CVE-2026-34832 in scooldinformation

Résumé (Anglaise)

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Responsable

GitHub_M

Réserver

30/03/2026

Divulgation

02/04/2026

Statut

Confirmé

Entrées

VulDB provides additional information and datapoints for this CVE:

IDVulnérabilitéCWEExpConCVE
355006Erudika scoold delete élévation de privilèges639Non définiCorrectif officielCVE-2026-34832

Description

CPE

CWE

CVSS

Exploits

Histoire

Diff

Relier

Renseignements sur les menaces

API JSON

API XML

API CSV

Sources

PrécédentAperçuSuivant

Do you need the next level of professionalism?

Upgrade your account now!