Home

Description

Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type/<POST_TYPE_ID>/drafts and overwrite the draft associated with another user's post.

PUBLISHED Reserved 2026-06-02 | Published 2026-06-12 | Updated 2026-06-12 | Assigner Fluid Attacks




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

2.9.2
affected

Credits

Fluid Attacks' AI SAST Scanner finder

Oscar Naveda finder

References

fluidattacks.com/es/advisories/billie exploit

fluidattacks.com/es/advisories/billie third-party-advisory

github.com/owen2345/camaleon-cms

cve.org (CVE-2026-10715)

nvd.nist.gov (CVE-2026-10715)

Download JSON