๐Ÿ” CVE Alert

CVE-2026-42291

MEDIUM 6.8

SysReptor: Read-write access to personal notes by sharing-link creation with no authorization in SysReptor Professional

CVSS Score: 6.8
EPSS Score: 0.0%
EPSS Percentile: 0th

SysReptor is a fully customizable pentest reporting platform. From version 2026.4 to before version 2026.27, the endpoints for reading and creating sharing links for personal notes are not properly authorized. This allows authenticated attackers who obtain the note ID of victim users to list and create sharing links to those users' personal notes, giving the attackers read and write access to other users' notes. This exploit works in both SysReptor Professional and Community. In Community, however, it has no impact because all users have superuser permissions and can already list the personal notes of other users at /admin/pentests/usernotebookpage/. This issue has been patched in version 2026.27.
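The flaw above is a classic CWE-639 pattern: the endpoint checks that the caller is logged in but then trusts a client-supplied note ID without checking ownership. The following added example (not SysReptor's code; all names and the sample data are hypothetical) models the vulnerable handler beside the fixed one, where the note lookup is scoped to the caller's own notes so that another user's note ID is indistinguishable from a nonexistent one.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional


class NotFound(Exception):
    """Returned instead of 'forbidden' so the response does not confirm that a guessed ID exists."""


@dataclass
class PersonalNote:
    note_id: str
    owner: str  # username of the note's owner
    sharing_links: list[str] = field(default_factory=list)


# Constructed sample data: alice owns one personal note; bob is a different authenticated user.
NOTES: dict[str, PersonalNote] = {
    "note-1234": PersonalNote("note-1234", "alice"),
}


def require_login(actor: Optional[str]) -> None:
    if actor is None:
        raise PermissionError("authentication required")


def create_sharing_link_vulnerable(actor: Optional[str], note_id: str) -> str:
    """Vulnerable pattern: authentication only, no ownership check on the note ID."""
    require_login(actor)
    note = NOTES[note_id]  # any authenticated user reaches any note
    token = secrets.token_urlsafe(16)
    note.sharing_links.append(token)
    return token


def get_owned_note(actor: Optional[str], note_id: str) -> PersonalNote:
    """Fixed pattern: the lookup is filtered by owner, not just by ID."""
    require_login(actor)
    note = NOTES.get(note_id)
    if note is None or note.owner != actor:
        raise NotFound(note_id)
    return note


def create_sharing_link_fixed(actor: Optional[str], note_id: str) -> str:
    note = get_owned_note(actor, note_id)
    token = secrets.token_urlsafe(16)
    note.sharing_links.append(token)
    return token


def list_sharing_links_fixed(actor: Optional[str], note_id: str) -> list[str]:
    return list(get_owned_note(actor, note_id).sharing_links)


def is_denied(handler: Callable[[Optional[str], str], object], actor: Optional[str], note_id: str) -> bool:
    """Helper for checking outcomes: True if the handler refuses the request with NotFound."""
    try:
        handler(actor, note_id)
        return False
    except NotFound:
        return True
```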

CWE: CWE-639
Vendor: syslifters
Product: sysreptor
Published: May 8, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Affected Versions

Syslifters / sysreptor
>= 2026.4, < 2026.27

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/Syslifters/sysreptor/security/advisories/GHSA-pcpr-q2qj-3v43
GitHub release: https://github.com/Syslifters/sysreptor/releases/tag/2026.27