CVE-2026-10070
Description
A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper authorization in /admin/update/ of macrozheng mall up to 1.0.3 allows remote exploitation of super admin password handler.
Vulnerability
The vulnerability exists in the super admin password handler at /admin/update/ in macrozheng mall versions up to and including 1.0.3 [1]. The endpoint fails to properly verify authorization, allowing unauthenticated manipulation of the admin password [2].
Exploitation
An attacker can exploit the flaw remotely by sending crafted HTTP requests to /admin/update/ without requiring authentication or user interaction. The exact payload details are not publicly disclosed, but the attack vector is network-based [2].
Impact
Successful exploitation enables an attacker to change the super admin password, gaining full administrative control over the mall system. This leads to unauthorized access to sensitive data, configuration changes, and potential service disruption [1].
Mitigation
No official fix has been released; the vendor deleted the associated GitHub issue and did not respond to disclosure [2]. Users should restrict network access to the /admin/update/ endpoint or implement additional authorization checks, such as requiring current password confirmation [1].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
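The mitigation above recommends binding a password change to an authenticated caller and a current-password confirmation. The following is an added illustration of such a handler, written for this page and not taken from the mall project; the account table, PBKDF2 settings and role model are constructed assumptions, since the advisory provides no source context.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000  # constructed value for the example

def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored ahead of the digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison so the check leaks no timing information."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

@dataclass
class Admin:
    username: str
    pw_hash: bytes
    is_super_admin: bool = False

# Constructed sample accounts standing in for the admin table.
ADMINS = {
    "root": Admin("root", hash_password("r00t-initial"), is_super_admin=True),
    "alice": Admin("alice", hash_password("alice-initial")),
}

def update_password(session_user, target, current_password, new_password):
    """Return (HTTP status, message) for a password-change request.

    The caller must be authenticated (the check the advisory says /admin/update/
    lacks), must confirm their own current password, and may change another
    account's password only when holding the super-admin role.
    """
    if session_user is None or session_user not in ADMINS:
        return 401, "authentication required"
    caller = ADMINS[session_user]
    if target not in ADMINS:
        return 404, "no such account"
    if target != caller.username and not caller.is_super_admin:
        return 403, "not allowed to change another admin's password"
    if not verify_password(current_password, caller.pw_hash):
        return 403, "current password incorrect"
    if len(new_password) < 12:
        return 400, "new password too short"
    ADMINS[target].pw_hash = hash_password(new_password)
    return 200, "password updated"
```

Each refusal returns before the stored hash is touched, so an unauthenticated request, a non-super-admin targeting another account, or a wrong current password all leave the table unchanged.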
Affected products
- (no CPE)
- (no CPE), range: <=1.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.