Date: 
2026-June-24
Vulnerability: 
Access bypass / Insecure Direct Object Reference (IDOR)
Affected versions: 
<2.8.0
CVE IDs: 
CVE-2026-13232
Description: 

This module enables you to collect feedback from your site visitors on content pages, allowing them to optionally attach a free-text comment to their Yes/No vote.

The module doesn't sufficiently verify authorization over the targeted feedback record when processing a comment submission.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "give feedback". Note: "give feedback" is granted to anonymous and authenticated by default on install.

Solution: 

Install the latest release:

The comment endpoint now requires an HMAC-signed token bound to the specific feedback row (issued only to the visitor who cast that vote), and a comment may be written only once, preventing both forgery of arbitrary ids and replay.

Reported By: 
Coordinated By: