VDB

CVE-2026-10708

CVE-2026-10708 PUBLISHED CVSS 7.5 HIGH

Reported by certcc · Published July 8, 2026

This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the absence of token revocation allows attackers to gather sensitive personal information from any Adalo application.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

VendorProductVersions
Adalo No-Code App BuilderApp Builder1
Adalo No-Code App BuilderApp Builder1, 1

Timeline

  • Jul 8, 2026 CVE Published
  • Jul 9, 2026 EPSS Score
  • Jul 9, 2026 Coalition ESS Score
  • Jul 9, 2026 Security Advisory
  • Jul 9, 2026 CVE Updated

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›