CVE-2026-15373
MEDIUM Exploitation: PoC
6.3
CVSS 3.1
Description
A vulnerability was detected in Eleveo Call Recording Software 9.7.0. The impacted element is an unknown function of the file /callrec/userAddAction.do. Performing a manipulation of the argument role results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Metadata
Severity & Metrics
6.3
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Eleveo | Call Recording Software | — | 9.7.0 |
Weakness (CWE)
CVSS scores (4)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 6.5 | N/D | 2.0 | cna | AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR |
| 6.3 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R |
| 6.3 | MEDIUM | 3.0 | cna | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R |
| 5.3 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
References (5)
- VDB-377440 | Eleveo Call Recording Software userAddAction.do improper authorization https://vuldb.com/vuln/377440
- VDB-377440 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/377440/cti
- CVE-2026-15373 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-15373
- Submit #797457 | Eleveo Call Recording 9.7.0 Broken Access Control https://vuldb.com/submit/797457
- https://drive.google.com/file/d/1QqpeH0qWsSnSiMvPeRJvRSylwLGK3hsN/view?usp=sharing