GHSA-9pm8-vwc5-w2hm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9pm8-vwc5-w2hm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-9pm8-vwc5-w2hm/GHSA-9pm8-vwc5-w2hm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9pm8-vwc5-w2hm
- Published
- 2026-04-14T01:07:01Z
- Modified
- 2026-04-14T01:25:46.759995Z
- Severity
-
- 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID
- Details
-
Impact
Authenticated users can delete emails imported into the system assigned to another user; where the Email Dropbox is in use.
Patches
Fixed in v0.26.0
Workarounds
Disable use of email dropbox.
- Database specific
{ "nvd_published_at": null, "severity": "LOW", "github_reviewed_at": "2026-04-14T01:07:01Z", "cwe_ids": [ "CWE-639" ], "github_reviewed": true }- References
Affected packages
RubyGems / fat_free_crm
Package
- Name
- fat_free_crm
- Purl
- pkg:gem/fat_free_crm
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.26.0
Affected versions
0.*
0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.12.0
0.12.1
0.12.2
0.12.3
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.14.0
0.14.1
0.14.2
0.15.0.beta
0.15.0.beta.2
0.15.0
0.15.1
0.15.2
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.17.1
0.17.2
0.17.3
0.18.0
0.18.1
0.18.2
0.19.0
0.19.2
0.20.0
0.20.1
0.21.0
0.22.0
0.22.1
0.23.0
0.24.0
0.24.1
0.24.2
0.24.3
0.25.0