CWE-266— Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.— MITRE CWE catalog
988 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-266page 16 of 20
- CVE-2026-14693MEDIUMCVSS 5.4EG 5.42026-07-05
A flaw has been found in SourceCodester Multi-Vendor Online Grocery Management System 1.0. Affected by this vulnerability is the function cancel_order of the file classes/Master.php. Executing a manipulation can lead to improper authorizat…
- CVE-2026-14719HIGHCVSS 7.3EG 7.32026-07-05
A flaw has been found in SourceCodester Onlne Examination & Learning Management System 1.0. The impacted element is an unknown function of the file register.php of the component Registration Endpoint. Executing a manipulation of the argume…
- CVE-2026-14778HIGHCVSS 7.3EG 7.32026-07-05
A security vulnerability has been detected in SourceCodester Onlne Examination & Learning Management System 1.0. This affects an unknown part of the file /ajax_enroll.php of the component Enrollment Management. The manipulation of the argu…
- CVE-2026-14792MEDIUMCVSS 6.5EG 6.52026-07-06
A security vulnerability has been detected in Formbricks 5.0.0. This impacts an unknown function of the file apps/web/modules/survey/link/actions.ts of the component Survey Handler. The manipulation leads to improper access controls. Remot…
- CVE-2026-14794MEDIUMCVSS 4.3EG 4.32026-07-06
A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument us…
- CVE-2026-15188MEDIUMCVSS 6.3EG 6.32026-07-09
A weakness has been identified in manjurulhoque django-job-portal up to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f. Affected by this vulnerability is the function EditEmployeeProfileAPIView of the file accounts/api/views.py of the component …
- CVE-2026-15270HIGHCVSS 7.5EG 7.52026-07-09
A weakness has been identified in D-link DIR-823G 1.0.2B05_20181207. Affected by this vulnerability is an unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. Executing a manipulation can lead to least privil…
- CVE-2026-15271HIGHCVSS 7.5EG 7.52026-07-09
A security vulnerability has been detected in TOTOLINK A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10 and EX200 up to 20260906. Affected by this issue is some unknown functionality of the file /etc/boa/boa.conf of the component Web …
- CVE-2026-15319HIGHCVSS 7.3EG 7.32026-07-10
A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access con…
- CVE-2026-15373MEDIUMCVSS 6.3EG 6.32026-07-10
A vulnerability was detected in Eleveo Call Recording Software 9.7.0. The impacted element is an unknown function of the file /callrec/userAddAction.do. Performing a manipulation of the argument role results in improper authorization. It i…
- CVE-2026-15374MEDIUMCVSS 6.3EG 6.32026-07-10
A flaw has been found in Eleveo Call Recording Software 9.7.0. This affects an unknown function of the file /callrec/roleAddAction.do of the component Group Interface. Executing a manipulation can lead to improper authorization. It is poss…
- CVE-2026-15375MEDIUMCVSS 4.3EG 4.32026-07-10
A vulnerability has been found in Eleveo Call Recording Software 9.7.0. This impacts an unknown function of the file /callrec/users_ldap.jsp of the component LDAP User Interface. The manipulation leads to improper authorization. The attack…
- CVE-2026-15376MEDIUMCVSS 6.3EG 6.32026-07-10
A vulnerability was found in Eleveo Call Recording Software 9.7.0. Affected is an unknown function of the file /callrec/statisticReportAction.do. The manipulation results in improper authorization. The attack can be launched remotely. The …
- CVE-2026-15377MEDIUMCVSS 4.3EG 4.32026-07-10
A vulnerability was determined in Eleveo Call Recording Software 9.7.0. Affected by this vulnerability is an unknown functionality of the file /callrec/sendlogfile. This manipulation causes improper authorization. The attack may be initiat…
- CVE-2026-15470MEDIUMCVSS 4.3EG 4.32026-07-11
A vulnerability has been found in Eleveo Call Recording Software 9.7.0. Affected by this issue is some unknown functionality of the file /callrec/group.jsp. Such manipulation leads to improper authorization. The attack may be launched remo…
- CVE-2026-15471MEDIUMCVSS 4.3EG 4.32026-07-12
A vulnerability was found in Eleveo Call Recording Software 9.7.0. This affects an unknown part of the file /callrec/pci_dss_status.jsp. Performing a manipulation results in improper authorization. Remote exploitation of the attack is poss…
- CVE-2026-15472MEDIUMCVSS 4.3EG 4.32026-07-12
A vulnerability was determined in Eleveo Call Recording Software 9.7.0. This vulnerability affects unknown code of the file /callrec/composeEmailAction.do. Executing a manipulation can lead to improper authorization. The attack can be exec…
- CVE-2026-15473MEDIUMCVSS 6.3EG 6.32026-07-12
A vulnerability was identified in Eleveo Call Recording Software 9.7.0. This issue affects some unknown processing of the file /callrec/restoreCallAction.do of the component Recorded Calls Page. The manipulation leads to improper authoriza…
- CVE-2026-15474MEDIUMCVSS 4.3EG 4.32026-07-12
A security flaw has been discovered in Eleveo Call Recording Software 9.7.0. Impacted is an unknown function of the file /callrec/audio.jsp of the component Call Recording Handler. The manipulation of the argument callId results in imprope…
- CVE-2026-15475MEDIUMCVSS 5.3EG 5.32026-07-12
A weakness has been identified in MiniTool Partition Wizard up to 13.6. The affected element is an unknown function in the library pwdrvio.sys of the component Signed Kernel Driver. This manipulation causes improper access controls. The at…
- CVE-2026-15476MEDIUMCVSS 5.3EG 5.32026-07-12
A security vulnerability has been detected in QILING Disk Master 6.0.0.0. The impacted element is an unknown function in the library diskbckp.sys of the component Kernel Driver. Such manipulation leads to improper access controls. The atta…
- CVE-2026-15499MEDIUMCVSS 6.3EG 6.32026-07-12
A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/cron_tools.py of the component Scheduled Task Handler. Performing a manipulation of the ar…
- CVE-2026-1550MEDIUMCVSS 6.3EG 6.32026-01-28
A security flaw has been discovered in PHPGurukul Hospital Management System 1.0. Affected by this issue is some unknown functionality of the file /hms/hospital/docappsystem/adminviews.py of the component Admin Dashboard Page. Performing a…
- CVE-2026-1597MEDIUMCVSS 6.3EG 6.32026-01-29
A vulnerability has been found in Bdtask SalesERP up to 20260116. This issue affects some unknown processing of the component Administrative Endpoint. Such manipulation of the argument ci_session leads to improper authorization. The attack…
- CVE-2026-1702MEDIUMCVSS 6.3EG 6.32026-01-30
A vulnerability was detected in SourceCodester Pet Grooming Management Software 1.0. Impacted is an unknown function of the file /admin/operation/user.php of the component User Management. Performing a manipulation of the argument group_id…
- CVE-2026-1733MEDIUMCVSS 4.3EG 4.32026-02-01
A vulnerability was identified in Zhong Bang CRMEB up to 5.6.3. This affects the function detail/tidyOrder of the file /api/store_integral/order/detail/:uni. The manipulation of the argument order_id leads to improper authorization. The at…
- CVE-2026-1892MEDIUMCVSS 5.0EG 5.02026-02-04
A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.js of the component REST API. Such manipulation of the argument item.cardId/item.checklistId/card.boardId lead…
- CVE-2026-1894MEDIUMCVSS 6.3EG 6.32026-02-04
A vulnerability was detected in WeKan up to 8.20. This impacts an unknown function of the file models/checklistItems.js of the component REST API. Performing a manipulation of the argument item.cardId/item.checklistId/card.boardId results …
- CVE-2026-1895MEDIUMCVSS 6.3EG 6.32026-02-04
A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimit of the file models/lists.js of the component Attachment Storage Handler. Executing a manipulation can lead to improper access controls. The attack can be exe…
- CVE-2026-1896MEDIUMCVSS 6.3EG 6.32026-02-05
A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The m…
- CVE-2026-1898MEDIUMCVSS 6.3EG 6.32026-02-05
A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.js of the component LDAP User Sync. This manipulation causes improper access controls. It is possible to initi…
- CVE-2026-1962MEDIUMCVSS 6.3EG 6.32026-02-05
A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack…
- CVE-2026-1963MEDIUMCVSS 6.3EG 6.32026-02-05
A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access controls. The attack may be launched remotel…
- CVE-2026-1964MEDIUMCVSS 4.3EG 4.32026-02-05
A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component REST Endpoint. This manipulation causes improper access controls. Remote exploitation of the attack is possi…
- CVE-2026-2009MEDIUMCVSS 6.3EG 6.32026-02-06
A flaw has been found in SourceCodester Gas Agency Management System 1.0. This issue affects some unknown processing of the file /gasmark/php_action/createUser.php. Executing a manipulation can lead to improper access controls. It is possi…
- CVE-2026-2010MEDIUMCVSS 4.2EG 4.22026-02-06
A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.ja…
- CVE-2026-2015MEDIUMCVSS 6.3EG 6.32026-02-06
A weakness has been identified in Portabilis i-Educar up to 2.10. Affected is an unknown function of the file FinalStatusImportService.php of the component Final Status Import. Executing a manipulation of the argument school_id can lead to…
- CVE-2026-2075MEDIUMCVSS 6.3EG 6.32026-02-07
A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected is the function saveRolePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.…
- CVE-2026-2076MEDIUMCVSS 6.3EG 6.32026-02-07
A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this vulnerability is the function addUser/updateUser/deleteUser of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sy…
- CVE-2026-2077MEDIUMCVSS 6.3EG 6.32026-02-07
A security vulnerability has been detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function addRole/updateRole/deleteRole of the file dataset\repos\warehouse\src\main\java\com\yeqif…
- CVE-2026-2078MEDIUMCVSS 6.3EG 6.32026-02-07
A vulnerability was detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addPermission/updatePermission/deletePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\con…
- CVE-2026-2079MEDIUMCVSS 6.3EG 6.32026-02-07
A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addMenu/updateMenu/deleteMenu of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\Men…
- CVE-2026-20804HIGHCVSS 7.7EG 7.72026-01-13
Incorrect privilege assignment in Windows Hello allows an unauthorized attacker to perform tampering locally.
- CVE-2026-20852HIGHCVSS 7.7EG 7.72026-01-13
Incorrect privilege assignment in Windows Hello allows an unauthorized attacker to perform tampering locally.
- CVE-2026-2105MEDIUMCVSS 6.3EG 6.32026-02-07
A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The affected element is the function addDept/updateDept/deleteDept of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\DeptCo…
- CVE-2026-2106MEDIUMCVSS 6.3EG 6.32026-02-07
A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The impacted element is the function addNotice/updateNotice/deleteNotice/batchDeleteNotice of the file dataset\repos\warehouse\src\main\java…
- CVE-2026-2107MEDIUMCVSS 6.3EG 6.32026-02-07
A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function loadAllLoginfo/deleteLoginfo/batchDeleteLoginfo of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\contro…
- CVE-2026-2109MEDIUMCVSS 5.4EG 5.42026-02-07
A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. T…
- CVE-2026-2141MEDIUMCVSS 6.3EG 6.32026-02-08
A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Perfo…
- CVE-2026-2206MEDIUMCVSS 6.3EG 6.32026-02-08
A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper …
Map vulnerabilities like CWE-266 to your infrastructure
EchelonGraph correlates every CVE — across CWE-266 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →