VYPR
Medium severity6.5NVD Advisory· Published Apr 2, 2026· Updated Apr 15, 2026

CVE-2026-34832

CVE-2026-34832

Description

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Erudika/Scoold2 versions
    cpe:2.3:a:erudika:scoold:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:erudika:scoold:*:*:*:*:*:*:*:*range: <1.66.1
    • (no CPE)range: <1.66.1

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.