rubysec · jasnow · Jun 29, 2026 · simi · Jun 29, 2026
diff --git a/gems/camaleon_cms/CVE-2026-10715.yml b/gems/camaleon_cms/CVE-2026-10715.yml
@@ -0,0 +1,25 @@
+---
+gem: camaleon_cms
+cve: 2026-10715
+ghsa: vg43-9r8m-q2cc
+url: https://nvd.nist.gov/vuln/detail/CVE-2026-10715
+title: Camaleon CMS 2.9.2 contains an improper authorization
+date: 2026-06-12
+description: |
+  Camaleon CMS 2.9.2 contains an improper authorization vulnerability
+  in the administrator draft autosave endpoint. A low-privileged
+  authenticated user can send an arbitrary post_id to
+  POST /admin/post_type/<POST_TYPE_ID>/drafts and overwrite
+  the draft associated with another user's post.
+cvss_v4: 5.1
+patched_versions:
+  - ">= 2.9.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-10715
+    - https://rubygems.org/gems/camaleon_cms/versions/2.9.2
+    - https://github.com/owen2345/camaleon-cms/releases/tag/2.9.2
+    - https://fluidattacks.com/es/advisories/billie
+    - https://github.com/advisories/GHSA-vg43-9r8m-q2cc
+notes: |
+  - GHSA is unreviewed.