PT-2026-29446 · Unknown · Z-9527 Admin

Vuldb · Published 2026-04-01 · Updated 2026-04-01 · CVE-2026-5251

CVSS v2.0: 6.5 Medium

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: z-9527 admin versions 1.0 through 2.0

Description: A flaw exists in z-9527 admin versions 1.0 through 2.0 in the User Update Endpoint component, affecting an unknown function in the /server/routes/user.js file. Manipulating the isAdmin argument with the input 1 results in improperly controlled modification of dynamically-determined object attributes. The issue is remotely exploitable, and an exploit is publicly available. The vendor was contacted but did not respond.

Recommendations: Versions prior to 2.0 should be updated. As a temporary workaround, consider restricting access to the /server/routes/user.js file or disabling the affected function until a patch is available.
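
The class of flaw described above can be closed by copying only allow-listed fields from the request body into the update. The following is an added example, not code from z-9527 admin or from this advisory; apart from isAdmin, every field and function name in it is hypothetical.

```javascript
'use strict';

// Fields a regular user may change on their own record (assumed names).
const SELF_EDITABLE = new Set(['name', 'email', 'avatar']);
// Fields only an administrator may change; isAdmin is the one the advisory names.
const ADMIN_EDITABLE = new Set(['isAdmin']);

// Risky pattern: every key the client sends becomes an attribute of the update.
function buildUpdateUnsafe(body) {
  return Object.assign({}, body);
}

// Hardened pattern: copy only allow-listed own keys and report the rest,
// so rejected keys can be logged as a detection signal.
function buildUpdateSafe(body, actor) {
  const update = {};
  const rejected = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { update, rejected };
  }
  for (const key of Object.keys(body)) {
    const allowed = SELF_EDITABLE.has(key) ||
      (actor.isAdmin === true && ADMIN_EDITABLE.has(key));
    if (allowed) update[key] = body[key];
    else rejected.push(key);
  }
  return { update, rejected };
}

// Constructed sample input: an update body carrying the privileged attribute.
const SAMPLE_BODY = { name: 'alice', isAdmin: 1 };
const REGULAR_USER = { id: 7, isAdmin: false };
const ADMIN_USER = { id: 1, isAdmin: true };

function demo() {
  return {
    unsafe: buildUpdateUnsafe(SAMPLE_BODY),
    regular: buildUpdateSafe(SAMPLE_BODY, REGULAR_USER),
    admin: buildUpdateSafe(SAMPLE_BODY, ADMIN_USER),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `rejected` list is worth logging server-side: a non-admin session submitting isAdmin is a useful alert condition.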


Related Identifiers: CVE-2026-5251

Affected Products: Z-9527 Admin