CVE-2026-44987

Source
https://cve.org/CVERecord?id=CVE-2026-44987
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44987.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44987
Aliases
  • GHSA-6x8f-v3cf-cvr3
Published
2026-05-08T21:59:12.204Z
Modified
2026-07-08T08:13:29.429807270Z
Severity
  • 3.8 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
SysReptor: Privilege Escalation from User Admin to Superuser
Details

SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can reset the Superusers' passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves "Project Admin" permissions. This is intentional and by design. This issue has been patched in version 2026.29.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-269"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44987.json"
}
References

Affected packages

Git / github.com/syslifters/sysreptor

Affected ranges

Type
GIT
Repo
https://github.com/syslifters/sysreptor
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2026.29"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.101
0.102
0.110
0.83
0.87
0.89
0.95
0.96
2023.*
2023.114
2023.119
2023.122
2023.128
2023.136
2023.142
2023.145
2024.*
2024.1
2024.10
2024.13
2024.16
2024.19
2024.20
2024.28
2024.29
2024.3
2024.30
2024.40
2024.43
2024.49
2024.55
2024.57
2024.58
2024.60
2024.61
2024.63
2024.68
2024.69
2024.70
2024.74
2024.79
2024.8
2024.81
2024.91
2024.96
2025.*
2025.102
2025.104
2025.108
2025.110
2025.12
2025.20
2025.25
2025.29
2025.37
2025.4
2025.43
2025.50
2025.56
2025.64
2025.69
2025.74
2025.80
2025.81
2025.83
2025.90
2025.94
2025.96
2026.*
2026.1
2026.12
2026.18
2026.21
2026.25
2026.27
2026.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44987.json"