Cyber Resilience

CVE-2026-2549

Medium

Published: 16 February 2026

Published
16 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0006 19.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2549 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).

Deeper analysis

CVE-2026-2549 is a vulnerability in zhanghuanhao LibrarySystem 图书馆管理系统 versions up to 1.1.1. It stems from improper access controls in an unknown function of the BookController.java file, classified under CWEs 266 (Incorrect Privilege Assignment) and 284 (Improper Access Control). The issue was published on 2026-02-16 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network-accessible nature.

The vulnerability enables remote exploitation without authentication, privileges, or user interaction, allowing attackers to manipulate the affected function over the network with low complexity. Successful attacks can result in low impacts to confidentiality, integrity, and availability, potentially enabling unauthorized access or modifications within the library management system.

Advisories from VulDB and the project's GitHub repository note that the issue was reported early via issue #32, but the maintainers have not responded or issued patches. The exploit has been publicly disclosed and may be actively used, with details available in the referenced GitHub issues and VulDB entries (ctiid.346158, id.346158).

Notable context includes the public availability of the exploit, increasing the risk for unpatched deployments of this open-source library management system.

EU & UK References

Vulnerability details

A vulnerability has been found in zhanghuanhao LibrarySystem 图书馆管理系统 up to 1.1.1. This impacts an unknown function of the file BookController.java. The manipulation leads to improper access controls. The attack is possible to be carried out remotely. The exploit has…

more

been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper access control (CWE-284/266) in a network-exposed Java web controller allows unauthenticated remote manipulation with no user interaction, directly matching exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-2548Shared CWE-266, CWE-284
CVE-2026-4194Shared CWE-266, CWE-284
CVE-2026-9580Shared CWE-266, CWE-284
CVE-2025-2218Shared CWE-266, CWE-284
CVE-2026-7468Shared CWE-266, CWE-284
CVE-2026-2938Shared CWE-266, CWE-284
CVE-2026-4180Shared CWE-266, CWE-284
CVE-2025-0206Shared CWE-266, CWE-284
CVE-2026-1962Shared CWE-266, CWE-284
CVE-2026-5569Shared CWE-266, CWE-284

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations on functions such as those in BookController.java, blocking the unauthorized remote manipulation described in the CVE.

prevent

Requires assignment of only the minimum privileges needed, directly countering the incorrect privilege assignment (CWE-266) that enables the flaw.

AC-17 Remote Access partial match
prevent

Mandates authorization and enforcement for all remote access, mitigating the network-exploitable improper access control without authentication.

References