CVE Catalog
CVE-2026-54826
HighCVSS 7.6Exploitation Probability (EPSS)
Low risk0.29%
21th percentile — higher than 21% of all known CVEs
Summary
The SupportCandy plugin version 3.4.6 and earlier contains an Insecure Direct Object References (IDOR) vulnerability for subscribers. This allows unauthorized access to other users' data.
Risk Assessment
The organization is at risk of leaking sensitive support ticket data, potentially violating customer privacy and compliance requirements.
Recommendation
Immediately update the SupportCandy plugin to the latest available version that fixes this vulnerability.
Original NVD description (English source)
Subscriber Insecure Direct Object References (IDOR) in SupportCandy <= 3.4.6 versions.

