PatchSiren cyber security CVE debrief
CVE-2026-10715 Camaleon CMS CVE debrief
CVE-2026-10715 is an improper authorization vulnerability in Camaleon CMS 2.9.2. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type/<POST_TYPE_ID>/drafts and overwrite the draft associated with another user's post. The CVSS score for this vulnerability is 5.1, and the severity is rated as MEDIUM.
- Vendor: Camaleon CMS
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Anyone running Camaleon CMS 2.9.2, particularly sites that give users low-privileged authenticated access, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability exists in the administrator draft autosave endpoint of Camaleon CMS 2.9.2. An attacker with low-privileged authenticated access can exploit this vulnerability by sending an arbitrary post_id to the POST /admin/post_type/<POST_TYPE_ID>/drafts endpoint, allowing them to overwrite the draft associated with another user's post.
Defensive priority
MEDIUM
Recommended defensive actions
- Update Camaleon CMS to a version that patches this vulnerability, if available.
- Restrict access to the administrator draft autosave endpoint to only authorized users.
- Monitor for suspicious activity on the /admin/post_type/<POST_TYPE_ID>/drafts endpoint.
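One way to approach the monitoring step, as an added example that is not Camaleon CMS or PatchSiren code: it scans an audit log for draft saves on the affected route where the submitted post_id is not owned by the requesting user. The JSON-lines log format, its field names, and the post ownership export are assumptions constructed for this sketch.

```ruby
require "json"

# Matches the draft autosave route named in the advisory.
DRAFTS_ROUTE = %r{\A/admin/post_type/(\d+)/drafts/?\z}

# Constructed ownership export: post id => id of the user who owns the post.
POST_OWNERS = { 101 => 7, 102 => 7, 205 => 12 }.freeze

# Constructed audit log (JSON lines). Field names are assumptions, not Camaleon's.
SAMPLE_LOG = <<~LOG
  {"ts":"2026-06-13T09:00:01Z","user_id":7,"method":"POST","path":"/admin/post_type/2/drafts","post_id":"101"}
  {"ts":"2026-06-13T09:00:09Z","user_id":12,"method":"POST","path":"/admin/post_type/2/drafts","post_id":"101"}
  {"ts":"2026-06-13T09:00:15Z","user_id":12,"method":"GET","path":"/admin/post_type/2/posts","post_id":"101"}
  {"ts":"2026-06-13T09:00:20Z","user_id":12,"method":"POST","path":"/admin/post_type/2/drafts","post_id":"999"}
  {"ts":"2026-06-13T09:00:31Z","user_id":12,"method":"POST","path":"/admin/post_type/2/drafts"}
  not json at all
LOG

# Returns one finding per draft save whose post_id belongs to someone else
# (:foreign_post) or is missing from the ownership export (:unknown_post).
def suspicious_draft_saves(log_text, owners)
  log_text.each_line.filter_map do |line|
    event = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next # skip lines that are not audit records
    end
    next unless event.is_a?(Hash)
    next unless event["method"] == "POST" && DRAFTS_ROUTE.match?(event["path"].to_s)
    next if event["post_id"].nil? # no post_id in the record: nothing to compare
    post_id = Integer(event["post_id"].to_s, 10, exception: false)
    owner = owners[post_id]
    next if owner && owner == event["user_id"]
    { ts: event["ts"], user_id: event["user_id"], post_id: event["post_id"],
      reason: owner ? :foreign_post : :unknown_post }
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_draft_saves(SAMPLE_LOG, POST_OWNERS).each { |f| puts f.to_json }
end
```

Accounts whose role legitimately allows editing other users' posts will also appear as `:foreign_post` and need to be allowlisted before alerting on the output.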
Evidence notes
The CVE-2026-10715 record was published on 2026-06-12T19:16:25.387Z and modified on 2026-06-12T20:16:43.000Z. The vendor and product information is not yet confirmed.