What is CVE-2026-3977?

CVE-2026-3977 is a medium-severity vulnerability in Projectsend, classified under Missing Authorization. CVSS score: 6.3/10. Published 2026-03-12.

How severe is CVE-2026-3977?

Medium severity. CVSS v3 base score is 6.3 out of 10.

Auth bypass in Projectsend

CVE-2026-3977

A security vulnerability has been detected in projectsend up to r1945. The affected element is an unknown function of the component AJAX Endpoints. The manipulation leads to missing authorization. The attack can be initiated remotely. The…

Vulnerability class: Broken Access Control

EPSS: 0.001 (20.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C.

Affected products

N/a Projectsend — versions r1945

Weakness classification (CWE)

References

VDB-350412 | projectsend AJAX Endpoints authorization (vdb-entry)
VDB-350412 | CTI Indicators (IOB, IOC) (signature, permissions-required)
github.com/projectsend/projectsend/issues/1525 (issue-tracking)
github.com/projectsend/projectsend/issues/1525 (issue-tracking)
github.com/projectsend/projectsend/commit/35dfd6f08f7d517709c77ee73e57367141107… (patch)
github.com/projectsend/projectsend/ (product)

Frequently asked questions

What is CVE-2026-3977?: CVE-2026-3977 is a medium-severity vulnerability in Projectsend, classified under Missing Authorization. CVSS score: 6.3/10. Published 2026-03-12.
How severe is CVE-2026-3977?: Medium severity. CVSS v3 base score is 6.3 out of 10.