CVE-2026-3738
Status: Received - Intake
Improper Authorization in SourceCodester Pet Grooming Financial Report

Publication date: 2026-03-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code of the component Financial Report Page. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Meta Information
Published
2026-03-08
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2026-03-08
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Vendor: mayurik
Product: pet_grooming_management_software
Version / Range: 1.0
CWE
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-3738 is an improper authorization vulnerability in SourceCodester Pet Grooming Management Software version 1.0, specifically affecting the Financial Report Page component.

The software fails to enforce server-side role-based access control on financial reporting endpoints, allowing low-privileged authenticated users to access sensitive financial data without proper validation of their user roles.

This means that users who should not have access to financial reports such as tax reports, profit reports, invoice details, and user reports can view this confidential information.

The vulnerability can be exploited remotely, and a proof-of-concept exploit is publicly available.

How can this vulnerability impact me?

This vulnerability can lead to unauthorized access to confidential financial information, including tax reports, profit reports, invoice details, and user reports.

Such exposure can result in leakage of business intelligence and unauthorized visibility into operational metrics.

It violates the principle of least privilege by allowing low-privileged users to access sensitive data.

The flaw impacts the confidentiality, integrity, and availability of the system.

Since the exploit is publicly available and remote exploitation is possible, attackers can easily abuse this vulnerability to gain unauthorized access.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by verifying if low-privileged authenticated users can access financial report pages without proper authorization.

To test this, an authenticated user with limited privileges can attempt to access URLs related to financial reports such as /view_order.php, /user_report.php, /profit_report.php, /stock_report.php, /sale_report.php, /pending_amout.php, and /tax.php.

If these pages are accessible and display sensitive financial data without proper role validation, the vulnerability is present.

Suggested commands include using curl or wget to simulate requests as a low-privileged user to these endpoints, for example:

  • curl -b cookies.txt https://targetsite.com/view_order.php
  • curl -b cookies.txt https://targetsite.com/user_report.php
  • curl -b cookies.txt https://targetsite.com/profit_report.php

Here, cookies.txt contains the session cookie of a low-privileged authenticated user.


What immediate steps should I take to mitigate this vulnerability?

Currently, no known countermeasures or mitigations exist for this vulnerability.

It is suggested to consider replacing the affected software with an alternative product that properly enforces role-based access control.

As an immediate step, restrict access to the financial report pages to only trusted users or isolate the affected system from untrusted networks if possible.

Monitoring and logging access to these sensitive endpoints can also help detect unauthorized access attempts.
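A server-side authorization guard that each of the report pages named above would include before running any query or emitting output, as an added example written for this page (it is not code from the SourceCodester project or from the advisory). The role names, the session keys `role` and `user_id`, and the file name report_guard.php are assumptions.

```php
<?php
// Added example, not the project's own code. Session key names, role names
// and the guard file name are assumptions made for illustration.
declare(strict_types=1);

// Report scripts (endpoint names taken from the advisory) mapped to the roles
// allowed to view them. Any script not listed here is denied by default.
const REPORT_ACL = [
    'view_order.php'    => ['admin', 'accountant'],
    'user_report.php'   => ['admin'],
    'profit_report.php' => ['admin', 'accountant'],
    'stock_report.php'  => ['admin', 'accountant'],
    'sale_report.php'   => ['admin', 'accountant'],
    'pending_amout.php' => ['admin', 'accountant'],
    'tax.php'           => ['admin', 'accountant'],
];

/**
 * Decide from server-side session state only whether the current request may
 * proceed. Nothing supplied by the client (query string, form field, header)
 * is consulted for the role, so a client cannot upgrade itself.
 */
function isAuthorized(array $session, string $script): bool
{
    $role = $session['role'] ?? null;
    // Unauthenticated, missing role, or unknown script: deny.
    if (!is_string($role) || !isset(REPORT_ACL[$script])) {
        return false;
    }
    return in_array($role, REPORT_ACL[$script], true);
}

function requireReportAccess(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $script = basename($_SERVER['SCRIPT_NAME']);
    if (!isAuthorized($_SESSION, $script)) {
        // Record the denied attempt so the access monitoring recommended
        // above has a concrete signal to alert on.
        error_log(sprintf('report access denied: user=%s role=%s script=%s',
            (string) ($_SESSION['user_id'] ?? 'anon'),
            (string) ($_SESSION['role'] ?? 'none'),
            $script));
        http_response_code(403);
        exit('Forbidden');
    }
}

// First lines of every report page (assumed file name):
// require_once __DIR__ . '/report_guard.php';
// requireReportAccess();
```

Because the check runs before any data is read, a denied request yields a 403 with no report content, and the error_log line gives the same endpoints a defender can watch for in the web server and application logs.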

