Key information summary

CVE ID: CVE-2026-26973

CVSS v3 base metrics (vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
- Severity: Moderate (4.3/10)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: Low
- Availability: None

Affected versions
- All releases before 2025.12.2
- The 2026.1.0 line before 2026.1.1
- 2026.2.0 pre-release ("latest") builds before the 2026.2.0 release

Patched versions
- 2025.12.2
- 2026.1.1
- 2026.2.0

Impact
- IDOR (insecure direct object reference) in ReviewableNotesController when the setting in question is enabled: the controller resolved the reviewable from a client-supplied id without checking that the acting user is allowed to moderate it.
- Users in category moderation groups could create or delete notes on any reviewable, including reviewables outside the categories they moderate. The impact is to integrity only: no data is disclosed (Confidentiality: None) and availability is unaffected.

Mitigation
- Fixed in the patched versions above by scoping the reviewable lookup to what the requesting user may access.
- Workaround: disable the setting, which restricts reviewable notes to staff only.

Takeaway
- Moderate risk: exploitable over the network with low complexity, but it requires an authenticated account that is already in a category moderation group, and the effect is limited to tampering with moderation notes.
- Upgrade to one of the patched versions; until then, apply the workaround.
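The following is an added illustration of the bug class described above and of the lookup-scoping fix. It is plain Ruby written for this page, not Discourse's code: Reviewable, User, build_store, can_moderate? and the endpoint method names are hypothetical stand-ins, and the sample reviewables are constructed data.

```ruby
# Added example (not Discourse code): an IDOR in a reviewable-notes endpoint
# and its fix. Reviewable, User, the store and all method names are
# hypothetical; the two reviewables are constructed sample data.

Reviewable = Struct.new(:id, :category_id, :notes)
User       = Struct.new(:id, :staff, :moderated_category_ids)

class AccessDenied < StandardError; end

# Constructed sample data: two reviewables in two different categories.
def build_store
  {
    1 => Reviewable.new(1, 10, []),
    2 => Reviewable.new(2, 20, []),
  }
end

# A user may moderate a reviewable if staff, or if the reviewable's
# category is one the user's moderation group covers.
def can_moderate?(user, reviewable)
  user.staff || user.moderated_category_ids.include?(reviewable.category_id)
end

# Vulnerable shape: a coarse gate ("is this user a moderator at all?")
# followed by an unscoped lookup of the client-supplied id. Any category
# moderator can reach any reviewable.
def vulnerable_create_note(store, user, reviewable_id, text)
  raise AccessDenied unless user.staff || !user.moderated_category_ids.empty?
  reviewable = store[reviewable_id]
  raise AccessDenied if reviewable.nil?
  reviewable.notes << { user_id: user.id, text: text }
  reviewable
end

# Fixed shape: the lookup itself is bound to the acting user. An id the user
# may not moderate is handled exactly like an id that does not exist, so the
# endpoint also does not leak which reviewable ids are valid.
def find_reviewable_for(store, user, reviewable_id)
  reviewable = store[reviewable_id]
  raise AccessDenied if reviewable.nil? || !can_moderate?(user, reviewable)
  reviewable
end

def fixed_create_note(store, user, reviewable_id, text)
  reviewable = find_reviewable_for(store, user, reviewable_id)
  reviewable.notes << { user_id: user.id, text: text }
  reviewable
end

def fixed_delete_note(store, user, reviewable_id, note_index)
  reviewable = find_reviewable_for(store, user, reviewable_id)
  reviewable.notes.delete_at(note_index)
  reviewable
end

# Returns :allowed or :denied for a create-note implementation.
def outcome(endpoint, store, user, reviewable_id)
  send(endpoint, store, user, reviewable_id, "note")
  :allowed
rescue AccessDenied
  :denied
end

if $PROGRAM_NAME == __FILE__
  cat_mod = User.new(42, false, [10])   # moderates category 10 only
  puts outcome(:vulnerable_create_note, build_store, cat_mod, 2)  # prints "allowed": the IDOR
  puts outcome(:fixed_create_note, build_store, cat_mod, 2)       # prints "denied"
end
```

The point of the fix is where the authorization check lives: the vulnerable version checks a property of the user, the fixed version checks the pair (user, object) at the moment the object is resolved, so every action that goes through find_reviewable_for (create and delete alike) inherits the check.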