This vulnerability (CVE-2026-54837) affects Intranet & Private Site – All-In-One Intranet plugin versions up to 1.8.1. It is classified as CWE-862 (Missing Authorization), meaning the software fails to properly restrict access to certain functionality or data. The flaw allows unauthenticated attackers to bypass access controls and gain unauthorized read access to sensitive information. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, and high confidentiality impact with no integrity or availability impact. No patch or official fix has been published yet, and the vendor has not provided remediation details. The product is not a cloud service, so remediation depends on vendor updates or user-applied fixes.

An unauthenticated attacker can bypass access controls to access sensitive information within the affected plugin, leading to a high confidentiality impact. There is no impact on integrity or availability. This could expose private intranet data to unauthorized parties.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation is currently available, users should monitor vendor communications for updates. Restricting access to the plugin or disabling it until a fix is released may reduce risk.