CVE-2026-21626
Published 2026-02-06
CVE-2026-21626: Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector and information disclosure.
Priority P3 · 44 · high · CVSS 3.1 base score 7.5
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.37% (28.7th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| stackideas.com | easydiscuss_extension_for_joomla | — | — |
| stackideas | easydiscuss | 1.0.0 – 5.0.15 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 8.6 | HIGH | — |
GHSA
ciguard: Container image runs as root (no USER directive)
ghsa · 2026-05-05 · CVSS 8.6
CVE-2026-44218 [HIGH] CWE-269
## Summary
The published `ghcr.io/jo-jo98/ciguard` container image inherits the default root user because the `Dockerfile` lacks a `USER` directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactful than it needs to be.
## Threat scenario
Defence-in-depth gap. Without a known container-runtime CVE in the chain, this finding is not directly exploitable. Recent runc CVEs (e.g. CVE-2024-21626) provided escape primitives that depended on host UID = container UID = 0 for full impact; with this fix, any future such escape primitive lands as a non-root user on the host.
## Patch
- Dockerfile adds `RUN groupadd -r ciguard && us
GHSA
GHSA-xfjv-gcf8-3jqc: Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector and information disclo
ghsa_unreviewed · 2026-02-06
CVE-2026-21626 [CRITICAL] CWE-200
Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector and information disclosure.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-02-06