5.3

CVE-2026-34372

Sulu checks fix permissions for subentities endpoints

Sulu is an open-source PHP content management system based on the Symfony framework. From versions 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5, a user which has permission for the Sulu Admin via at least one role could have access to the sub-entities of contacts via the admin API without even have permission for contacts. This issue has been patched in versions 2.6.22 and 3.0.5.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SuluSulu Version >= 1.0.0 < 2.6.22
SuluSulu Version >= 3.0.0 < 3.0.5
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.26% 0.168
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 2.7 1.2 1.4
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com 5.3 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp
Vendor Advisory
https://github.com/sulu/sulu/releases/tag/2.6.22
Product
Release Notes
https://github.com/sulu/sulu/releases/tag/3.0.5
Product
Release Notes