CVE-2026-39354 Scoold has an Authenticated Arbitrary Question Overwrite via Client-Controlled postId in POST /questions/ask

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing question by supplying that question's public ID as the postId parameter to POST /questions/ask...

CVE-2026-39354

CVE-2026-39354 affects Scoold prior to version 1.66.2, where an authenticated low-privilege user can overwrite another user’s question by supplying the victim question’s public ID as postId to POST /questions/ask. This enables direct integrity loss in an existing discussion thread. Root cause is ...

CVE-2026-39354 Scoold has an Authenticated Arbitrary Question Overwrite via Client-Controlled postId in POST /questions/ask

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing question by supplying that question's public ID as the postId parameter to POST /questions/ask...

EUVD-2026-6100

Mattermost versions 11.1.x = 11.1.2, 10.11.x = 10.11.9, 11.2.x = 11.2.1 and Mattermost Plugin Zoom versions =1.11.0 fail to validate user identity and post ownership in the /api/v1/askPMI endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via...