{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-53901/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-11T14:03:02.026Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-53901","@id":"https://www.cve.org/CVERecord?id=CVE-2026-53901","description":"Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add path. The add() handler attempted to remove an attacker-supplied id from $params before normalizing the request through __massageInput(). Because the normalized $input could still contain an id field, a user able to reach an affected add endpoint could supply an identifier that should have been server-controlled.\n\nSuccessful exploitation could allow creation of objects with attacker-chosen identifiers."},"products":[{"@id":"cpe:2.3:a:cerebrate:cerebrate:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:cerebrate:cerebrate:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update Cerebrate to version 1.37 or later, which contains the fix.","timestamp":"2026-06-11T14:03:02.026Z"}]}