CVE-2026-42291 - Vulnerability Details

Description

SysReptor is a fully customizable pentest reporting platform. From version 2026.4 to before version 2026.27, the endpoints for reading and creating sharing links for personal notes is not properly authorized. This allows authenticated attackers who obtain the note ID of victim users to list and create sharing links to those users' personal notes. This gives attackers read and write access to notes of other users. This exploit works in both SysReptor Professional and Community. In Community it has, however, no impact because all users have superuser permissions and can list personal notes of other users at /admin/pentests/usernotebookpage/. This issue has been patched in version 2026.27.

Published: 2026-05-08

Score: 6.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an authenticated user to create or list sharing links for another user's personal notes without any authorization. This provides the attacker with both read and write capabilities on those notes, effectively enabling unauthorized data manipulation. The flaw aligns with CWE‑639, reflecting a lack of proper access control checks.

Affected Systems

Syslifters’ SysReptor platform is affected, specifically versions from 2026.4 through 2026.26. Both the Professional and Community editions are vulnerable; however, in Community the same permissions already grant all users superuser access to personal notes, so the impact is limited there. The issue is patched in release 2026.27.

Risk and Exploitability

The CVSS score is 6.8, indicating a moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated and have knowledge of the victim's note ID to exploit the flaw. Once accessed, they can read and modify notes, compromising confidentiality and integrity of user data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Syslifters

sysreptor

affected

Version	Status	Constraints
`>= 2026.4, < 2026.27`	affected	—

No data.

Vendor Product Confidence Versions

Syslifters

Sysreptor

100%

Version	Status	Scheme	Platform
`[2026.4,2026.27)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade SysReptor to version 2026.27 or later, which includes the missing authorization check.
Restrict access to the personal note sharing endpoints for all users except administrators until the patch is implemented.
Communicate the change to all users and instruct them to report any unexpected note‑sharing link activity.

Generated by OpenCVE AI on May 8, 2026 at 23:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/Syslifters/sysreptor/releases/tag/2026.27
https://github.com/Syslifters/sysreptor/security/advisories/GHSA-pcpr-q2qj-3v43

History

Sat, 09 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Syslifters Syslifters sysreptor
Vendors & Products		Syslifters Syslifters sysreptor

Fri, 08 May 2026 22:30:00 +0000

Type	Values Removed	Values Added
Description		SysReptor is a fully customizable pentest reporting platform. From version 2026.4 to before version 2026.27, the endpoints for reading and creating sharing links for personal notes is not properly authorized. This allows authenticated attackers who obtain the note ID of victim users to list and create sharing links to those users' personal notes. This gives attackers read and write access to notes of other users. This exploit works in both SysReptor Professional and Community. In Community it has, however, no impact because all users have superuser permissions and can list personal notes of other users at /admin/pentests/usernotebookpage/. This issue has been patched in version 2026.27.
Title		SysReptor: Read-write access to personal notes by sharing-link creation with no authorization in SysReptor Professional
Weaknesses		CWE-639
References		https://github.com/Syslifters/sysreptor/releases/tag/2026.27 https://github.com/Syslifters/sysreptor/security/advisories/GHSA-pcpr-q2qj-3v43
Metrics		cvssV3_1 `{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Syslifters Sysreptor

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-08T21:57:51.099Z

Updated: 2026-05-08T21:57:51.099Z

Reserved: 2026-04-26T12:13:55.551Z

Link: CVE-2026-42291

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T23:16:36.360

Modified: 2026-05-08T23:16:36.360

Link: CVE-2026-42291

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T00:00:23Z

Weaknesses

CWE-639

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object