CVE-2026-21626

Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://stackideas.com/easydiscuss	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:stackideas:easydiscuss:*:*:*:*:*:joomla\!:*:*

History

18 Feb 2026, 17:26

Type	Values Removed	Values Added
References	~~() https://stackideas.com/easydiscuss -~~	() https://stackideas.com/easydiscuss - Product
Summary		(es) La configuración de control de acceso para los campos personalizados de publicaciones del foro no se aplican al tipo de salida JSON, lo que lleva a un vector de violación de ACL y una revelación de información.
CPE		cpe:2.3:a:stackideas:easydiscuss::::::joomla\!::*
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Stackideas easydiscuss Stackideas

06 Feb 2026, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-06 08:15

Updated : 2026-02-18 17:26

NVD link : CVE-2026-21626

Mitre link : CVE-2026-21626

CVE.ORG link : CVE-2026-21626

JSON object : View

Products Affected

stackideas

easydiscuss

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2026-21626", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security@joomla.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-06T08:15:53.697", "references": [{"url": "https://stackideas.com/easydiscuss", "tags": ["Product"], "source": "security@joomla.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@joomla.org", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure"}, {"lang": "es", "value": "La configuraci\u00f3n de control de acceso para los campos personalizados de publicaciones del foro no se aplican al tipo de salida JSON, lo que lleva a un vector de violaci\u00f3n de ACL y una revelaci\u00f3n de informaci\u00f3n."}], "lastModified": "2026-02-18T17:26:54.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:stackideas:easydiscuss:*:*:*:*:*:joomla\\!:*:*", "vulnerable": true, "matchCriteriaId": "1F4EB9D6-4491-4616-8485-B1FDFF3B88E7", "versionEndIncluding": "5.0.15", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@joomla.org"}