CVE-2026-3738
Received Received - Intake
Improper Authorization in SourceCodester Pet Grooming Financial Report

Publication date: 2026-03-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code of the component Financial Report Page. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3738
EUVD
EUVD-2026-10241
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mayurik pet_grooming_management_software 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3738 is an improper authorization vulnerability in SourceCodester Pet Grooming Management Software version 1.0, specifically affecting the Financial Report Page component.

The software fails to enforce server-side role-based access control on financial reporting endpoints, allowing low-privileged authenticated users to access sensitive financial data without proper validation of their user roles.

This means that users who should not have access to financial reports such as tax reports, profit reports, invoice details, and user reports can view this confidential information.

The vulnerability can be exploited remotely, and a proof-of-concept exploit is publicly available.

Impact Analysis

This vulnerability can lead to unauthorized access to confidential financial information, including tax reports, profit reports, invoice details, and user reports.

Such exposure can result in leakage of business intelligence and unauthorized visibility into operational metrics.

It violates the principle of least privilege by allowing low-privileged users to access sensitive data.

The flaw impacts the confidentiality, integrity, and availability of the system.

Since the exploit is publicly available and remote exploitation is possible, attackers can easily abuse this vulnerability to gain unauthorized access.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by verifying if low-privileged authenticated users can access financial report pages without proper authorization.

To test this, an authenticated user with limited privileges can attempt to access URLs related to financial reports such as /view_order.php, /user_report.php, /profit_report.php, /stock_report.php, /sale_report.php, /pending_amout.php, and /tax.php.

If these pages are accessible and display sensitive financial data without proper role validation, the vulnerability is present.

Suggested commands include using curl or wget to simulate requests as a low-privileged user to these endpoints, for example:

  • curl -b cookies.txt https://targetsite.com/view_order.php
  • curl -b cookies.txt https://targetsite.com/user_report.php
  • curl -b cookies.txt https://targetsite.com/profit_report.php

Here, cookies.txt contains the session cookie of a low-privileged authenticated user.

Mitigation Strategies

Currently, no known countermeasures or mitigations exist for this vulnerability.

It is suggested to consider replacing the affected software with an alternative product that properly enforces role-based access control.

As an immediate step, restrict access to the financial report pages to only trusted users or isolate the affected system from untrusted networks if possible.

Monitoring and logging access to these sensitive endpoints can also help detect unauthorized access attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3738. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart