVulDb/issues/15", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/submit/778530", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/vuln/353953", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/vuln/353953/cti", "source": "cna@vuldb.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-99"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in BichitroGan ISP Billing Software 2025.3.20. Impacted is an unknown function of the file /?_route=settings/users-view/ of the component Endpoint. The manipulation of the argument ID results in improper control of resource identifiers. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en BichitroGan ISP Billing Software 2025.3.20. Afecta a una funci\u00f3n desconocida del archivo /?_route=settings/users-view/ del componente Endpoint. La manipulaci\u00f3n del argumento ID resulta en un control inadecuado de los identificadores de recursos. El ataque puede ser lanzado remotamente. El exploit ha sido hecho p\u00fablico y podr\u00eda ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgaci\u00f3n pero no respondi\u00f3 de ninguna manera."}], "lastModified": "2026-04-29T01:00:01.613", "sourceIdentifier": "cna@vuldb.com"}