CVE-2026-32097 · HIGH 8.8 · EPSS p20.3%


Description

PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploaded files and model-generated output files. Exploitation required authentication and permission to view at least one thread for retrieval, and authentication and permission to participate in at least one thread for deletion. This vulnerability is fixed in 7.27.2.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.29% probability of exploitation · percentile 20.3% · 2026-06-19T12:03:05Z
Published: 2026-03-11
Last modified: 2026-03-16

Underlying weaknesses · 1

CWE-639

References

  1. https://github.com/comppolicylab/pingpong/security/advisories/GHSA-4wwr-5wq7-mgm4


| Type | Target | Confidence | Tier |
| --- | --- | --- | --- |
| Weakness | Authorization Bypass Through User-Controlled Key (cwe-639) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-22137
  2. CVE-2026-21445
  3. CVE-2025-45150
  4. CVE-2026-0558
  5. CVE-2026-29070
  6. CVE-2026-44196

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.