CVE Catalog

CVE-2026-54826

HighCVSS 7.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile — higher than 21% of all known CVEs

Summary

The SupportCandy plugin version 3.4.6 and earlier contains an Insecure Direct Object References (IDOR) vulnerability for subscribers. This allows unauthorized access to other users' data.

Risk Assessment

The organization is at risk of leaking sensitive support ticket data, potentially violating customer privacy and compliance requirements.

Recommendation

Immediately update the SupportCandy plugin to the latest available version that fixes this vulnerability.

Original NVD description (English source)

Subscriber Insecure Direct Object References (IDOR) in SupportCandy <= 3.4.6 versions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS