CVE-2026-39354 | THREATINT

Description

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing question by supplying that question's public ID as the postId parameter to POST /questions/ask. Because question IDs are exposed in normal question URLs, a low-privilege attacker can take a victim question ID from a public page and cause attacker-controlled content to be stored under that existing question object. This causes direct integrity loss of user-generated content and corrupts the integrity of the existing discussion thread. This vulnerability is fixed in 1.66.2.

PUBLISHED Reserved 2026-04-06 | Published 2026-04-07 | Updated 2026-04-09 | Assigner GitHub_M

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

< 1.66.2

affected

References

github.com/...scoold/security/advisories/GHSA-768r-cv9p-wrcm exploit

github.com/...scoold/security/advisories/GHSA-768r-cv9p-wrcm

cve.org (CVE-2026-39354)

nvd.nist.gov (CVE-2026-39354)

Download JSON