PT-2026-39204 · Sysreptor · Sysreptor

Pwnpanda +1 · Published 2026-05-08 · Updated 2026-05-09 · CVE-2026-42291

CVSS v3.1: 6.8 (Medium)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

SysReptor versions 2026.4 through 2026.26

Description

Improper authorization in endpoints used for reading and creating sharing links for personal notes allows authenticated attackers with a victim's note ID to list and create sharing links to those notes. This results in unauthorized read and write access to other users' personal notes. This issue affects both Professional and Community editions, although it has no practical impact on the Community edition since all users possess superuser permissions and can already list personal notes via the '/admin/pentests/usernotebookpage/' endpoint.

Recommendations

Update to version 2026.27.
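
A minimal model of the authorization gap described above, added here as an illustration: it is not SysReptor's code or its fix. The in-memory store, the function names and the note IDs are assumptions; the point is that both the list and the create operation must resolve the note within the caller's own notes rather than by ID alone.

```python
"""Added illustration of the flaw class; an in-memory model, not SysReptor code."""
import secrets
from dataclasses import dataclass, field


class NotFound(Exception):
    pass


@dataclass
class Note:
    owner: str
    text: str
    share_tokens: list = field(default_factory=list)


def sample_notes():
    # Constructed sample data: one personal note per user (hypothetical IDs).
    return {"n-alice": Note("alice", "draft finding"), "n-bob": Note("bob", "scratchpad")}


def lookup_unscoped(notes, user, note_id):
    # Flawed pattern: the caller is authenticated, but the note is resolved by ID alone.
    if note_id not in notes:
        raise NotFound(note_id)
    return notes[note_id]


def lookup_scoped(notes, user, note_id):
    # Hardened pattern: resolve only within the caller's own notes. A foreign ID
    # is reported exactly like a missing one, so the response confirms nothing.
    note = notes.get(note_id)
    if note is None or note.owner != user:
        raise NotFound(note_id)
    return note


def list_share_links(notes, user, note_id, lookup):
    return list(lookup(notes, user, note_id).share_tokens)


def create_share_link(notes, user, note_id, lookup):
    note = lookup(notes, user, note_id)
    token = secrets.token_urlsafe(16)
    note.share_tokens.append(token)
    return token
```

A regression test for this class of bug should exercise every endpoint that takes the note ID, as a second non-owner user, and expect the same response as for a nonexistent ID.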

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-42291

Affected Products

Sysreptor