CRITICALCVE-2026-29204Published Modified CNA hackerone
CVE-2026-29204: Insufficient ownership check in `clientarea
Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's account.
Metrics
- CVSS v3.1
- 9.1
- Severity
- CRITICAL
- Fixed in
- 9.0.4
- Affected Products
- 1
Fix available
9.0.418.13.3
Affected packages
- WebPros / WHMCS≤ 18.12.2 · < 18.13.3 (from 18.13.0) · < 9.0.4 (from 9.0.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NReferences