PT-2026-26171

Summary The delete, activate, and deactivate modes in modules/groups-roles/groups roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement, which includes it in the POST body, but the...