CVE-2026-59237
Roskus Prospero Flow CRM prior to 5.5.3 is affected by an IDOR (CWE-639) vulnerability in the Order and OrderItem REST API controllers. The issue arises because Order::find($id) / Item::find($id) are not scoped to the authenticated user’s company, enabling a remote, authenticated user to read, mo...