Cyber Resilience

CVE-2026-3794

MediumPublic PoC

Published: 09 March 2026

Published
09 March 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0065 46.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-3794 is a medium-severity Improper Authentication (CWE-287) vulnerability in Html-Js Doracms. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2026-3794 is an improper authentication vulnerability (CWE-287) affecting doramart DoraCMS version 3.0.x. The issue resides in the unknown processing logic of the /api/v1/mail/send endpoint within the Email API component, allowing manipulation that bypasses authentication controls. This flaw carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

The vulnerability enables remote attackers with no required privileges or user interaction to exploit the Email API endpoint. Successful exploitation grants limited access, resulting in low-level impacts on confidentiality, integrity, and availability, such as unauthorized email sending or related API actions.

VulDB advisories, referenced at https://vuldb.com/?ctiid.349761, https://vuldb.com/?id.349761, and https://vuldb.com/?submit.768239, document the issue but note no vendor response despite early disclosure notification. No patches or official mitigations are available, and a public exploit exists that may be actively used.

Security teams should isolate or disable the affected Email API endpoint on DoraCMS 3.0.x instances, monitor for anomalous /api/v1/mail/send traffic, and consider upgrading if a future patch emerges, given the public exploit availability.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was identified in doramart DoraCMS 3.0.x. This issue affects some unknown processing of the file /api/v1/mail/send of the component Email API. Such manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit is…

more

publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an improper authentication bypass in a public-facing web application's Email API endpoint (/api/v1/mail/send), enabling remote unauthenticated exploitation, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3795Same product: Html-Js Doracms
CVE-2025-1044Shared CWE-287
CVE-2026-1740Shared CWE-287
CVE-2026-7022Shared CWE-287
CVE-2024-13111Shared CWE-287
CVE-2026-29145Shared CWE-287
CVE-2018-25236Shared CWE-287
CVE-2024-53704Shared CWE-287
CVE-2024-57049Shared CWE-287
CVE-2025-12374Shared CWE-287

Affected Assets

html-js
doracms
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires identification and authentication of non-organizational users or processes, directly preventing remote unauthorized access to the vulnerable /api/v1/mail/send Email API endpoint.

prevent

Enforces approved access authorizations, mitigating the improper authentication bypass in the Email API processing logic.

prevent

Mandates timely remediation of the identified improper authentication flaw in DoraCMS 3.0.x, including patching or workarounds given the public exploit.

References