Product
An authorization bypass vulnerability, CVE-2026-39903, exists in Simple Machines Forum versions 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5, allowing a low-privileged, authenticated user to exploit a single-character operator error in 'Sources/Actions/AttachmentApprove.php' to bypass permission checks, enabling them to approve, reject, or delete any pending attachments across boards, circumvent moderation queues for their own uploads, and enumerate or delete other users' pending attachments without the required 'approve_posts' permission.