Skip to main content

Js Help Desk EUVDEUVD-2026-15909

| CVE-2026-32535 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-25 Patchstack GHSA-r3wv-xr72-34x9
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15909
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
MEDIUM 6.5

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Help Desk js-support-ticket allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Help Desk: from n/a through <= 3.0.3.

AnalysisAI

JS Help Desk (JoomSky) versions up to 3.0.3 contain an authorization bypass vulnerability caused by insecure direct object references (IDOR) and incorrectly configured access control security levels. An attacker with minimal or no privileges can exploit user-controlled keys in API requests or direct object references to access, modify, or view unauthorized help desk tickets, user data, and support resources. While no CVSS score is currently assigned and KEV/EPSS data are unavailable, the vulnerability has been publicly reported by Patchstack with reference documentation available.

Technical ContextAI

The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), a class of flaw where an application uses user-supplied input to directly reference resources without proper authorization verification. In JS Help Desk (cpE: cpe:2.3:a:joomsky:js_help_desk:*:*:*:*:*:*:*:*), the affected component likely exposes object identifiers (ticket IDs, user IDs, or support queue references) as parameters that are not properly validated against the requesting user's access control list. This is compounded by incorrectly configured access control security levels that fail to enforce role-based or permission-based restrictions on resource access. The vulnerability affects the core authorization layer of the help desk application rather than a specific third-party library.

RemediationAI

Upgrade JS Help Desk to a version greater than 3.0.3 where the authorization bypass has been remediated; consult the vendor security advisory and release notes at https://patchstack.com/database/Wordpress/Plugin/js-support-ticket/vulnerability/wordpress-js-help-desk-plugin-3-0-3-insecure-direct-object-references-idor-vulnerability for specific patched versions. As an interim measure, enforce strict role-based access control (RBAC) policies by auditing and tightening security levels within the application's access control configuration, restricting API endpoints to authenticated users only, and implementing rate limiting and request validation on ticket and resource access endpoints. Monitor help desk activity logs for suspicious patterns of unauthorized resource access or enumeration attempts.

CVE-2023-50839 CRITICAL POC
9.3 Dec 28

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS He

CVE-2024-43274 CRITICAL
9.8 Nov 01

Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin allows Accessing Func

CVE-2024-31273 CRITICAL
9.8 Jun 09

Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin.8.3. Rated critical s

CVE-2026-48886 CRITICAL
9.3 Jun 15

SQL injection in the JS Help Desk WordPress plugin versions 3.0.9 and earlier allows remote unauthenticated attackers to

CVE-2022-47151 HIGH
8.6 Apr 17

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS He

CVE-2026-32534 HIGH
8.5 Mar 25

JoomSky JS Help Desk contains a blind SQL injection vulnerability in versions through 3.0.3 that allows attackers to exe

CVE-2026-56054 HIGH
7.7 Jun 25

Arbitrary file deletion in the JS Help Desk (JS Support Ticket) WordPress plugin versions 3.1.1 and earlier lets a low-p

CVE-2024-13606 HIGH
7.5 Feb 13

The JS Help Desk - The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information E

CVE-2026-48887 MEDIUM
6.5 Jun 15

Broken Access Control in the JS Help Desk WordPress plugin version 3.0.9 and earlier enables unauthenticated remote atta

CVE-2022-46842 MEDIUM
5.4 Feb 02

Cross-Site Request Forgery (CSRF) vulnerability in JS Help Desk plugin <= 2.7.1 versions. Rated medium severity (CVSS 5.

Share

EUVD-2026-15909 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy