https://vulnerability.circl.lu/sightings/feedMost recent sightings.2026-06-09T18:30:27.005805+00:00Vulnerability-Lookupinfo@circl.lupython-feedgenContains only the most 10 recent sightings.https://vulnerability.circl.lu/sighting/19dcf2a7-ef0d-45ca-97c0-bb23731e1305/export19dcf2a7-ef0d-45ca-97c0-bb23731e13052026-06-09T18:30:27.474658+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "19dcf2a7-ef0d-45ca-97c0-bb23731e1305", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42562", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mlh5dtx2v42n", "content": "\ud83d\udfe0 CVE-2026-42562 - High (8.3)\n\nPlainpad is a self hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privileg...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42562/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-09T21:02:10.182417Z"}2026-05-09T21:02:10.182417+00:00https://vulnerability.circl.lu/sighting/10e2a796-1609-4eb1-bcf7-36b78226d799/export10e2a796-1609-4eb1-bcf7-36b78226d7992026-06-09T18:30:27.474500+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "10e2a796-1609-4eb1-bcf7-36b78226d799", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42562", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlh6fd7nxr2k", "content": "CVE-2026-42562 - Plainpad: Privilege Escalation via Writable Admin Field in Profile Update (Access Control)\nCVE ID : CVE-2026-42562\n \n Published : May 9, 2026, 8:16 p.m. | 33\u00a0minutes ago\n \n Description : Plainpad is a self hosted note taking app. Prior to version 1.1.1, Plainp...", "creation_timestamp": "2026-05-09T21:20:52.965637Z"}2026-05-09T21:20:52.965637+00:00https://vulnerability.circl.lu/sighting/eacaa05a-9346-4a05-a951-47f8ff4c426b/exporteacaa05a-9346-4a05-a951-47f8ff4c426b2026-06-09T18:30:27.472083+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "eacaa05a-9346-4a05-a951-47f8ff4c426b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42562", "type": "seen", "source": "https://gist.github.com/ImTopz/33a987bda3c2850a7e9f373a49b245a7", "content": "# Defensive Analysis: CVE-2026-42562 in Plainpad\n\n## Summary\n\nCVE-2026-42562 is a privilege-management issue in Plainpad, a self-hosted PHP note-taking application. The affected versions are Plainpad releases before 1.1.1.\n\nThe issue is a good example of a common web application mistake: a profile update endpoint accepted a privileged account field from user-controlled input. A low-privilege authenticated user could change role state that should only be controlled by an administrator.\n\nThis is a defensive review note. It does not include exploitation instructions. The goal is to document the affected versions, the authorization boundary, the upstream fix, and practical checks for developers and operators.\n\n## Affected Versions\n\n- Affected: Plainpad versions before 1.1.1\n- Fixed: Plainpad 1.1.1 and later\n\n## Public References\n\n- CVE AWG: https://cveawg.mitre.org/api/cve/CVE-2026-42562\n- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42562\n- GitHub Security Advisory: https://github.com/alextselegidis/plainpad/security/advisories/GHSA-pvfv-wvpm-q6f6\n- GitHub issue: https://github.com/alextselegidis/plainpad/issues/138\n- Patch commit: https://github.com/alextselegidis/plainpad/commit/9216a876d27b22c3d9259551636d803f7cb075fc\n- Plainpad 1.1.1 release: https://github.com/alextselegidis/plainpad/releases/tag/1.1.1\n\n## Root Cause Boundary\n\nThe vulnerable boundary was field-level authorization during user profile updates.\n\nIn a web application, it is not enough to check that a user is authenticated before accepting a profile update. The server also has to decide which fields that user is allowed to change. Normal profile fields and privileged role fields should not be treated the same way.\n\nFrom a defensive perspective, the relevant rules are:\n\n- A regular user may update their own profile data.\n- Only an administrator should be able to change administrative role state.\n- Privileged fields should be ignored, rejected, or handled through a separate admin-only path.\n- Server-side authorization must be based on the authenticated actor, not on values supplied by the request body.\n\n## Patch Review\n\nThe upstream patch changes the update path so that the authenticated actor is checked explicitly. It also gates the admin-role assignment behind an administrator check, instead of persisting that field directly from the request.\n\nThe release notes for 1.1.1 call out this fix as a privilege-escalation vulnerability where any authenticated user could grant themselves admin. The same release also includes other hardening work around account recovery and list sorting.\n\nAt a high level, the fix moves Plainpad from:\n\n- user update input can directly affect privileged role state\n\nto:\n\n- only an authenticated administrator can change that privileged field\n\nThat is the right remediation shape. The important fix is not just input validation; it is authorization at the field level.\n\n## Defensive Validation Plan\n\nFor a system you own or are authorized to review:\n\n1. Identify the deployed Plainpad version.\n2. Check whether it is older than 1.1.1.\n3. Review the user update controller for privileged fields accepted from user input.\n4. Upgrade to Plainpad 1.1.1 or later.\n5. Confirm that normal users can still update normal profile fields.\n6. Confirm that normal users cannot change administrative role state.\n7. Review account and audit logs for unexpected role changes.\n\n## Operator Remediation\n\n- Upgrade to Plainpad 1.1.1 or later.\n- Review user accounts for unexpected administrator privileges.\n- Rotate credentials for accounts that had unexpected role changes.\n- Restrict access to the application while updating if compromise is suspected.\n- Add regression tests around field-level authorization for user update endpoints.\n\n## Why This Case Is Useful\n\nThis vulnerability is small enough to reason about clearly, but it represents a real class of web application bug. Many applications protect routes but forget that individual fields inside an allowed request may need separate authorization.\n\nCVE-2026-42562 is a useful reminder that profile update endpoints deserve careful review. The route can be legitimate, the user can be logged in, and the request can still contain fields that the actor should never be allowed to control.\n\n## Attribution\n\nOriginal reporter credit in the GitHub advisory belongs to `QiaoNPC`. This note is an independent defensive analysis and patch-validation summary based on public sources.\n\n## Status\n\nPublished by `ImTopz` for defensive review and CVP verification context.\n", "creation_timestamp": "2026-06-05T14:49:28.000000Z"}2026-06-05T14:49:28+00:00