CVE Catalog

CVE-2026-54415

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Summary

Missing authorization in the server management routes in Azuriom CMS before version 1.2.11 allows an authenticated attacker with admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses.

Risk Assessment

An attacker can gain full control over user accounts, leading to serious security breaches and data loss within the organization.

Recommendation

It is recommended to update Azuriom CMS to version 1.2.11 or later to mitigate this vulnerability and review user permissions in the system.

Original NVD description (English source)

Missing Authorization in the server management routes (routes/admin.php) in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses via crafted HTTP requests to /admin/servers/create and the AzLink API endpoints (/api/azlink/password, /api/azlink/email, /api/azlink/user/{id}).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS