CVE-2026-4171 | CodeGenieApp serverless-express up to 4.17.1 API Endpoint TodoList.ts userId authorization

A vulnerability classified as critical has been found in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to authorization bypass.

This vulnerability is uniquely identified as CVE-2026-4171. The attack is possible to be carried out remotely. Moreover, an exploit is present.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-4171 | CodeGenieApp serverless-express up to 4.17.1 API Endpoint TodoList.ts userId authorization

Post correlati

CVE-2022-42539 | Google Android information disclosure

CVE-2023-37898 | laurent22 joplin up to 2.12.8 MarkupToHtml.ts child_process cross site scripting (GHSA-hjmq-3qh4-g2r8)

CVE-2022-49850 | Linux Kernel up to 6.0.8 nilfs_count_free_blocks deadlock

CVE-2025-14616 | Recooty Plugin up to 1.0.6 on WordPress recooty_save_maybe cross-site request forgery