CVE-2026-57321
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
The H5P plugin version 1.17.7 and earlier contains a vulnerability allowing a contributor to delete arbitrary files on the server. The flaw is due to insufficient permission validation during file deletion operations.
Risk Assessment
An attacker with contributor role can delete critical system files or data, leading to service disruption, data loss, or full server compromise.
Recommendation
Immediately update the H5P plugin to the latest available version that fixes this vulnerability. If an update is not possible, restrict contributor permissions to the minimum or temporarily disable the file deletion functionality.
Original NVD description (English source)
Contributor Arbitrary File Deletion in H5P <= 1.17.7 versions.

