CWE-266— Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.— MITRE CWE catalog
987 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-266page 15 of 20
- CVE-2026-1106MEDIUMCVSS 5.4EG 5.42026-01-18
A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation…
- CVE-2026-1112MEDIUMCVSS 5.4EG 5.42026-01-18
A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deleti…
- CVE-2026-11336MEDIUMCVSS 6.3EG 6.32026-06-05
A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the com…
- CVE-2026-1141MEDIUMCVSS 6.3EG 6.32026-01-19
A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The atta…
- CVE-2026-11438MEDIUMCVSS 6.3EG 6.32026-06-06
A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The a…
- CVE-2026-11439MEDIUMCVSS 6.3EG 6.32026-06-06
A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in i…
- CVE-2026-11440MEDIUMCVSS 6.3EG 6.32026-06-06
A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes im…
- CVE-2026-11441MEDIUMCVSS 6.3EG 6.32026-06-06
A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper a…
- CVE-2026-11462HIGHCVSS 7.3EG 7.32026-06-07
A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. This impacts the function callback of the file plugins/Stripe/Controllers/StripeController.php of the component Stripe Plugin. Performing a manipul…
- CVE-2026-11466MEDIUMCVSS 5.4EG 5.42026-06-07
A weakness has been identified in zilliztech deep-searcher up to 0.0.2. This affects the function CollectionRouter.invoke of the file deepsearcher/agent/collection_router.py. This manipulation of the argument kwargs causes improper access …
- CVE-2026-11476MEDIUMCVSS 6.3EG 6.32026-06-08
A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component…
- CVE-2026-11492HIGHCVSS 8.8EG 4.32026-06-08
A security flaw has been discovered in D-Link DIR-823G 1.0.2B05. The affected element is an unknown function of the file /etc/vsftpd.conf of the component vsftpd. Performing a manipulation results in least privilege violation. The attack c…
- CVE-2026-11494MEDIUMCVSS 4.3EG 4.32026-06-08
A security vulnerability has been detected in TOTOLINK AC1200 T8 4.1.5cu.8611. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation leads to least privilege violation. The attack may be in…
- CVE-2026-11497HIGHCVSS 8.8EG 5.32026-06-08
A vulnerability has been found in D-Link DCS-5615 1.01.00. Affected by this vulnerability is an unknown functionality of the file /etc/conf.d/boa/boa.conf of the component Boa Webserver. Such manipulation leads to least privilege violation…
- CVE-2026-11519MEDIUMCVSS 6.3EG 6.32026-06-08
A security flaw has been discovered in SourceCodester Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /Product_Inventory/api/users_handler.php of the component Account Creation Handler. The mani…
- CVE-2026-11521MEDIUMCVSS 6.3EG 6.32026-06-08
A security vulnerability has been detected in Mohammed-eid35 bank-management-system-springboot up to 7b9bcc65ad7df3db29af71aed9bb500e5f24d948. This affects an unknown part of the file src/main/java/com/alien/bank/management/system/controll…
- CVE-2026-11532MEDIUMCVSS 6.3EG 6.32026-06-08
A weakness has been identified in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected is an unknown function of the file /add.php of the component Student Record Handler. Executing a manipulation can…
- CVE-2026-11533MEDIUMCVSS 5.4EG 5.42026-06-08
A security vulnerability has been detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this vulnerability is an unknown functionality of the file /see.php of the component Student Delet…
- CVE-2026-11554MEDIUMCVSS 4.3EG 4.32026-06-08
A vulnerability was determined in TOTOLINK CP450 4.1.0cu.747. This vulnerability affects unknown code of the file /etc/vsftpd.conf of the component vsftpd. This manipulation causes least privilege violation. The attack may be initiated rem…
- CVE-2026-11555HIGHCVSS 7.5EG 3.72026-06-08
A vulnerability was identified in D-Link DGS-1100-08PD 1.00.006. This issue affects some unknown processing of the file /etc/boa.conf of the component Web Interface. Such manipulation leads to least privilege violation. The attack may be l…
- CVE-2026-11619MEDIUMCVSS 6.3EG 6.32026-06-09
A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads t…
- CVE-2026-11620MEDIUMCVSS 5.3EG 5.32026-06-09
A security flaw has been discovered in TOTOLINK EX200 4.0.3c.7646. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation results in least privilege violation. It is possible to launch the a…
- CVE-2026-1193MEDIUMCVSS 6.3EG 6.32026-01-19
A vulnerability was identified in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. The attack is possible to be…
- CVE-2026-12164MEDIUMCVSS 4.4EG 4.42026-06-23
Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0 may assign incorrect or elevated effective permissions to users created by the tetool import command while FIM is running, particularly when th…
- CVE-2026-12201MEDIUMCVSS 5.3EG 5.32026-06-15
A flaw has been found in IObit Malware Fighter up to 13.2.0. Affected by this vulnerability is an unknown functionality of the component DLL Handler. This manipulation causes permission issues. The attack requires local access. The exploit…
- CVE-2026-12212MEDIUMCVSS 4.3EG 4.32026-06-15
A vulnerability has been found in hcengineering Huly Platform up to 0.7.0. Affected is the function getMailboxSecret of the file server/account/src/operations.ts of the component RPC Interface. The manipulation leads to improper access con…
- CVE-2026-12213MEDIUMCVSS 4.3EG 4.32026-06-15
A vulnerability was found in hcengineering Huly Platform up to 0.7.0. Affected by this vulnerability is the function getAccountInfo of the file server/account/src/operations.ts of the component User Information Handler. The manipulation re…
- CVE-2026-12217HIGHCVSS 7.8EG 7.82026-06-15
A security vulnerability has been detected in DVDFab Virtual Drive 2.0.0.5. Impacted is an unknown function in the library dvdfabio.sys of the component Signed Kernel Driver. The manipulation leads to improper privilege management. An atta…
- CVE-2026-12289HIGHCVSS 8.8EG 8.82026-06-16
Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
- CVE-2026-12294CRITICALCVSS 9.6EG 9.62026-06-16
Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
- CVE-2026-12388MEDIUMCVSS 6.5EG 6.52026-06-30
A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity pro…
- CVE-2026-12529HIGHCVSS 7.3EG 7.32026-06-17
A security vulnerability has been detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. Affected is an unknown function of the file /index.php of the component Student Self-Registration Endpoint. The man…
- CVE-2026-12770HIGHCVSS 8.8EG 5.42026-06-21
A vulnerability was determined in BerriAI litellm up to 1.63.1. The impacted element is an unknown function of the file litellm/proxy/management_endpoints/key_management_endpoints.py of the component Admin Key Handler. This manipulation ca…
- CVE-2026-12771HIGHCVSS 7.5EG 5.02026-06-21
A vulnerability was identified in BerriAI litellm up to 1.82.2. This affects an unknown function of the file litellm/proxy/auth/user_api_key_auth.py of the component M2M JWT Handler. Such manipulation leads to improper authorization. The a…
- CVE-2026-12778HIGHCVSS 7.8EG 7.82026-06-21
A vulnerability has been found in AOMEI Partition Assistant up to 10.10.1. This vulnerability affects unknown code in the library ampa10.sys of the component Kernel Driver. Such manipulation leads to improper access controls. The attack mu…
- CVE-2026-12779HIGHCVSS 7.8EG 7.82026-06-21
A vulnerability was found in AOMEI Dynamic Disk Manager up to 10.10.1. This issue affects some unknown processing in the library ddmdrv.sys of the component Kernel Driver. Performing a manipulation results in improper access controls. The …
- CVE-2026-12780HIGHCVSS 7.8EG 7.82026-06-21
A vulnerability was determined in AOMEI Backupper up to 8.3.0. Impacted is an unknown function in the library amwrtdrv.sys of the component Kernel Driver. Executing a manipulation can lead to improper access controls. The attack needs to b…
- CVE-2026-12781HIGHCVSS 7.8EG 7.82026-06-21
A vulnerability was identified in EaseUS Partition Master up to 14.5. The affected element is an unknown function in the library epmntdrv.sys of the component Kernel Driver. The manipulation leads to improper access controls. The attack ne…
- CVE-2026-12782HIGHCVSS 7.8EG 7.82026-06-21
A security flaw has been discovered in EaseUS Partition Master up to 14.5. The impacted element is an unknown function in the library EUEDKEPM.sys of the component Kernel Driver. The manipulation results in improper access controls. The at…
- CVE-2026-12784HIGHCVSS 7.8EG 7.82026-06-21
A weakness has been identified in IM-Magic Partition Resizer up to 7.9.0. This affects an unknown function in the library MDA_NTDRV.sys of the component Kernel Driver. This manipulation causes improper access controls. The attack requires …
- CVE-2026-12786HIGHCVSS 7.8EG 7.82026-06-21
A vulnerability has been found in Ezbsystems UltraISO Premium Edition up to 9.76. Affected by this issue is some unknown functionality in the library bootpt64.sys of the component Kernel Driver. The manipulation leads to improper access co…
- CVE-2026-12799MEDIUMCVSS 4.3EG 4.32026-06-21
A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this issue is the function ui_view_users of the file litellm/proxy/management_endpoints/internal_user_endpoints.py of the component Incomplete Fix CVE-…
- CVE-2026-12823LOWCVSS 3.3EG 3.32026-06-22
A security flaw has been discovered in Browserbase Skills up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. The attack requires a…
- CVE-2026-13511LOWCVSS 3.1EG 3.12026-06-28
A vulnerability was determined in VoltAgent up to 2.1.17. Affected by this issue is the function handleGetMemoryConversation of the file packages/server-core/src/handlers/memory.handlers.ts of the component Memory REST API. Executing a man…
- CVE-2026-13524MEDIUMCVSS 5.6EG 5.62026-06-29
A security vulnerability has been detected in CherryHQ cherry-studio up to 1.9.6. This vulnerability affects unknown code of the file src/main/services/mcp/oauth/callback.ts of the component MCP OAuth Local Callback Server. The manipulatio…
- CVE-2026-13544MEDIUMCVSS 6.3EG 6.32026-06-29
A flaw has been found in Feehi CMS up to 2.1.1. Affected by this issue is some unknown functionality of the file /api/users of the component API. This manipulation causes improper access controls. The attack can be initiated remotely. The …
- CVE-2026-13568HIGHCVSS 7.3EG 7.32026-06-29
A weakness has been identified in SourceCodester Inventory Management System 1.0. This vulnerability affects unknown code of the file /api/users_handler.php of the component User Registration Endpoint. This manipulation of the argument rol…
- CVE-2026-13591MEDIUMCVSS 5.0EG 5.02026-06-29
A weakness has been identified in DeepMyst Mysti 0.4.0. Affected is the function _isTrackedConversation of the file src/managers/ChannelBridge.ts of the component Contact Tracking. This manipulation of the argument _channelType causes impr…
- CVE-2026-1411MEDIUMCVSS 6.1EG 6.12026-01-26
A flaw has been found in Beetel 777VR1 up to 01.00.09/01.00.09_55. The affected element is an unknown function of the component UART Interface. This manipulation causes improper access controls. It is feasible to perform the attack on the …
- CVE-2026-14690HIGHCVSS 7.3EG 7.32026-07-05
A weakness has been identified in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This affects the function save_users of the file classes/Users.php. This manipulation causes improper authorization. Remote exploitation of…
Map vulnerabilities like CWE-266 to your infrastructure
EchelonGraph correlates every CVE — across CWE-266 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →