CVE-2026-8406
HighCVSS 7.1Summary
openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details by supplying an arbitrary mail_id value.
Risk Assessment
This vulnerability may lead to the disclosure of sensitive message information, posing a risk to user privacy and data security within the organization.
Recommendation
It is recommended to upgrade to the latest version of openSIS that addresses this vulnerability and to implement additional access control mechanisms in the messaging module.
Original NVD description (English source)
openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value.

