Authorization Flaw in SysReptor Pentest Reporting Platform
CVE-2026-42291

6.8MEDIUM

Key Information:

Vendor: Syslifters
Status: Sysreptor
Vendor: CVE Published:; 8 May 2026

What is CVE-2026-42291?

A security flaw in SysReptor allows authenticated attackers to exploit improperly authorized endpoints, enabling them to access and manipulate personal notes of users by leveraging note IDs. In the Professional edition, this presents a significant risk, as attackers can create and share unauthorized links to sensitive notes. Although Community users have superuser permissions, rendering this flaw less impactful, it's essential for all users to update to version 2026.27 to mitigate potential risks. Full details of the issue and its resolution can be found in the advisory.

Affected Version(s)

sysreptor >= 2026.4, < 2026.27

References

https://github.com/Syslifters/sysreptor/security/advisori...

x_refsource_CONFIRM

https://github.com/Syslifters/sysreptor/releases/tag/2026.27

x_refsource_MISC

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2026
Vulnerability Reserved
Apr 26, 2026

CVE-2026-42291 Data

JSON