CVE-2026-39903
Gravedad CVSS v4.0:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
10/07/2026
Última modificación:
10/07/2026
Descripción
*** Pendiente de traducción *** Simple Machines Forum 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5 contains an authorization bypass vulnerability in Sources/Actions/AttachmentApprove.php where a single-character operator error causes the permission check to always pass regardless of user permissions. An authenticated low-privileged user can approve, reject, or delete any pending attachments on any board without holding the required approve_posts permission, bypass moderation queues for their own uploads, and enumerate and delete other users' pending attachments.
Impacto
Puntuación base 4.0
7.10
Gravedad 4.0
ALTA
Puntuación base 3.x
7.10
Gravedad 3.x
ALTA
Referencias a soluciones, herramientas e información
- https://github.com/SimpleMachines/SMF/commit/7d048f8d66aab9af51cd6ee110fbad103cf673e8
- https://github.com/SimpleMachines/SMF/commit/a7875e876a647572dd4c45da881b875092caac3d
- https://github.com/SimpleMachines/SMF/pull/9181
- https://github.com/SimpleMachines/SMF/pull/9182
- https://www.vulncheck.com/advisories/simple-machines-forum-authorization-bypass-via-attachmentapprove-php



