← back
CVE-2026-8406

openSIS Classic 9.3 - Insecure Direct Object Reference in Sent Mail

CVSS 7.1 HIGHEPSS 0.2%CWE-639
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.1EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
11 Jun 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
OS4ED · openSIS-Classic