Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary postid to POST /admin/posttype/<POST_TYPE_ID>/drafts and overwrite the draft associated with another user's post.
{
"cwe_ids": [
"CWE-862"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10715.json",
"cna_assigner": "Fluid Attacks"
}