Description
Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure
Published: 2026-02-06
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Access control settings for forum post custom fields are not enforced when the EasyDiscuss extension outputs data as JSON. This omission allows an attacker to retrieve sensitive custom field information that should be restricted, resulting in unauthorized exposure of potentially private or confidential data.

Affected Systems

The vulnerability affects the Stackideas EasyDiscuss extension for Joomla, specifically versions 1.0.0 through 5.0.15. Any Joomla site that has this extension installed and exposes the JSON output for post custom fields is susceptible.

Risk and Exploitability

The CVSS score of 9.2 indicates a severe impact, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers could exploit it by sending unauthenticated HTTP requests to the JSON endpoint, bypassing ACL checks and obtaining the data. The high severity combined with the low current exploitation likelihood still presents a high risk if the vulnerable version remains in use.

Generated by OpenCVE AI on April 18, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the EasyDiscuss extension to a version newer than 5.0.15 to correct the ACL enforcement flaw.
  • If an immediate upgrade is not possible, block or protect the JSON endpoint for post custom fields by configuring Joomla’s .htaccess rules to require authentication or by using the extension’s settings to disable JSON output for sensitive custom fields.
  • Review and restrict access permissions in Joomla’s ACL for forum content and custom field data, ensuring only authorized user groups can view those fields.

Generated by OpenCVE AI on April 18, 2026 at 18:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://stackideas.com/easydiscuss cve-icon cve-icon
History

Wed, 18 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:stackideas:easydiscuss:*:*:*:*:*:joomla\!:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Joomla
Joomla joomla
Joomla joomla!
Stackideas
Stackideas easydiscuss
Vendors & Products Joomla
Joomla joomla
Joomla joomla!
Stackideas
Stackideas easydiscuss

Fri, 06 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 08:00:00 +0000

Type Values Removed Values Added
Description Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure
Title Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.15 for Joomla
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Joomla Joomla Joomla!
Stackideas Easydiscuss
cve-icon MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-02-20T14:23:01.677Z

Reserved: 2026-01-01T04:42:27.960Z

Link: CVE-2026-21626

cve-icon Vulnrichment

Updated: 2026-02-06T14:46:38.168Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T08:15:53.697

Modified: 2026-02-18T17:26:54.950

Link: CVE-2026-21626

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z

Weaknesses