CVE-2026-39354 Erudika — Exploit & Vulnerability Details MEDIUM

Parameter	Value
CVSS	6.5 (MEDIUM)
Affected Versions	before 1.66.2
Fixed In	1.66.2
Type	CWE-639 (Authorization Bypass)
Vendor	Erudika
Public PoC	No

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing question by supplying that question's public ID as the postId parameter to POST /questions/ask. Because question IDs are exposed in normal question URLs, a low-privilege attacker can take a victim question ID from a public page and cause attacker-controlled content to be stored under that existing question object. This causes direct integrity loss of user-generated content and corrupts the integrity of the existing discussion thread.

This vulnerability is fixed in 1.66.2.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

None

No data leak

Integrity

High

Complete data modification

Availability

None

No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-639 Authorization Bypass

Vulnerable Products 1

Configuration	From (including)	Up to (excluding)
Erudika Scoold cpe:2.3:a:erudika:scoold::::::::	—	`1.66.2`

References 1

https://github.com/Erudika/scoold/security/advisories/GHSA-768r-cv9p-wrcm

security-advisories@github.com

Menu

CVE-2026-39354

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

Vulnerable Products 1

References 1

CVE Details

Editor's Choice

Menu

CVE-2026-39354

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

Vulnerable Products 1

References 1

CVE Details

Editor's Choice

Stay informed on cybersecurity