CVE-2026-8406

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Jun 11, 2026

Vendor unknown

Description

openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value.

References

https://fluidattacks.com/es/advisories/melanie
https://github.com/OS4ED/openSIS-Classic
https://github.com/OS4ED/openSIS-Classic/commit/c45d43146167324bae06bdf09de3e4bd2e5e478f
https://fluidattacks.com/es/advisories/melanie