Description
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.
Published: 2026-04-02
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of User Feedback
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an IDOR (CWE-639) that allows a logged‑in, low‑privilege user to delete any other user’s feedback post by specifying its identifier in a POST request to /feedback/{id}/delete. Authentication is enforced, but the handler never checks that the caller owns the post or holds a moderator/admin role, so any account that knows or guesses a feedback ID can remove that content and disrupt knowledge sharing within the platform. The CVSS vector scores this as a High integrity impact (C:N/I:H/A:N): user contributions are destroyed, while the service itself stays up.

Affected Systems

Erudika’s Scoold platform, versions prior to 1.66.1, is affected. The issue was fixed in release 1.66.1.

Risk and Exploitability

With a CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N), the flaw is classified as Medium severity. Exploitation requires an authenticated account, but any standard user can delete content once they know or guess the target feedback ID; the advisory reports that a second non-privileged account deleted a victim’s post in verification. The EPSS score is below 1% (Very Low), the issue is not listed in CISA’s KEV catalog, and the SSVC assessment records Exploitation: poc, Automatable: no, Technical Impact: partial. The attack is a network-reachable, authenticated POST to /feedback/{id}/delete in which the attacker substitutes the victim’s feedback identifier for their own.

Generated by OpenCVE AI on April 2, 2026 at 22:20 UTC.

Remediation

Vendor fix available: upgrade Scoold to version 1.66.1 or later, which enforces object ownership (or moderator/admin authorization) in the feedback delete handler. No workaround short of upgrading is documented.

OpenCVE Recommended Actions

  • Upgrade Scoold to version 1.66.1 or newer
  • Restrict delete functionality so that only the owner or an administrator can delete feedback items
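To make the authorization gap described under Impact and the owner-or-administrator rule in the recommended actions concrete, the following is an added illustrative model written for this page in Python. It is not Scoold’s own (Java) code and is not taken from the advisory: a minimal in-memory feedback store, the pre-1.66.1 handler pattern (authentication only) beside a hardened handler that also checks ownership or moderator status, and a small harness that replays the cross-account scenario. The class names, the `is_mod` flag, the feedback IDs and the sample accounts are all assumptions made for the demonstration.

```python
"""Added example for CVE-2026-34832 (not Scoold's code): models the missing
object-level authorization in POST /feedback/{id}/delete and the check that
closes it. All names, the store and the sample data below are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


class Forbidden(Exception):
    """Caller is anonymous or not allowed to act on this object."""


class NotFound(Exception):
    """The supplied feedback id does not resolve to a post."""


@dataclass(frozen=True)
class User:
    user_id: str
    is_mod: bool = False  # moderator/admin flag (assumed role model)


@dataclass
class Feedback:
    post_id: str
    author_id: str  # owner recorded server-side at creation time
    body: str


@dataclass
class FeedbackStore:
    posts: Dict[str, Feedback] = field(default_factory=dict)

    def add(self, post: Feedback) -> None:
        self.posts[post.post_id] = post

    def get(self, post_id: str) -> Feedback:
        if post_id not in self.posts:
            raise NotFound(post_id)
        return self.posts[post_id]


def delete_feedback_vulnerable(store: FeedbackStore, current_user: Optional[User],
                               post_id: str) -> bool:
    """Pre-1.66.1 pattern as the advisory describes it (CWE-639): the caller
    must be logged in, but the post is never tied back to the caller."""
    if current_user is None:
        raise Forbidden("authentication required")
    store.get(post_id)  # existence check only; no ownership or role check
    del store.posts[post_id]
    return True


def delete_feedback_fixed(store: FeedbackStore, current_user: Optional[User],
                          post_id: str) -> bool:
    """Hardened handler: authentication AND object-level authorization.
    The object is loaded first so the decision is made against the stored
    author, never against anything the client supplied in the request."""
    if current_user is None:
        raise Forbidden("authentication required")
    post = store.get(post_id)
    if post.author_id != current_user.user_id and not current_user.is_mod:
        raise Forbidden(f"user {current_user.user_id} may not delete {post_id}")
    del store.posts[post_id]
    return True


def build_sample_store() -> FeedbackStore:
    """Constructed sample data: one post per account."""
    store = FeedbackStore()
    store.add(Feedback("fb-1001", "victim", "Please add dark mode"))
    store.add(Feedback("fb-1002", "attacker", "Search is slow"))
    return store


Handler = Callable[[FeedbackStore, Optional[User], str], bool]


def attempt_delete(handler: Handler, actor: Optional[User],
                   post_id: str) -> Tuple[str, bool]:
    """Replay one delete against a fresh store.
    Returns (outcome, post_still_present)."""
    store = build_sample_store()
    try:
        handler(store, actor, post_id)
        outcome = "deleted"
    except Forbidden:
        outcome = "forbidden"
    except NotFound:
        outcome = "not_found"
    return outcome, post_id in store.posts


if __name__ == "__main__":
    attacker = User("attacker")
    print("vulnerable:", attempt_delete(delete_feedback_vulnerable, attacker, "fb-1001"))
    print("fixed:     ", attempt_delete(delete_feedback_fixed, attacker, "fb-1001"))
    print("owner:     ", attempt_delete(delete_feedback_fixed, User("victim"), "fb-1001"))
    print("moderator: ", attempt_delete(delete_feedback_fixed, User("mod", is_mod=True), "fb-1001"))
```

The two handlers differ only in the comparison between the stored `author_id` and the authenticated principal, which is the whole fix: load the object, then authorize against its recorded owner, never against an owner field taken from the request body. Whether a non-owner should receive a 403 (as modelled by `Forbidden`) or a 404 is a separate policy choice; a 403 confirms that the guessed ID exists, which matters if feedback IDs are meant to be unguessable.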

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:erudika:scoold:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Erudika; Erudika scoold
Vendors & Products | | Erudika; Erudika scoold

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.
Title | | Scoold: Cross-Account Feedback Deletion (IDOR)
Weaknesses | | CWE-639
References | | 
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T14:43:14.459Z

Reserved: 2026-03-30T20:52:53.284Z

Link: CVE-2026-34832

Vulnrichment

Updated: 2026-04-03T14:43:10.534Z

NVD

Status : Analyzed

Published: 2026-04-02T20:16:27.040

Modified: 2026-04-15T17:29:54.877

Link: CVE-2026-34832

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:16:25Z

Weaknesses