
Plainpad CVE-2026-42562
EUVD-2026-28929 | HIGH
Improper Privilege Management (CWE-269)
2026-05-09 | GitHub_M
CVSS 3.1 base score: 8.3

CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

Patch available: May 09, 2026 21:02 (EUVD)
Source Code Evidence Fetched: May 09, 2026 20:00 (vuln.today)
Analysis Generated: May 09, 2026 20:00 (vuln.today)
CVE Published: May 09, 2026 19:09 (nvd)

Description (NVD)

Plainpad is a self-hosted note-taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated account can immediately access admin-only routes. This issue has been patched in version 1.1.1.

Analysis (AI)

Privilege escalation in Plainpad versions prior to 1.1.1 allows any authenticated user to immediately grant themselves administrator privileges via a single HTTP PUT request to the user update endpoint. The vulnerability stems from the API directly accepting the admin parameter from user input without verifying the requesting user's existing privilege level. …
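The update-endpoint defect that the description and the analysis above both describe, as an added illustration that is not Plainpad's code (written in Python rather than the app's PHP): a handler that persists every submitted attribute, including admin, beside a hardened handler that authorizes the caller and allowlists fields by role. The User record, make_users, update_user_vulnerable and update_user_hardened are assumed names for this example only.

```python
# Added illustration, not Plainpad's code: the user-update pattern the
# advisory describes (every submitted attribute persisted, including
# 'admin') next to a hardened handler that allowlists fields by caller role.
from dataclasses import dataclass


@dataclass
class User:                      # assumed minimal user record
    id: int
    name: str
    admin: bool = False


def make_users() -> dict:
    """Constructed in-memory user table: one admin, one ordinary user."""
    return {1: User(1, "alice", admin=True), 2: User(2, "bob")}


def update_user_vulnerable(users: dict, caller: User, target_id: int, body: dict) -> User:
    """CWE-269 pattern from the advisory: the body is trusted wholesale, so a
    low-privilege caller can PUT {"admin": true} against its own id."""
    target = users[target_id]
    for key, value in body.items():
        setattr(target, key, value)          # no check on who may set 'admin'
    return target


SELF_EDITABLE = {"name"}    # fields any user may change on their own account
ADMIN_ONLY = {"admin"}      # fields only an administrator may change


def update_user_hardened(users: dict, caller: User, target_id: int, body: dict) -> User:
    """Authorize first, then persist only explicitly allowlisted fields."""
    target = users[target_id]
    if not caller.admin and caller.id != target.id:
        raise PermissionError("non-admins may only edit their own account")
    allowed = SELF_EDITABLE | (ADMIN_ONLY if caller.admin else set())
    rejected = set(body) - allowed          # unknown fields are rejected, not ignored
    if rejected:
        raise PermissionError(f"not permitted to set {sorted(rejected)}")
    for key in body:                         # body validated; safe to persist
        setattr(target, key, body[key])
    return target
```

Rejecting unexpected fields outright, rather than silently dropping them, also gives the server a log event worth alerting on when an ordinary account submits admin.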


Remediation (AI)

Within 24 hours: Identify all Plainpad deployments and document current version numbers; restrict API access to the user update endpoint via network controls or WAF rules if possible. Within 7 days: Contact Plainpad vendor for patch availability timeline and interim guidance; implement compensating controls such as disabling self-service password/profile updates if business operations permit. …


CVE-2026-42562 vulnerability details – vuln.today
