CVE-2026-34832

MEDIUM 6.5

Scoold: Cross-Account Feedback Deletion (IDOR)

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

14th

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.

CWE	CWE-639
Vendor	erudika
Product	scoold
Published	Apr 2, 2026
Last Updated	Apr 3, 2026

Stay Ahead of the Next One

Get instant alerts for erudika scoold

Be the first to know when new medium vulnerabilities affecting erudika scoold are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

Erudika / scoold

< 1.66.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Erudika/scoold/security/advisories/GHSA-g5fv-xw88-vw44 github.com: https://github.com/Erudika/scoold/commit/5def88c25405cc60482292bcceb45dc024e899fe github.com: https://github.com/Erudika/scoold/releases/tag/1.66.1