Skip to main content

Scoold

5 CVEs product

Monthly

CVE-2026-42176 MEDIUM PATCH This Month

Authentication bypass in Scoold prior to version 1.67.0 allows high-privileged attackers to inject arbitrary administrator email addresses via the /api/config/set/admins endpoint using a forged Bearer token, establishing persistent administrative access after application restart. The vulnerability exploits insufficient token validation in the configuration API, enabling attackers to escalate privileges reliably by injecting their own email into the admin configuration file, which is loaded on startup.

Authentication Bypass Scoold
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-39354 MEDIUM PATCH This Month

Scoold versions prior to 1.66.2 allow authenticated low-privilege users to overwrite arbitrary existing questions by submitting a POST request to /questions/ask with another user's question ID as the postId parameter. Since question IDs are publicly visible in URLs, attackers can identify target questions and replace their content with malicious text, corrupting discussion threads and destroying legitimate user-generated content. The vulnerability requires only basic user authentication and network access, making it trivially exploitable by any logged-in account.

Authentication Bypass Scoold
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-34832 MEDIUM PATCH This Month

{id}/delete endpoint. The vulnerability requires login but lacks object ownership verification, enabling lateral privilege escalation where any team member can destroy feedback created by colleagues or administrators. No public exploit code or active exploitation has been identified; the issue was discovered during code review and patched in version 1.66.1.

Authentication Bypass Scoold
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-50334 HIGH POC This Week

Scoold is a Q&A and a knowledge sharing platform for teams. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Scoold
NVD GitHub
CVSS 4.0
8.7
EPSS
1.0%
CVE-2022-1543 HIGH POC PATCH This Week

Improper handling of Length parameter in GitHub repository erudika/scoold prior to 1.49.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Buffer Overflow Scoold
NVD GitHub
CVSS 3.1
8.8
EPSS
1.1%
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Authentication bypass in Scoold prior to version 1.67.0 allows high-privileged attackers to inject arbitrary administrator email addresses via the /api/config/set/admins endpoint using a forged Bearer token, establishing persistent administrative access after application restart. The vulnerability exploits insufficient token validation in the configuration API, enabling attackers to escalate privileges reliably by injecting their own email into the admin configuration file, which is loaded on startup.

Authentication Bypass Scoold
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Scoold versions prior to 1.66.2 allow authenticated low-privilege users to overwrite arbitrary existing questions by submitting a POST request to /questions/ask with another user's question ID as the postId parameter. Since question IDs are publicly visible in URLs, attackers can identify target questions and replace their content with malicious text, corrupting discussion threads and destroying legitimate user-generated content. The vulnerability requires only basic user authentication and network access, making it trivially exploitable by any logged-in account.

Authentication Bypass Scoold
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

{id}/delete endpoint. The vulnerability requires login but lacks object ownership verification, enabling lateral privilege escalation where any team member can destroy feedback created by colleagues or administrators. No public exploit code or active exploitation has been identified; the issue was discovered during code review and patched in version 1.66.1.

Authentication Bypass Scoold
NVD GitHub
EPSS 1% CVSS 8.7
HIGH POC This Week

Scoold is a Q&A and a knowledge sharing platform for teams. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Scoold
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Improper handling of Length parameter in GitHub repository erudika/scoold prior to 1.49.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Buffer Overflow Scoold
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy