Description

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing question by supplying that question's public ID as the postId parameter to POST /questions/ask. Because question IDs are exposed in normal question URLs, a low-privilege attacker can take a victim question ID from a public page and cause attacker-controlled content to be stored under that existing question object. This causes direct integrity loss of user-generated content and corrupts the integrity of the existing discussion thread. This vulnerability is fixed in 1.66.2.

INFO

Published Date :

2026-04-07T18:54:36.133Z

Last Modified :

2026-04-09T16:17:51.713Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39354 vulnerability.

Vendors Products
Erudika
  • Scoold
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39354.

URL Resource
https://github.com/Erudika/scoold/security/advisories/GHSA-768r-cv9p-wrcm cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact