CVE-2026-4982

Name: CVE-2026-4982
Creator: NVD / NIST
Published: 2026-03-27T13:16:25.297+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.3/10EPSS 0.25%

Last modified Jun 17, 2026

This CVE is reserved or awaiting analysis. Details will appear once published by NVD.

Description

A user with permission "update world" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature. The exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages.

Metrics

CVSS 4.0

7.3/10

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.25%

15.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-20

References

https://github.com/venueless/venueless/security/advisories/GHSA-6fq7-pgj3-6cfp

Timeline

Published: Mar 27, 2026
Last Modified: Jun 17, 2026
Status: Awaiting Analysis

Are you affected by CVE-2026-4982?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST