CVE-2026-5251 | z-9527 admin 1.0/2.0 User Update Endpoint /server/routes/user.js isAdmin dynamically-determined object attributes

A vulnerability, which was classified as critical, was found in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes.

This vulnerability is referenced as CVE-2026-5251. It is possible to launch the attack remotely. Furthermore, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.VulDB Recent EntriesRead More