PatchSiren

avo-hq CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL avo-hq CVE published 2026-07-17

CVE-2026-55518

CVE-2026-55518 is a critical vulnerability in the Avo framework for Ruby on Rails apps. An authenticated low-privileged Avo user can bypass hidden or disabled attach controls and directly attach related records to a parent record by sending a crafted POST request. This can lead to privilege escalation and cross-tenant data exposure where associations represent authorization-bearing relationships. The vuln [truncated]