CVE-2026-7510 — A vulnerability was determined in OWAP DefectDojo up to
CVE-2026-7510 — A vulnerability was determined in OWAP DefectDojo up to 2.55.4. Affected by this vulnerability is an unknown functionality of the component Benchmark/Engagement/Product/Survey. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit
What This Means For You
- If your environment is affected by CWE-285, CWE-639, review your exposure and prioritize patching based on your environment. Monitor vendor advisories for CVE-2026-7510 updates and patches.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Potential Authorization Bypass via OWAP DefectDojo Benchmark/Engagement/Product/Survey Manipulation - CVE-2026-7510
title: Potential Authorization Bypass via OWAP DefectDojo Benchmark/Engagement/Product/Survey Manipulation - CVE-2026-7510
id: scw-2026-04-30-ai-1
status: experimental
level: high
description: |
This rule detects potential exploitation of CVE-2026-7510 in OWAP DefectDojo versions prior to 2.56.0. The vulnerability allows for authorization bypass by manipulating specific components (Benchmark, Engagement, Product, Survey). This detection looks for requests to these specific paths, potentially with an ID parameter, that result in a successful (200) status code, indicating a possible bypass.
author: SCW Feed Engine (AI-generated)
date: 2026-04-30
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-7510/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/benchmark/'
- '/engagement/'
- '/product/'
- '/survey/'
cs-method|exact: 'GET'
cs-uri-query|contains:
- 'id=' # Assuming ID manipulation is part of the exploit
sc-status|exact: '200' # Successful response after bypass
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7510 | vulnerability | CVE-2026-7510 |
| CWE-285 | weakness | CWE-285 |
| CWE-639 | weakness | CWE-639 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 01, 2026 at 02:16 UTC |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7508 — Bootstrap CMS 0.9.0-Alpha Vulnerability
CVE-2026-7508 — A vulnerability was found in Bootstrap CMS 0.9.0-alpha. Affected is an unknown function of the file resources/views/pages/show.blade.php of the component Page Creation Handler....
SourceCodester Hotel Management System SQLi (CVE-2026-7506) Publicly Disclosed
CVE-2026-7506 — A vulnerability has been found in SourceCodester Hotel Management System 1.0. This impacts an unknown function of the file /index.php/reservation/check. Such manipulation of...
nextlevelbuilder GoClaw RPC Handler Flaw Allows Remote Improper Authorization
CVE-2026-7505 — A flaw has been found in nextlevelbuilder GoClaw and GoClaw Lite up to 3.8.5. This affects an unknown function of the component RPC...