Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing question by supplying that question's public ID as the postId parameter to POST /questions/ask. Because question IDs are exposed in normal question URLs, a low-privilege attacker can take a victim question ID from a public page and cause attacker-controlled content to be stored under that existing question object. This causes direct integrity loss of user-generated content and corrupts the integrity of the existing discussion thread. This vulnerability is fixed in 1.66.2.
AnalysisAI
Scoold versions prior to 1.66.2 allow authenticated low-privilege users to overwrite arbitrary existing questions by submitting a POST request to /questions/ask with another user's question ID as the postId parameter. Since question IDs are publicly visible in URLs, attackers can identify target questions and replace their content with malicious text, corrupting discussion threads and destroying legitimate user-generated content. The vulnerability requires only basic user authentication and network access, making it trivially exploitable by any logged-in account.
Technical ContextAI
Scoold is a Node.js-based Q&A and knowledge-sharing platform built on Erudika. The vulnerability stems from insufficient authorization checks in the question creation endpoint (POST /questions/ask), which fails to validate whether the authenticated user owns or has permission to modify the question object being targeted. The flaw leverages CWE-639 (Authorization Bypass Through User-Controlled Key), where the application trusts user-supplied postId parameters without verifying ownership. Question IDs are embedded in publicly accessible URLs (e.g., /question/{postId}), allowing reconnaissance of targets. The authorization framework does not cross-reference the authenticated user's identity against question ownership metadata before allowing write operations.
RemediationAI
Upgrade Scoold to version 1.66.2 or later, which implements proper ownership validation in the POST /questions/ask endpoint. The patched version verifies that the authenticated user either owns the question or holds sufficient administrative privileges before allowing updates via the postId parameter. No workarounds are available for versions prior to 1.66.2; patching is the only mitigation. Administrators should prioritize this upgrade and audit question modification logs to detect potential unauthorized overwrites prior to the patch date.
Improper handling of Length parameter in GitHub repository erudika/scoold prior to 1.49.4. Rated high severity (CVSS 8.8
Scoold is a Q&A and a knowledge sharing platform for teams. Rated high severity (CVSS 8.7), this vulnerability is remote
Authentication bypass in Scoold prior to version 1.67.0 allows high-privileged attackers to inject arbitrary administrat
Scoold versions prior to 1.66.1 allow authenticated low-privilege users to delete any other user's feedback posts via an
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19863