Common Weakness Enumeration

CWE-266

Allowed

Incorrect Privilege Assignment

Abstraction: Base · Status: Draft

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

1913 vulnerabilities reference this CWE, most recent first.

GHSA-MXCH-2CPM-8XJW

Vulnerability from github – Published: 2025-04-14 12:30 – Updated: 2025-04-14 12:30
VLAI
Details

A vulnerability classified as problematic has been found in huanfenz/code-projects StudentManager up to 1.0. This affects an unknown part of the component Teacher String Handler. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-14T12:15:16Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic has been found in huanfenz/code-projects StudentManager up to 1.0. This affects an unknown part of the component Teacher String Handler. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-mxch-2cpm-8xjw",
  "modified": "2025-04-14T12:30:37Z",
  "published": "2025-04-14T12:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3564"
    },
    {
      "type": "WEB",
      "url": "https://github.com/buluorifu/Vulnerability-recurrence/blob/main/Refer/StudentManager-authority.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.304605"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.304605"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.549309"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MXM9-6HJ4-G563

Vulnerability from github – Published: 2026-03-08 15:30 – Updated: 2026-03-08 15:30
VLAI
Details

A vulnerability was identified in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code of the component Financial Report Page. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-08T14:15:54Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code of the component Financial Report Page. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.",
  "id": "GHSA-mxm9-6hj4-g563",
  "modified": "2026-03-08T15:30:30Z",
  "published": "2026-03-08T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3738"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hiranerakkot/Pet-Grooming-Software/blob/main/Vulnerability_2.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.349716"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.349716"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.767321"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P2QQ-M885-CM42

Vulnerability from github – Published: 2026-05-01 00:31 – Updated: 2026-05-01 00:31
VLAI
Details

A flaw has been found in nextlevelbuilder GoClaw and GoClaw Lite up to 3.8.5. This affects an unknown function of the component RPC Handler. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used. Upgrading to version 3.9.0 mitigates this issue. Patch name: 406022e79f4a18b3070a446712080571eff11e30. You should upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-7505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-30T23:16:20Z",
    "severity": "MODERATE"
  },
  "details": "A flaw has been found in nextlevelbuilder GoClaw and GoClaw Lite up to 3.8.5. This affects an unknown function of the component RPC Handler. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used. Upgrading to version 3.9.0 mitigates this issue. Patch name: 406022e79f4a18b3070a446712080571eff11e30. You should upgrade the affected component.",
  "id": "GHSA-p2qq-m885-cm42",
  "modified": "2026-05-01T00:31:28Z",
  "published": "2026-05-01T00:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7505"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextlevelbuilder/goclaw/issues/866"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextlevelbuilder/goclaw/pull/950"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextlevelbuilder/goclaw/commit/406022e79f4a18b3070a446712080571eff11e30"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextlevelbuilder/goclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextlevelbuilder/goclaw/releases/tag/v3.9.0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/803458"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/360314"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/360314/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P3FV-JQ23-QG6F

Vulnerability from github – Published: 2026-01-04 03:30 – Updated: 2026-01-04 03:30
VLAI
Details

A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function saveUserRole of the file warehouse\src\main\java\com\yeqifu\sys\controller\UserController.java of the component Request Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-04T02:15:41Z",
    "severity": "MODERATE"
  },
  "details": "A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function saveUserRole of the file warehouse\\src\\main\\java\\com\\yeqifu\\sys\\controller\\UserController.java of the component Request Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified.",
  "id": "GHSA-p3fv-jq23-qg6f",
  "modified": "2026-01-04T03:30:27Z",
  "published": "2026-01-04T03:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/5i1encee/Vul/blob/main/Vertical_privilege_escalation_Vulnerability_in_Project_yeqifu_warehouse.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/5i1encee/Vul/blob/main/Vertical_privilege_escalation_Vulnerability_in_Project_yeqifu_warehouse.md#poc"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.339458"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.339458"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.729374"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P3QF-G93W-J952

Vulnerability from github – Published: 2025-09-26 00:31 – Updated: 2025-09-26 00:31
VLAI
Details

A vulnerability was detected in JeecgBoot up to 3.8.2. This impacts an unknown function of the file /sys/tenant/exportXls. Performing manipulation results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10981"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-26T00:15:37Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was detected in JeecgBoot up to 3.8.2. This impacts an unknown function of the file /sys/tenant/exportXls. Performing manipulation results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-p3qf-g93w-j952",
  "modified": "2025-09-26T00:31:19Z",
  "published": "2025-09-26T00:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10981"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.325852"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.325852"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.653341"
    },
    {
      "type": "WEB",
      "url": "https://www.cnblogs.com/aibot/p/19063356"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P3RQ-F799-8PW3

Vulnerability from github – Published: 2024-11-01 12:30 – Updated: 2024-11-05 09:30
VLAI
Details

A vulnerability has been found in TOTOLINK LR350 up to 9.3.5u.6369 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /formLoginAuth.htm. The manipulation of the argument authCode with the input 1 leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-01T12:15:03Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in TOTOLINK LR350 up to 9.3.5u.6369 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /formLoginAuth.htm. The manipulation of the argument authCode with the input 1 leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-p3rq-f799-8pw3",
  "modified": "2024-11-05T09:30:37Z",
  "published": "2024-11-01T12:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10654"
    },
    {
      "type": "WEB",
      "url": "https://github.com/c0nyy/IoT_vuln/blob/main/TOTOLINK%20LR350%20Vuln.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.282667"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.282667"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.434801"
    },
    {
      "type": "WEB",
      "url": "https://www.totolink.net"
    },
    {
      "type": "WEB",
      "url": "https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/231/ids/36.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P43R-VVQQ-VQCJ

Vulnerability from github – Published: 2025-01-24 18:31 – Updated: 2025-01-24 18:31
VLAI
Details

IBM i 7.2, 7.3, 7.4, and 7.5 is vulnerable to a file level local denial of service caused by an insufficient authority requirement. A local non-privileged user can configure a referential constraint with the privileges of a user socially engineered to access the target file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-24T18:15:31Z",
    "severity": "LOW"
  },
  "details": "IBM i 7.2, 7.3, 7.4, and 7.5 is vulnerable to a file level local denial of service caused by an insufficient authority requirement. A local non-privileged user can configure a referential constraint with the privileges of a user socially engineered to access the target file.",
  "id": "GHSA-p43r-vvqq-vqcj",
  "modified": "2025-01-24T18:31:13Z",
  "published": "2025-01-24T18:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35122"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7178317"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P56J-X44H-G66J

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2023-12-22 15:00
VLAI
Summary
Incorrect Privilege Assignment in Jenkins Script Security Plugin
Details

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.61"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:script-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.62"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10355"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-704"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-28T22:57:34Z",
    "nvd_published_at": "2019-07-31T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts.",
  "id": "GHSA-p56j-x44h-g66j",
  "modified": "2023-12-22T15:00:19Z",
  "published": "2022-05-24T16:51:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10355"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/script-security-plugin/commit/5dc2e2465f309c772237a4b2de9caf61ba9b585b"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2594"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2651"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2662"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/script-security-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1465"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/07/31/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Privilege Assignment in Jenkins Script Security Plugin"
}

GHSA-P5F2-H5FV-XRRX

Vulnerability from github – Published: 2024-10-10 00:31 – Updated: 2024-10-11 21:31
VLAI
Details

The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through 3.1.4.5 allows remote attackers to bypass 2FA by interacting with the /rest endpoint of Jira, Confluence, or Bitbucket. In the default configuration, /rest is allowlisted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-48941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-10T00:15:02Z",
    "severity": "MODERATE"
  },
  "details": "The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through 3.1.4.5 allows remote attackers to bypass 2FA by interacting with the /rest endpoint of Jira, Confluence, or Bitbucket. In the default configuration, /rest is allowlisted.",
  "id": "GHSA-p5f2-h5fv-xrrx",
  "modified": "2024-10-11T21:31:34Z",
  "published": "2024-10-10T00:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48941"
    },
    {
      "type": "WEB",
      "url": "https://syracom-bee.atlassian.net/wiki/spaces/SL/pages/3236560898/2024-09-16+-+Secure+Login+security+advisory+-+Insecure+default+configuration"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P668-4PCG-FGMF

Vulnerability from github – Published: 2026-02-06 00:30 – Updated: 2026-02-06 00:30
VLAI
Details

A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component REST Endpoint. This manipulation causes improper access controls. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix this issue. Patch name: 545566f5663545d16174e0f2399f231aa693ab6e. It is advisable to upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-05T22:15:53Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component REST Endpoint. This manipulation causes improper access controls. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix this issue. Patch name: 545566f5663545d16174e0f2399f231aa693ab6e. It is advisable to upgrade the affected component.",
  "id": "GHSA-p668-4pcg-fgmf",
  "modified": "2026-02-06T00:30:26Z",
  "published": "2026-02-06T00:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1964"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wekan/wekan/commit/545566f5663545d16174e0f2399f231aa693ab6e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wekan/wekan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wekan/wekan/releases/tag/v8.21"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.344486"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.344486"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.742680"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.