CVE-2026-39354

Name of the Vulnerable Software and Affected Versions Scoold versions prior to 1.66.2

Description A flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing question. This is achieved by supplying the question's public ID as the postId parameter to the POST request at the ''/questions/ask'' API endpoint. Question IDs are exposed in normal question URLs, enabling an attacker to take a victim question ID from a public page and replace the existing content with attacker-controlled content. This results in a loss of integrity of user-generated content and corrupts the discussion thread.

Recommendations Update to version 1.66.2 or later.