CVE-2026-42176

Name of the Vulnerable Software and Affected Versions Scoold versions prior to 1.67.0

Description Scoold allows the modification of the admins configuration value via the "/api/config/set/admins" endpoint using a forged Bearer token that is accepted as an admin API token. This action writes a target email address to the application configuration file. While the change is not immediate because the ADMINS set is loaded at startup, a restart of the application results in the selected user being recognized as an administrator with access to the admin panel, providing a reliable persistence path.

Recommendations Update to version 1.67.0.