Common Weakness Enumeration

CWE-266

Allowed

Incorrect Privilege Assignment

Abstraction: Base · Status: Draft

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

1917 vulnerabilities reference this CWE, most recent first.

GHSA-J55V-W58W-8MXC

Vulnerability from github – Published: 2026-07-07 06:31 – Updated: 2026-07-07 06:31
VLAI
Details

An Incorrect Privilege Assignment (CWE-266) vulnerability in the Command Centre Server allows an authenticated operator with limited privileges to perform some operations that they would not normally be authorized to perform. Version of Command Centre affected: 9.50 prior to vEL9.50.1587(MR1), 9.40 prior to vEL9.40.3130(MR3), 9.30 prior to vEL9.30.3983(MR5), 9.20 prior to vEL9.20.4349(MR7), all versions of 9.10.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-26053"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-07T05:16:50Z",
    "severity": "MODERATE"
  },
  "details": "An\u00a0Incorrect Privilege Assignment (CWE-266)\u00a0vulnerability in\u00a0the Command Centre Server\u00a0allows an\u00a0authenticated operator with limited privileges\u00a0to perform some operations that they would not normally be authorized to perform.\u00a0Version of Command Centre affected:\u00a09.50 prior to vEL9.50.1587(MR1), 9.40 prior to vEL9.40.3130(MR3), 9.30 prior to vEL9.30.3983(MR5), 9.20 prior to vEL9.20.4349(MR7), all versions of 9.10.",
  "id": "GHSA-j55v-w58w-8mxc",
  "modified": "2026-07-07T06:31:24Z",
  "published": "2026-07-07T06:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26053"
    },
    {
      "type": "WEB",
      "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-26053"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J57C-VPQ3-6X56

Vulnerability from github – Published: 2024-12-18 21:30 – Updated: 2026-04-01 18:32
VLAI
Details

Incorrect Privilege Assignment vulnerability in wpweb WooCommerce PDF Vouchers allows Privilege Escalation.This issue affects WooCommerce PDF Vouchers: from n/a before 4.9.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-18T19:15:11Z",
    "severity": "CRITICAL"
  },
  "details": "Incorrect Privilege Assignment vulnerability in wpweb WooCommerce PDF Vouchers allows Privilege Escalation.This issue affects WooCommerce PDF Vouchers: from n/a before 4.9.9.",
  "id": "GHSA-j57c-vpq3-6x56",
  "modified": "2026-04-01T18:32:52Z",
  "published": "2024-12-18T21:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54383"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/woocommerce-pdf-vouchers/vulnerability/wordpress-woocommerce-pdf-vouchers-plugin-4-9-9-broken-authentication-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J584-J2VJ-3F93

Vulnerability from github – Published: 2024-06-20 16:19 – Updated: 2025-02-05 21:20
VLAI
Summary
XWiki Platform allows remote code execution from user account
Details

Impact

When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account.

To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add {{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}. As an admin, go to the user profile and click the "Disable this account" button. Then, reload the page. If the logs show attacker - Hello from Groovy! then the instance is vulnerable.

Patches

This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.

Workarounds

We're not aware of any workaround except upgrading.

References

  • https://jira.xwiki.org/browse/XWIKI-21611
  • https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 13.5"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-oldcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.4.7"
            },
            {
              "fixed": "14.10.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-oldcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.10.3"
            },
            {
              "fixed": "14.10.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-oldcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0-rc-1"
            },
            {
              "fixed": "15.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-oldcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.6-rc-1"
            },
            {
              "fixed": "15.10.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-oldcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0-rc-1"
            },
            {
              "fixed": "16.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-37899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-20T16:19:14Z",
    "nvd_published_at": "2024-06-20T23:15:52Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nWhen an admin disables a user account, the user\u0027s profile is executed with the admin\u0027s rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account.\n\nTo reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger(\"attacker\").error(\"Hello from Groovy!\"){{/groovy}}`.\nAs an admin, go to the user profile and click the \"Disable this account\" button.\nThen, reload the page. If the logs show `attacker - Hello from Groovy!` then the instance is vulnerable.\n\n### Patches\nThis has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.\n\n### Workarounds\nWe\u0027re not aware of any workaround except upgrading.\n\n### References\n* https://jira.xwiki.org/browse/XWIKI-21611\n* https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a",
  "id": "GHSA-j584-j2vj-3f93",
  "modified": "2025-02-05T21:20:52Z",
  "published": "2024-06-20T16:19:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37899"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/046c36519a2df392c922c16d0d38472b98c414d0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/233b08b26580df4b7a595882dac65ed4e4a2419c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/2b55c29562ccd20f8f0f85075f0c95b4ee9cd9be"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/f8409419c5d0ddefe1bee55e73629a54275fa735"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-21611"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Platform allows remote code execution from user account"
}

GHSA-J5M3-H4XF-6RR9

Vulnerability from github – Published: 2025-09-05 15:31 – Updated: 2026-04-01 18:36
VLAI
Details

Incorrect Privilege Assignment vulnerability in John Luetke Media Author allows Privilege Escalation. This issue affects Media Author: from n/a through 1.0.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58841"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-05T14:15:57Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect Privilege Assignment vulnerability in John Luetke Media Author allows Privilege Escalation. This issue affects Media Author: from n/a through 1.0.4.",
  "id": "GHSA-j5m3-h4xf-6rr9",
  "modified": "2026-04-01T18:36:05Z",
  "published": "2025-09-05T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58841"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/media-author/vulnerability/wordpress-media-author-plugin-1-0-4-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J646-J4CF-JJ5H

Vulnerability from github – Published: 2025-05-23 15:31 – Updated: 2026-04-01 18:35
VLAI
Details

Incorrect Privilege Assignment vulnerability in pebas CouponXL allows Privilege Escalation. This issue affects CouponXL: from n/a through 4.5.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-23T13:15:30Z",
    "severity": "CRITICAL"
  },
  "details": "Incorrect Privilege Assignment vulnerability in pebas CouponXL allows Privilege Escalation. This issue affects CouponXL: from n/a through 4.5.0.",
  "id": "GHSA-j646-j4cf-jj5h",
  "modified": "2026-04-01T18:35:14Z",
  "published": "2025-05-23T15:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39489"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/theme/couponxl/vulnerability/wordpress-couponxl-4-5-0-privilege-escalation-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J6M2-HPV6-29C4

Vulnerability from github – Published: 2026-06-01 06:30 – Updated: 2026-06-01 06:30
VLAI
Details

A vulnerability has been found in nextlevelbuilder GoClaw up to 3.11.3. This affects the function auth of the file internal/http/evolution_handlers.go. Such manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project tagged the reported issue as bug.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-10218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-01T04:16:20Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been found in nextlevelbuilder GoClaw up to 3.11.3. This affects the function auth of the file internal/http/evolution_handlers.go. Such manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project tagged the reported issue as bug.",
  "id": "GHSA-j6m2-hpv6-29c4",
  "modified": "2026-06-01T06:30:25Z",
  "published": "2026-06-01T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10218"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextlevelbuilder/goclaw/issues/1120"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextlevelbuilder/goclaw"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-10218"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/821938"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/367497"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/367497/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J6Q4-MVCW-HPGM

Vulnerability from github – Published: 2026-01-19 09:30 – Updated: 2026-02-23 09:31
VLAI
Details

A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1141"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-19T07:16:22Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used.",
  "id": "GHSA-j6q4-mvcw-hpgm",
  "modified": "2026-02-23T09:31:21Z",
  "published": "2026-01-19T09:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1141"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Asim-QAZi/BrokenAccessControl-News-Portal-Project-in-PHP-and-MySQL-in-PHPGurukul"
    },
    {
      "type": "WEB",
      "url": "https://phpgurukul.com"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.341733"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.341733"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.735483"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.736668"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J79V-M8QF-H9JX

Vulnerability from github – Published: 2025-09-26 00:31 – Updated: 2025-09-26 00:31
VLAI
Details

A weakness has been identified in JeecgBoot up to 3.8.2. The impacted element is an unknown function of the file /sys/role/exportXls. This manipulation causes improper authorization. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10979"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-25T23:15:48Z",
    "severity": "MODERATE"
  },
  "details": "A weakness has been identified in JeecgBoot up to 3.8.2. The impacted element is an unknown function of the file /sys/role/exportXls. This manipulation causes improper authorization. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-j79v-m8qf-h9jx",
  "modified": "2025-09-26T00:31:19Z",
  "published": "2025-09-26T00:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10979"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.325850"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.325850"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.653337"
    },
    {
      "type": "WEB",
      "url": "https://www.cnblogs.com/aibot/p/19063353"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J7J8-2M3C-HF7J

Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-26 21:31
VLAI
Details

Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation.This issue affects RewardsWP: from n/a through <= 1.0.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32520"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T17:17:04Z",
    "severity": "CRITICAL"
  },
  "details": "Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation.This issue affects RewardsWP: from n/a through \u003c= 1.0.4.",
  "id": "GHSA-j7j8-2m3c-hf7j",
  "modified": "2026-03-26T21:31:25Z",
  "published": "2026-03-25T18:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32520"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/rewardswp/vulnerability/wordpress-rewardswp-plugin-1-0-4-privilege-escalation-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J824-HJ46-XVFV

Vulnerability from github – Published: 2026-06-05 18:31 – Updated: 2026-06-05 18:31
VLAI
Details

A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the component Admin Interface. The manipulation of the argument UserAuthData leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11336"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-05T16:16:41Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the component Admin Interface. The manipulation of the argument UserAuthData leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.",
  "id": "GHSA-j824-hj46-xvfv",
  "modified": "2026-06-05T18:31:39Z",
  "published": "2026-06-05T18:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11336"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tittuvarghese/CollegeManagementSystem/issues/5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tittuvarghese/CollegeManagementSystem"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-11336"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/832582"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/368874"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/368874/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.