CVE-2026-8406

Source
https://cve.org/CVERecord?id=CVE-2026-8406
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8406.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-8406
Published
2026-06-11T13:32:36.738Z
Modified
2026-07-15T01:48:52.049224241Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
openSIS Classic 9.3 - Insecure Direct Object Reference in Sent Mail
Details

openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value.

Database specific
{
    "cwe_ids": [
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8406.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "9.3"
                },
                {
                    "last_affected": "9.3"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "Fluid Attacks"
}
References

Affected packages

Git / github.com/os4ed/opensis-classic

Affected ranges

Type
GIT
Repo
https://github.com/os4ed/opensis-classic
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

V7.*
V7.5
V7.6
V8.*
V8.0
V9.*
V9.0
V9.1
V9.2
Ver7.*
Ver7.0Prod_update
Ver7.0beta1
v7.*
v7.1
v7.2
v7.3
ver7.*
ver7.1
ver7.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8406.json"