High severity · 8.1 · NVD Advisory · Published May 15, 2026 · Updated May 15, 2026

CVE-2026-28761

Description

A cross-site request forgery vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. If a user views a malicious page while logged in to the affected product, unexpected operations may be performed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site request forgery in Musetheque V4 Information Disclosure for IPKNOWLEDGE allows attackers to perform unintended operations on behalf of logged-in users.

Vulnerability Overview

A cross-site request forgery (CSRF) vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. The flaw allows an attacker to trick an authenticated user into executing unintended actions without their consent, as the application does not properly validate or enforce anti-CSRF tokens during sensitive operations [1].

Exploitation Conditions

Exploitation requires the victim to be logged into the affected product and to visit a malicious page controlled by the attacker. No prior authentication is needed for the attacker, but user interaction is mandatory. The attack can be launched remotely over the network, leveraging the victim's active session to perform actions on their behalf [1].

Impact

If successfully exploited, an attacker can perform unexpected operations within the context of the victim's session. This could lead to unauthorized information disclosure or modification of data, depending on the privileges of the logged-in user. The CVSS v3 base score is 8.1 (High), reflecting the potential for significant confidentiality and integrity impact [1].

Mitigation

The vendor, Fujitsu Japan Limited, has released version V4L1 rev2603.1, which addresses this vulnerability. Users are advised to update to the latest version as soon as possible. No workarounds have been provided [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
