CWE-266— Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.— MITRE CWE catalog
988 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-266page 20 of 20
- CVE-2026-6634MEDIUMCVSS 6.3EG 6.32026-04-20
A weakness has been identified in usememos memos up to 0.22.1. This affects the function memos_access_token of the file src/App.tsx of the component UpdateInstanceSetting. This manipulation of the argument additionalStyle/additionalScript …
- CVE-2026-6750HIGHCVSS 8.8EG 5.32026-04-21
Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
- CVE-2026-6977HIGHCVSS 7.3EG 7.32026-04-25
A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attac…
- CVE-2026-7091MEDIUMCVSS 6.3EG 6.32026-04-27
A flaw has been found in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /user of the component User Management Handler. This manipulation causes improper authorization. Remote exploitation of the …
- CVE-2026-7092MEDIUMCVSS 6.3EG 6.32026-04-27
A vulnerability has been found in code-projects Invoice System in Laravel 1.0. Affected is an unknown function of the file /profile/ of the component Profile Handler. Such manipulation of the argument ID leads to improper authorization. Th…
- CVE-2026-7093MEDIUMCVSS 6.3EG 6.32026-04-27
A vulnerability was found in code-projects Invoice System in Laravel 1.0. Affected by this vulnerability is an unknown functionality of the file /invoice/ of the component Invoice Endpoint. Performing a manipulation of the argument ID resu…
- CVE-2026-7109MEDIUMCVSS 5.3EG 5.32026-04-27
A vulnerability was detected in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /item of the component API Endpoint. Performing a manipulation results in improper authorization. It is possible to i…
- CVE-2026-7142MEDIUMCVSS 6.3EG 6.32026-04-27
A vulnerability was determined in Wooey up to 0.13.2. The impacted element is the function add_or_update_script of the file wooey/api/scripts.py of the component API Endpoint. Executing a manipulation can lead to improper authorization. It…
- CVE-2026-7292MEDIUMCVSS 5.6EG 5.62026-04-28
A security vulnerability has been detected in o2oa up to 10.0. This impacts the function syncFile of the file NodeAgent.java of the component NodeAgent. The manipulation leads to improper authorization. The attack can be initiated remotely…
- CVE-2026-7468HIGHCVSS 7.3EG 7.32026-04-30
A security vulnerability has been detected in 1024-lab smart-admin up to 3.30.0. This affects an unknown function of the file /smart-admin-api/druid/index.html of the component Demo Site. The manipulation leads to improper access controls.…
- CVE-2026-7505HIGHCVSS 7.3EG 7.32026-04-30
A flaw has been found in nextlevelbuilder GoClaw and GoClaw Lite up to 3.8.5. This affects an unknown function of the component RPC Handler. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit…
- CVE-2026-7602MEDIUMCVSS 6.3EG 6.32026-05-02
A vulnerability was found in JeecgBoot up to 3.9.1. Affected by this vulnerability is an unknown functionality of the file /sys/fillRule/edit of the component FillRuleUtil Component. The manipulation of the argument ruleClass results in im…
- CVE-2026-7631MEDIUMCVSS 5.4EG 5.42026-05-02
A vulnerability was found in code-projects Online Hospital Management System 1.0. The impacted element is an unknown function of the component Registration Handler. The manipulation of the argument Username results in improper authorizatio…
- CVE-2026-7644HIGHCVSS 7.3EG 7.32026-05-02
A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. …
- CVE-2026-7686MEDIUMCVSS 5.3EG 5.32026-05-03
A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results …
- CVE-2026-7709MEDIUMCVSS 6.3EG 6.32026-05-03
A vulnerability was identified in janeczku Calibre-Web up to 0.6.26. The impacted element is the function generate_auth_token of the file cps/kobo_auth.py of the component Endpoint. Such manipulation of the argument user_id leads to improp…
- CVE-2026-7713MEDIUMCVSS 6.3EG 6.32026-05-04
A vulnerability was detected in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this vulnerability is the function generate_auth_token of the file cps/kobo_auth.py of the component Kobo auth-token Route. The manipulation resu…
- CVE-2026-8127MEDIUMCVSS 6.3EG 6.32026-05-08
A vulnerability has been found in eladmin up to 2.7. Impacted is the function checkLevel of the file /rest/UserController.java of the component Users API Endpoint. Such manipulation leads to improper access controls. The attack can be exec…
- CVE-2026-8148HIGHCVSS 7.8EG 7.82026-05-08
NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM via registry manipulation due to improper privilege checks.
- CVE-2026-8233MEDIUMCVSS 4.6EG 4.62026-05-10
A vulnerability was determined in Dotouch XproUPF 2.0.0-release-088aa7c4. Affected is an unknown function of the component UPF. This manipulation causes improper access controls. A high degree of complexity is needed for the attack. The ex…
- CVE-2026-8241MEDIUMCVSS 5.3EG 5.32026-05-10
A vulnerability has been found in Industrial Application Software IAS Canias ERP 8.03. The affected element is the function iasGetServerInfoEvent of the component RMI Interface. Such manipulation leads to improper authorization. The attack…
- CVE-2026-8743MEDIUMCVSS 6.3EG 6.32026-05-17
A vulnerability was found in Open5GS up to 2.7.6. This impacts the function ran_ue_find_by_amf_ue_ngap_id of the file src/amf/context.c of the component AMF/MME. Performing a manipulation results in improper authorization. It is possible t…
- CVE-2026-8747MEDIUMCVSS 6.3EG 6.32026-05-17
A weakness has been identified in Z-BlogPHP 1.7.4.3430. This affects the function CheckComment of the file zb_system/function/c_system_event.php of the component Commend Approval Handler. This manipulation causes improper authorization. Th…
- CVE-2026-8752MEDIUMCVSS 5.3EG 5.32026-05-17
A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler…
- CVE-2026-9376MEDIUMCVSS 6.3EG 6.32026-05-24
A vulnerability was determined in JPress up to 1.0.3. The affected element is an unknown function of the file /ucenter/article/doWriteSave of the component UCenter Article Submission Endpoint. Executing a manipulation of the argument id/us…
- CVE-2026-9397HIGHCVSS 8.1EG 8.12026-05-24
A weakness has been identified in Besen BS20 EV Charging Station up to 20260426. Affected by this issue is some unknown functionality of the component OTA Update Installation Handler. This manipulation causes improper authorization. The at…
- CVE-2026-9409MEDIUMCVSS 4.3EG 4.32026-05-25
A flaw has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This affects an unknown part of the file /user of the component User Management Handler. This manipulation of the argument role causes impro…
- CVE-2026-9410MEDIUMCVSS 4.3EG 4.32026-05-25
A vulnerability has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This vulnerability affects unknown code of the file /profile of the component Profile Workflow. Such manipulation of the argument I…
- CVE-2026-9412MEDIUMCVSS 6.3EG 6.32026-05-25
A vulnerability was determined in SourceCodester Indian Invoicing System 1.0. Impacted is an unknown function of the component Backend Endpoint. Executing a manipulation can lead to improper access controls. The attack can be launched remo…
- CVE-2026-9483MEDIUMCVSS 6.3EG 6.32026-05-25
A vulnerability was found in SourceCodester Student Grades Management System 1.0. Affected is an unknown function of the file grades.php. Performing a manipulation of the argument student_id results in improper authorization. The attack ma…
- CVE-2026-9484MEDIUMCVSS 6.3EG 6.32026-05-25
A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected by this vulnerability is the function getClassroomStudents/removeStudentFromClassroom of the file classroom.php. Executing a manipulation of th…
- CVE-2026-9517HIGHCVSS 7.3EG 7.32026-05-26
A vulnerability was determined in hemant6488 CodeIgniter-StudentManagementSystem. The affected element is an unknown function of the file /index.php/students/addStudentView of the component Student Management Handler. Executing a manipulat…
- CVE-2026-9562HIGHCVSS 7.3EG 7.32026-05-26
A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM up to 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5. The affected element is an unknown function of the component Dashboard. Such manipulation leads to improper access contro…
- CVE-2026-9579MEDIUMCVSS 6.3EG 6.32026-05-26
A vulnerability was found in JeecgBoot up to 3.9.1. Impacted is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. The manipulation of the argument userIdentity results in improper access c…
- CVE-2026-9580HIGHCVSS 7.3EG 7.32026-05-26
A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. This manipulation causes improper access controls. Remote exploitation of the attack …
- CVE-2026-9581MEDIUMCVSS 6.3EG 6.32026-05-26
A vulnerability was identified in JeecgBoot up to 3.9.1. The impacted element is an unknown function of the file /sys/comment/add. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit is pub…
- CVE-2026-9604MEDIUMCVSS 4.3EG 4.32026-05-26
A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improper access controls. The attack can be ex…
- CVE-2026-9795HIGHCVSS 7.3EG 7.32026-05-28
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a cl…
Map vulnerabilities like CWE-266 to your infrastructure
EchelonGraph correlates every CVE — across CWE-266 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →