Camaleon CMS 2.9.2 - Improper authorization in draft autosave endpoint
CVE-2026-10715

5.1MEDIUM

Key Information:

Vendor: Camaleon Cms
Status: Camaleon Cms
Vendor: CVE Published:; 12 June 2026

🔔 Create Camaleon Cms Vulnerability Alert

What is CVE-2026-10715?

Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type/<POST_TYPE_ID>/drafts and overwrite the draft associated with another user's post.

Affected Version(s)

Camaleon CMS Windows 2.9.2

References

https://fluidattacks.com/es/advisories/billie

third-party-advisory

https://github.com/owen2345/camaleon-cms

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jun 2, 2026

Credit

Fluid Attacks' AI SAST Scanner

Oscar Naveda

CVE-2026-10715 Data

JSON