{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21626", "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "state": "PUBLISHED", "assignerShortName": "Joomla", "dateReserved": "2026-01-01T04:42:27.960Z", "datePublished": "2026-02-06T07:49:42.606Z", "dateUpdated": "2026-02-20T14:23:01.677Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "EasyDiscuss extension for Joomla", "vendor": "Stackideas.com", "versions": [{"status": "affected", "version": "1.0.0-5.0.15"}]}], "credits": [{"lang": "en", "type": "finder", "value": "creative-graphics.ch"}, {"lang": "en", "type": "finder", "value": "djumla.de"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure"}], "value": "Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "references": [{"tags": ["product"], "url": "https://stackideas.com/easydiscuss"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "baseSeverity": "CRITICAL", "baseScore": 9.2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla", "dateUpdated": "2026-02-20T14:23:01.677Z"}, "source": {"discovery": "UNKNOWN"}, "title": "Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.15 for Joomla", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T14:46:20.272238Z", "id": "CVE-2026-21626", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T14:46:46.904Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21626", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T14:46:20.272238Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T14:46:38.168Z"}}], "cna": {"title": "Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.15 for Joomla", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "creative-graphics.ch"}, {"lang": "en", "type": "finder", "value": "djumla.de"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Stackideas.com", "product": "EasyDiscuss extension for Joomla", "versions": [{"status": "affected", "version": "1.0.0-5.0.15"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://stackideas.com/easydiscuss", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure", "supportingMedia": [{"type": "text/html", "value": "Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla", "dateUpdated": "2026-02-20T14:23:01.677Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21626", "state": "PUBLISHED", "dateUpdated": "2026-02-20T14:23:01.677Z", "dateReserved": "2026-01-01T04:42:27.960Z", "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "datePublished": "2026-02-06T07:49:42.606Z", "assignerShortName": "Joomla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stackideas:easydiscuss:*:*:*:*:*:joomla\\!:*:*", "matchCriteriaId": "1F4EB9D6-4491-4616-8485-B1FDFF3B88E7", "versionEndIncluding": "5.0.15", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure"}, {"lang": "es", "value": "La configuraci\u00f3n de control de acceso para los campos personalizados de publicaciones del foro no se aplican al tipo de salida JSON, lo que lleva a un vector de violaci\u00f3n de ACL y una revelaci\u00f3n de informaci\u00f3n."}], "id": "CVE-2026-21626", "lastModified": "2026-02-18T17:26:54.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@joomla.org", "type": "Secondary"}]}, "published": "2026-02-06T08:15:53.697", "references": [{"source": "security@joomla.org", "tags": ["Product"], "url": "https://stackideas.com/easydiscuss"}], "sourceIdentifier": "security@joomla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@joomla.org", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T18:24:51.011059+00:00", "value": {"mitigation_remediation": ["Upgrade the EasyDiscuss extension to a version newer than 5.0.15 to correct the ACL enforcement flaw.", "If an immediate upgrade is not possible, block or protect the JSON endpoint for post custom fields by configuring Joomla\u2019s .htaccess rules to require authentication or by using the extension\u2019s settings to disable JSON output for sensitive custom fields.", "Review and restrict access permissions in Joomla\u2019s ACL for forum content and custom field data, ensuring only authorized user groups can view those fields."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Stackideas EasyDiscuss extension for Joomla, specifically versions 1.0.0 through 5.0.15. Any Joomla site that has this extension installed and exposes the JSON output for post custom fields is susceptible.", "description_and_impact": "Access control settings for forum post custom fields are not enforced when the EasyDiscuss extension outputs data as JSON. This omission allows an attacker to retrieve sensitive custom field information that should be restricted, resulting in unauthorized exposure of potentially private or confidential data.", "risk_and_exploitability": "The CVSS score of 9.2 indicates a severe impact, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers could exploit it by sending unauthenticated HTTP requests to the JSON endpoint, bypassing ACL checks and obtaining the data. The high severity combined with the low current exploitation likelihood still presents a high risk if the vulnerable version remains in use."}}}}, "created": "2026-02-09T10:52:40.156271+00:00", "updated": "2026-04-18T18:30:07.287229+00:00", "vendors": ["joomla", "joomla$PRODUCT$joomla", "joomla$PRODUCT$joomla!", "stackideas", "stackideas$PRODUCT$easydiscuss"]}