Cyber Posture

CVE-2026-4562

High

Published: 23 March 2026

Published
23 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0010 28.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4562 is a high-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
preventrecover

Directly remediates the missing authentication flaw in the Timming API endpoint of MacCMS by identifying, prioritizing, and correcting the specific CVE vulnerability.

AC-3 Access Enforcement good match
prevent

Enforces logical access authorizations to prevent unauthorized remote manipulation of the Timming API endpoint lacking authentication checks.

AC-14 Permitted Actions Without Identification or Authentication good match
prevent

Limits permitted actions without identification or authentication, ensuring the critical Timming API functions require proper authentication to mitigate the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Missing authentication on public Timming API endpoint directly enables remote exploitation of a public-facing web application without credentials or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A security flaw has been discovered in MacCMS 2025.1000.4052. This affects an unknown part of the file application/api/controller/Timming.php of the component Timming API Endpoint. The manipulation results in missing authentication. The attack may be performed from remote. The exploit has…

more

been released to the public and may be used for attacks.

Deeper analysisAI

CVE-2026-4562 is a missing authentication vulnerability affecting MacCMS version 2025.1000.4052. The flaw resides in an unknown part of the file application/api/controller/Timming.php within the Timming API Endpoint component. Published on 2026-03-23, it is associated with CWEs-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function), earning a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability enables remote exploitation without authentication, privileges, or user interaction, requiring only low attack complexity. Attackers can manipulate the endpoint to achieve low-level impacts on confidentiality, integrity, and availability. An exploit for this issue has been publicly released and may be used in attacks.

Advisories and further details, including potential mitigation guidance, are available in the referenced sources: https://github.com/HuajiHD/CVE/issues/9, https://vuldb.com/?ctiid.352399, https://vuldb.com/?id.352399, and https://vuldb.com/?submit.775039.

Details

CWE(s)
CWE-287CWE-306

CVEs Like This One

CVE-2025-58443Shared CWE-287, CWE-306
CVE-2026-6577Shared CWE-287, CWE-306
CVE-2026-40344Shared CWE-287, CWE-306
CVE-2026-6582Shared CWE-287, CWE-306
CVE-2026-3053Shared CWE-287, CWE-306
CVE-2026-5000Shared CWE-287, CWE-306
CVE-2026-6129Shared CWE-287, CWE-306
CVE-2025-11942Shared CWE-287, CWE-306
CVE-2026-7042Shared CWE-287, CWE-306
CVE-2026-7723Shared CWE-287, CWE-306

References