216.73.217.126

CVE-2026-3321

· Published 30/03/2026 14:16 · Modified 30/03/2026 14:16

Labels: CVE-2026-3321 2026-03-30CVE-2026-3321CWE-639[email protected]

Essential information

Published
30/03/2026 14:16
Modified
30/03/2026 14:16
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

A vulnerability of authorization bypass through user-controlled key in the 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q&A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
console-survey / api cpe:2.3:a:console-survey:api:*:*:*:*:*:*:*:*

References