Common Weakness Enumeration

CWE-266

Allowed

Incorrect Privilege Assignment

Abstraction: Base · Status: Draft

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

1915 vulnerabilities reference this CWE, most recent first.

GHSA-8W8V-R4XJ-J99J

Vulnerability from github – Published: 2024-05-17 09:31 – Updated: 2026-04-01 18:31
VLAI
Details

Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation.This issue affects InstaWP Connect: from n/a through 0.1.0.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T09:15:21Z",
    "severity": "HIGH"
  },
  "details": "Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation.This issue affects InstaWP Connect: from n/a through 0.1.0.8.",
  "id": "GHSA-8w8v-r4xj-j99j",
  "modified": "2026-04-01T18:31:46Z",
  "published": "2024-05-17T09:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22145"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-0-8-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8WJ2-XX8C-CQ7R

Vulnerability from github – Published: 2025-10-22 15:31 – Updated: 2026-01-20 15:31
VLAI
Details

Incorrect Privilege Assignment vulnerability in pebas CouponXxL couponxxl allows Privilege Escalation.This issue affects CouponXxL: from n/a through <= 3.0.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T15:15:59Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Privilege Assignment vulnerability in pebas CouponXxL couponxxl allows Privilege Escalation.This issue affects CouponXxL: from n/a through \u003c= 3.0.0.",
  "id": "GHSA-8wj2-xx8c-cq7r",
  "modified": "2026-01-20T15:31:30Z",
  "published": "2025-10-22T15:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60220"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/couponxxl/vulnerability/wordpress-couponxxl-theme-3-0-0-privilege-escalation-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Theme/couponxxl/vulnerability/wordpress-couponxxl-theme-3-0-0-privilege-escalation-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Theme/couponxxl/vulnerability/wordpress-couponxxl-theme-3-0-0-privilege-escalation-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8WJX-FW8F-7FVV

Vulnerability from github – Published: 2025-09-04 12:30 – Updated: 2025-09-04 12:30
VLAI
Details

A security flaw has been discovered in elunez eladmin 1.1. Impacted is the function deleteFile of the component LocalStorageController. The manipulation results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be exploited.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9937"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T10:42:38Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in elunez eladmin 1.1. Impacted is the function deleteFile of the component LocalStorageController. The manipulation results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be exploited.",
  "id": "GHSA-8wjx-fw8f-7fvv",
  "modified": "2025-09-04T12:30:43Z",
  "published": "2025-09-04T12:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9937"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.322339"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.322339"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.643392"
    },
    {
      "type": "WEB",
      "url": "https://www.cnblogs.com/aibot/p/19063329"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9268-XRMF-PFRG

Vulnerability from github – Published: 2025-10-27 21:30 – Updated: 2025-10-27 21:30
VLAI
Details

A vulnerability has been found in dulaiduwang003 TIME-SEA-PLUS up to fb299162f18498dd9cf17da906886d80a077d53b. This affects the function alipayIsSucceed of the file PayController.java of the component Order Status Handler. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12304"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-27T19:16:01Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in dulaiduwang003 TIME-SEA-PLUS up to fb299162f18498dd9cf17da906886d80a077d53b. This affects the function alipayIsSucceed of the file PayController.java of the component Order Status Handler. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-9268-xrmf-pfrg",
  "modified": "2025-10-27T21:30:26Z",
  "published": "2025-10-27T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12304"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Hwwg/cve/issues/3"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.329976"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.329976"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.676283"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-929F-P9P7-FX8X

Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-27 18:31
VLAI
Details

Incorrect Privilege Assignment vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Privilege Escalation.This issue affects RegistrationMagic: from n/a through <= 6.0.7.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24373"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T17:16:37Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Privilege Assignment vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Privilege Escalation.This issue affects RegistrationMagic: from n/a through \u003c= 6.0.7.1.",
  "id": "GHSA-929f-p9p7-fx8x",
  "modified": "2026-03-27T18:31:24Z",
  "published": "2026-03-25T18:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24373"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/custom-registration-form-builder-with-submission-manager/vulnerability/wordpress-registrationmagic-plugin-6-0-7-1-account-takeover-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-92RJ-4RQF-4MG5

Vulnerability from github – Published: 2024-09-22 09:30 – Updated: 2024-09-22 09:30
VLAI
Details

A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /Users.phpf=save of the component User Creation Handler. The manipulation of the argument type with the input 1 leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-22T08:15:02Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /Users.phpf=save of the component User Creation Handler. The manipulation of the argument type with the input 1 leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-92rj-4rqf-4mg5",
  "modified": "2024-09-22T09:30:49Z",
  "published": "2024-09-22T09:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9082"
    },
    {
      "type": "WEB",
      "url": "https://github.com/41lai/cve/blob/main/add.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.278252"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.278252"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.411565"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-93H2-436Q-PCQF

Vulnerability from github – Published: 2026-05-10 09:31 – Updated: 2026-05-11 15:32
VLAI
Details

A vulnerability has been found in Industrial Application Software IAS Canias ERP 8.03. The affected element is the function iasGetServerInfoEvent of the component RMI Interface. Such manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8241"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-10T09:16:31Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in Industrial Application Software IAS Canias ERP 8.03. The affected element is the function iasGetServerInfoEvent of the component RMI Interface. Such manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-93h2-436q-pcqf",
  "modified": "2026-05-11T15:32:10Z",
  "published": "2026-05-10T09:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8241"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/0xb1lal/6f3f050f08cff569ecbde586e63c6bea"
    },
    {
      "type": "WEB",
      "url": "https://hawktrace.com/blog/caniaserp"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/808270"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/362457"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/362457/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-94RM-RQ6H-H95X

Vulnerability from github – Published: 2024-11-20 15:30 – Updated: 2024-11-20 15:30
VLAI
Details

Improper Privilege Management vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Privilege Escalation.This issue affects upKeeper Instant Privilege Access: before 1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9479"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-20T14:15:18Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Privilege Management vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Privilege Escalation.This issue affects upKeeper Instant Privilege Access: before 1.2.",
  "id": "GHSA-94rm-rq6h-h95x",
  "modified": "2024-11-20T15:30:52Z",
  "published": "2024-11-20T15:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9479"
    },
    {
      "type": "WEB",
      "url": "https://support.upkeeper.se/hc/en-us/articles/17007729905436-CVE-2024-9479-Improper-Privilege-Management-Subprocess"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-952R-63WR-G75F

Vulnerability from github – Published: 2026-07-18 15:31 – Updated: 2026-07-18 15:31
VLAI
Details

A vulnerability was identified in nextlevelbuilder GoClaw up to 3.13.2. Affected is the function isSafeBin of the file internal/tools/exec_approval.go. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-16121"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-18T15:17:32Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was identified in nextlevelbuilder GoClaw up to 3.13.2. Affected is the function isSafeBin of the file internal/tools/exec_approval.go. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.",
  "id": "GHSA-952r-63wr-g75f",
  "modified": "2026-07-18T15:31:50Z",
  "published": "2026-07-18T15:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-16121"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextlevelbuilder/goclaw/issues/1206"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextlevelbuilder/goclaw/issues/1214"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextlevelbuilder/goclaw"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-16121"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/856827"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/379830"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/379830/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-95H9-6HV2-WR74

Vulnerability from github – Published: 2025-08-20 09:30 – Updated: 2026-04-01 18:35
VLAI
Details

Incorrect Privilege Assignment vulnerability in DELUCKS DELUCKS SEO allows Privilege Escalation. This issue affects DELUCKS SEO: from n/a through 2.6.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48165"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-20T08:15:32Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Privilege Assignment vulnerability in DELUCKS DELUCKS SEO allows Privilege Escalation. This issue affects DELUCKS SEO: from n/a through 2.6.0.",
  "id": "GHSA-95h9-6hv2-wr74",
  "modified": "2026-04-01T18:35:53Z",
  "published": "2025-08-20T09:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48165"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/delucks-seo/vulnerability/wordpress-delucks-seo-plugin-2-6-0-privilege-escalation-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.