PatchSiren

Roskus CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Roskus CVE published 2026-07-16

CVE-2026-59237

CVE-2026-59237 is an authorization bypass vulnerability in Roskus Prospero Flow CRM before 5.5.3. A remote, authenticated user can read, modify, and delete orders and order items belonging to any other company (tenant) via a sequential numeric {id} supplied to GET /api/order/{id}, PUT /api/order/{id}, GET /api/order-item/{id}, PUT /api/order-item/{id}, or DELETE /api/order-item/{id}. The vulnerability exi [truncated]