VDB
CVE-2026-10708
CVE-2026-10708
PUBLISHED
CVSS 7.5 HIGH
Reported by certcc · Published July 8, 2026
This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the absence of token revocation allows attackers to gather sensitive personal information from any Adalo application.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Adalo No-Code App Builder | App Builder | 1 |
| Adalo No-Code App Builder | App Builder | 1, 1 |
Timeline
- Jul 8, 2026 CVE Published
- Jul 9, 2026 EPSS Score
- Jul 9, 2026 Coalition ESS Score
- Jul 9, 2026 Security Advisory
- Jul 9, 2026 CVE Updated