{"url":"http://public2.vulnerablecode.io/api/packages/73424?format=json","purl":"pkg:composer/pimcore/web2print-tools-bundle@6.0.0-RC1","type":"composer","namespace":"pimcore","name":"web2print-tools-bundle","version":"6.0.0-RC1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.1.1","latest_non_vulnerable_version":"6.1.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49722?format=json","vulnerability_id":"VCID-zctt-vkvv-2qhj","summary":"Pimcore Web2Print Tools Bundle \"Favourite Output Channel Configuration\" Missing Function Level Authorization\nThe application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing \"Favourite Output Channel Configurations.\" Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This violates the principle of least privilege and constitutes a classic example of Broken Access Control (OWASP Top 10 A01:2021). Because authorization is not validated at the function level, any authenticated user can perform actions intended only for privileged roles, leading to horizontal or vertical privilege escalation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23496","reference_id":"","reference_type":"","scores":[{"value":"1e-05","scoring_system":"epss","scoring_elements":"0.00021","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23496"},{"reference_url":"https://github.com/pimcore/pimcore","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pimcore/pimcore"},{"reference_url":"https://github.com/pimcore/web2print-tools/commit/7714452a04b9f9b077752784af4b8d0b05e464a1","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-15T18:05:26Z/"}],"url":"https://github.com/pimcore/web2print-tools/commit/7714452a04b9f9b077752784af4b8d0b05e464a1"},{"reference_url":"https://github.com/pimcore/web2print-tools/pull/108","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-15T18:05:26Z/"}],"url":"https://github.com/pimcore/web2print-tools/pull/108"},{"reference_url":"https://github.com/pimcore/web2print-tools/releases/tag/v5.2.2","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-15T18:05:26Z/"}],"url":"https://github.com/pimcore/web2print-tools/releases/tag/v5.2.2"},{"reference_url":"https://github.com/pimcore/web2print-tools/releases/tag/v6.1.1","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-15T18:05:26Z/"}],"url":"https://github.com/pimcore/web2print-tools/releases/tag/v6.1.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23496","reference_id":"CVE-2026-23496","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23496"},{"reference_url":"https://github.com/advisories/GHSA-4wg4-p27p-5q2r","reference_id":"GHSA-4wg4-p27p-5q2r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4wg4-p27p-5q2r"},{"reference_url":"https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r","reference_id":"GHSA-4wg4-p27p-5q2r","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-15T18:05:26Z/"}],"url":"https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73425?format=json","purl":"pkg:composer/pimcore/web2print-tools-bundle@6.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/web2print-tools-bundle@6.1.1"}],"aliases":["CVE-2026-23496","GHSA-4wg4-p27p-5q2r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zctt-vkvv-2qhj"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/web2print-tools-bundle@6.0.0-RC1"}