What the vulnerability does
01Description
Missing Authorization vulnerability in Smartypants SP Project & Document Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SP Project & Document Manager: from n/a through 4.70.
Explanation of Vulnerability in Simple Terms
02Summary
SP Project & Document Manager versions up to 4.70 lack proper authorization checks, allowing authenticated users to access or modify documents and projects they should not have permission to view. The vulnerability requires user interaction and affects confidentiality, integrity, and availability. Site administrators should update to a version newer than 4.70 when available.
What an attacker can do
03Attacker Capabilities
Access or modify documents and projects belonging to other users or teams without proper authorization.
Potential impact on your site
04Site Impact
Unauthorized data access, modification, or deletion across projects; potential data breach or loss of document integrity.
Conditions required to exploit
05Prerequisites
Attacker must have a valid user account and trick a victim into clicking a malicious link or visiting a crafted page.
Key dates
06Disclosure timeline
February 17, 2026
CVE published
April 28, 2026
Record updated