Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.
AnalysisAI
Scoold versions prior to 1.66.1 allow authenticated low-privilege users to delete any other user's feedback posts via an authorization flaw in the POST /feedback/{id}/delete endpoint. The vulnerability requires login but lacks object ownership verification, enabling lateral privilege escalation where any team member can destroy feedback created by colleagues or administrators. No public exploit code or active exploitation has been identified; the issue was discovered during code review and patched in version 1.66.1.
Technical ContextAI
Scoold is a Java-based Q&A and knowledge-sharing platform built on the Erudika framework. The vulnerability exists in the feedback deletion handler, which properly enforces authentication (requiring PR:L privilege level per CVSS vector) but fails to implement authorization checks for resource ownership. The flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a common pattern in REST APIs where user IDs or resource IDs are trusted without validating that the requesting user owns or has permission to modify the target resource. The endpoint accepts POST requests with a feedback ID parameter and immediately processes deletion without comparing the authenticated user's identity against the feedback's creator or checking for moderator/admin status.
RemediationAI
Vendor-released patch: Upgrade Scoold to version 1.66.1 or later. The fix is available directly from the GitHub releases page (https://github.com/Erudika/scoold/releases/tag/1.66.1) and the security advisory (https://github.com/Erudika/scoold/security/advisories/GHSA-g5fv-xw88-vw44). The upstream commit 5def88c25405cc60482292bcceb45dc024e899fe implements authorization checks to verify object ownership before allowing deletion. If immediate upgrade is not feasible, restrict feedback deletion capabilities to administrators only through role-based access control settings, or temporarily disable feedback deletion for non-admin users by adjusting application permissions until patched.
Improper handling of Length parameter in GitHub repository erudika/scoold prior to 1.49.4. Rated high severity (CVSS 8.8
Scoold is a Q&A and a knowledge sharing platform for teams. Rated high severity (CVSS 8.7), this vulnerability is remote
Authentication bypass in Scoold prior to version 1.67.0 allows high-privileged attackers to inject arbitrary administrat
Scoold versions prior to 1.66.2 allow authenticated low-privilege users to overwrite arbitrary existing questions by sub
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18529