PosCube QR Menu: Authorization Bypass via User-Controlled Key (CVE-2025-13479)
The National Vulnerability Database (NVD) has disclosed CVE-2025-13479, a high-severity authorization bypass vulnerability in PosCube Hardware Software and Consulting Ltd.’s QR Menu. Rated CVSS 7.5, the flaw allows exploitation of trusted identifiers through a user-controlled key, letting attackers bypass authentication mechanisms without any privileges or user interaction.
The vulnerability affects QR Menu versions up to and including 21052026. The NVD noted that the vendor, PosCube, was contacted about the disclosure but did not respond. The lack of vendor engagement is concerning: affected organizations have no official guidance or patches.
Attackers can leverage this authorization bypass to gain unauthorized access, potentially compromising sensitive data or manipulating system functions. Given the widespread use of QR-based menu systems in various establishments, the potential impact is significant for any organization utilizing PosCube’s QR Menu solution.
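The weakness class named above (authorization bypass through a user-controlled key), shown as an added Python illustration that is not PosCube's code and not taken from the NVD entry: a lookup that trusts the client-supplied key beside one that binds the key to the server-side session. The record store, the `Session` type and the function names are hypothetical, and the sample data is constructed.

```python
# Generic model of authorization bypass through a user-controlled key.
# Every name and record here is constructed; nothing is taken from QR Menu.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Server-side session created at login; None means unauthenticated."""
    user: str
    tenant_id: int


# Constructed sample records, keyed by a sequential identifier.
RECORDS = {
    101: {"tenant_id": 1, "name": "Cafe A", "draft_prices": [4.5, 6.0]},
    102: {"tenant_id": 2, "name": "Bistro B", "draft_prices": [12.0, 18.5]},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_record_vulnerable(session, record_id):
    # Weak pattern: the key sent by the client is the only thing consulted.
    # The session is ignored, so any caller receives whichever record it names.
    return RECORDS[int(record_id)]


def get_record_hardened(session, record_id):
    # 1. Require an authenticated session before touching the data store.
    if session is None:
        raise Forbidden("authentication required")
    # 2. Validate the key; reject anything that is not a plain integer.
    try:
        key = int(record_id)
    except (TypeError, ValueError):
        raise Forbidden("malformed identifier") from None
    record = RECORDS.get(key)
    # 3. Bind the key to the caller: ownership comes from the session,
    #    never from the request. Missing and foreign records return the
    #    same error so the response does not reveal which keys exist.
    if record is None or record["tenant_id"] != session.tenant_id:
        raise Forbidden("not found or not permitted")
    return record
```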
What This Means For You
- If your organization uses PosCube Hardware Software and Consulting Ltd.'s QR Menu, you are directly exposed to CVE-2025-13479. This is an authorization bypass that requires no authentication, meaning an attacker can just walk in. Immediately determine whether you are running QR Menu versions up to 21052026. Given the vendor's non-response, assume no patch is forthcoming. Your only viable options are to disable the affected QR Menu service completely or to implement a robust compensating control, such as an application-layer firewall, that blocks all access to the vulnerable endpoint.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2025-13479 | Auth Bypass | PosCube Hardware Software and Consulting Ltd. QR Menu |
| CVE-2025-13479 | Auth Bypass | QR Menu through version 21052026 |
| CVE-2025-13479 | Auth Bypass | User-Controlled key vulnerability |
| CVE-2025-13479 | Auth Bypass | Exploitation of Trusted Identifiers |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 21, 2026 at 17:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.