CVE-2026-2549
Published: 16 February 2026
Summary
CVE-2026-2549 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).
Deeper analysis
CVE-2026-2549 is a vulnerability in zhanghuanhao LibrarySystem 图书馆管理系统 versions up to 1.1.1. It stems from improper access controls in an unknown function of the BookController.java file, classified under CWEs 266 (Incorrect Privilege Assignment) and 284 (Improper Access Control). The issue was published on 2026-02-16 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network-accessible nature.
The vulnerability enables remote exploitation without authentication, privileges, or user interaction, allowing attackers to manipulate the affected function over the network with low complexity. Successful attacks can result in low impacts to confidentiality, integrity, and availability, potentially enabling unauthorized access or modifications within the library management system.
Advisories from VulDB and the project's GitHub repository note that the issue was reported early via issue #32, but the maintainers have not responded or issued patches. The exploit has been publicly disclosed and may be actively used, with details available in the referenced GitHub issues and VulDB entries (ctiid.346158, id.346158).
Notable context includes the public availability of the exploit, increasing the risk for unpatched deployments of this open-source library management system.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6103
Vulnerability details
A vulnerability has been found in zhanghuanhao LibrarySystem 图书馆管理系统 up to 1.1.1. This impacts an unknown function of the file BookController.java. The manipulation leads to improper access controls. The attack is possible to be carried out remotely. The exploit has…
more
been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper access control (CWE-284/266) in a network-exposed Java web controller allows unauthenticated remote manipulation with no user interaction, directly matching exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces approved authorizations on functions such as those in BookController.java, blocking the unauthorized remote manipulation described in the CVE.
Requires assignment of only the minimum privileges needed, directly countering the incorrect privilege assignment (CWE-266) that enables the flaw.
Mandates authorization and enforcement for all remote access, mitigating the network-exploitable improper access control without authentication.