Another bug I found in ProfileGrid was disclosed this week. Broken access control!
cryptocat.me/blog/researc...
Root cause analysis of CVE-2026-4609 in ProfileGrid, where a nonce-only AJAX invite flow lets Subscriber-level users add themselves or other registered users to closed and paid groups.