What the vulnerability does
01Description
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fiorello fiorello allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fiorello: from n/a through <= 1.0.
Explanation of Vulnerability in Simple Terms
02Summary
Fiorello versions 1.0 and earlier contain an authorization flaw of the class named in the record, Authorization Bypass Through User-Controlled Key (CWE-639): the theme acts on an object identifier supplied in the request without verifying that the requesting user is actually permitted to act on that object. Any authenticated user, including one with a low-privilege account, can therefore alter data or disable site functionality that should require higher privileges. Exploitation needs valid login credentials but no interaction from any other user.
What an attacker can do
03Attacker Capabilities
Modify site data or disrupt availability after logging in with any account, including a low-privilege one, by supplying the identifier of an object the account is not entitled to change.
Potential impact on your site
04Site Impact
Authenticated users can alter content or cause service disruption beyond their intended permissions.
Conditions required to exploit
05Prerequisites
Attacker must have a valid user account on the site; a low-privilege account is sufficient. On sites that allow open registration, such an account can be created by the attacker.
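To make the CWE-639 pattern described above concrete, the following is an added illustration and is not Fiorello's code or any Mikado-Themes code. It assumes the affected product is a WordPress theme and shows a hypothetical AJAX handler in its vulnerable form beside a hardened form; the action names, option name, parameter names and capability choices are all assumptions made for the example.

```php
<?php
// Added example, not code from the Fiorello theme. Two hypothetical admin-ajax
// handlers illustrating Authorization Bypass Through User-Controlled Key.
// The wp_ajax_ prefix fires for every logged-in user (including subscribers),
// which matches the "valid login, low privilege" prerequisite in the advisory.

// --- Vulnerable pattern (assumed): the handler trusts the caller-supplied key. ---
add_action( 'wp_ajax_example_toggle_item_insecure', 'example_toggle_item_vulnerable' );
function example_toggle_item_vulnerable() {
    $post_id = absint( $_POST['post_id'] ?? 0 );          // user-controlled key
    $status  = sanitize_key( $_POST['status'] ?? 'draft' );

    // No nonce check and no per-object capability check: any authenticated user
    // can unpublish a post they do not own, or flip a site-wide feature flag.
    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );
    if ( isset( $_POST['enabled'] ) ) {
        update_option( 'example_feature_enabled', '1' === $_POST['enabled'] ? '1' : '0' );
    }
    wp_send_json_success();
}

// --- Hardened pattern: same user-supplied key, decision made per object. ---
add_action( 'wp_ajax_example_toggle_item', 'example_toggle_item_hardened' );
function example_toggle_item_hardened() {
    // 1. CSRF: the request must carry a nonce minted with
    //    wp_create_nonce( 'example_toggle_item' ) for this exact action.
    check_ajax_referer( 'example_toggle_item', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $status  = sanitize_key( $_POST['status'] ?? 'draft' );

    // 2. Object-level authorization: the key is still user-controlled, but the
    //    check is made against THIS user's rights on THAT object.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Limit the writable values to what the feature actually needs.
    if ( ! in_array( $status, array( 'publish', 'draft' ), true ) ) {
        wp_send_json_error( 'bad status', 400 );
    }
    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );

    // 4. Site-wide settings require a site-wide capability, not merely a login.
    if ( isset( $_POST['enabled'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        update_option( 'example_feature_enabled', '1' === $_POST['enabled'] ? '1' : '0' );
    }
    wp_send_json_success();
}
```

The point to carry over when reviewing a theme or plugin is that `absint()` and `sanitize_key()` only make the key well-formed; they say nothing about whether the caller may use it. The authorization decision lives in `current_user_can()` with the specific object ID (a meta-capability such as `edit_post`) and, for site-wide state, a capability like `manage_options`. A handler that registers `wp_ajax_nopriv_` as well would drop the login prerequisite entirely, which is not what this record describes.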
Key dates
06Disclosure timeline
January 22, 2026
CVE published
April 28, 2026
Record updated