From 9f6c2943dc9739e6949e03e65b035e8e03ad4b7a Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Tue, 14 Apr 2026 09:20:19 -0400
Subject: [PATCH] GHSA/SYNC: 1 brand new advisory - 4/14/26

---
 gems/fat_free_crm/GHSA-9pm8-vwc5-w2hm.yml | 32 +++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 gems/fat_free_crm/GHSA-9pm8-vwc5-w2hm.yml

diff --git a/gems/fat_free_crm/GHSA-9pm8-vwc5-w2hm.yml b/gems/fat_free_crm/GHSA-9pm8-vwc5-w2hm.yml
new file mode 100644
index 0000000000..d454dcb868
--- /dev/null
+++ b/gems/fat_free_crm/GHSA-9pm8-vwc5-w2hm.yml
@@ -0,0 +1,32 @@
+---
+gem: fat_free_crm
+ghsa: 9pm8-vwc5-w2hm
+url: https://github.com/fatfreecrm/fat_free_crm/security/advisories/GHSA-9pm8-vwc5-w2hm
+title:
+  Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated
+  user can hit this endpoint and delete emails by ID
+date: 2026-04-14
+description: |
+  Fat Free CRM has BOLA (Broken Object Level Authorization) in
+  DELETE /emails/:id - Any authenticated user can hit this
+  endpoint and delete emails by ID
+
+  ### Impact
+
+  Authenticated users can delete emails imported into the system
+  assigned to another user; where the
+  [Email Dropbox](https://github.com/fatfreecrm/fat_free_crm/wiki/Email-Dropbox)
+  is in use.
+
+  ### Workarounds
+
+  Disable use of email dropbox.
+cvss_v3: 2.1
+patched_versions:
+  - ">= 0.26.0"
+related:
+  url:
+    - https://rubygems.org/gems/fat_free_crm/versions/0.26.0
+    - https://github.com/fatfreecrm/fat_free_crm/releases/tag/v0.26.0
+    - https://github.com/fatfreecrm/fat_free_crm/security/advisories/GHSA-9pm8-vwc5-w2hm
+    - https://github.com/advisories/GHSA-9pm8-vwc5-w2hm
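Review bot: `cvss_v3: 2.1` records only the base score, so a reader of this entry cannot see which metrics (attack vector, privileges required, integrity impact) produced a Low rating for an authorization flaw that lets any authenticated user delete another user's records. If the upstream GHSA publishes a vector string, a YAML comment beside the score, `cvss_v3: 2.1 # <CVSS-VECTOR-FROM-GHSA>`, would let reviewers check the number against the described impact. Separately, the entry has `patched_versions` but no `unaffected_versions`, which marks every release before 0.26.0 as affected; if the Email Dropbox feature the impact depends on was added after the earliest releases, an `unaffected_versions` range would avoid flagging versions that never shipped it. That is inferred from the description's "where the Email Dropbox is in use" wording and should be confirmed against the project's release history before adding it.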