Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-266
Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CVE-2026-2106 (GCVE-0-2026-2106)
Vulnerability from cvelistv5 – Published: 2026-02-07 17:32 – Updated: 2026-02-23 09:33
VLAI
Title
yeqifu warehouse Notice Management NoticeController.java batchDeleteNotice improper authorization
Summary
A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The impacted element is the function addNotice/updateNotice/deleteNotice/batchDeleteNotice of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\NoticeController.java of the component Notice Management. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.344682 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.344682 | signaturepermissions-required |
| https://vuldb.com/?submit.745516 | third-party-advisory |
| https://github.com/yeqifu/warehouse/issues/58 | issue-tracking |
| https://github.com/yeqifu/warehouse/issues/58#iss… | exploitissue-tracking |
| https://github.com/yeqifu/warehouse/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2106",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T15:58:48.480666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T16:00:08.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Notice Management"
],
"product": "warehouse",
"vendor": "yeqifu",
"versions": [
{
"status": "affected",
"version": "aaf29962ba407d22d991781de28796ee7b4670e4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "AliceS614 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The impacted element is the function addNotice/updateNotice/deleteNotice/batchDeleteNotice of the file dataset\\repos\\warehouse\\src\\main\\java\\com\\yeqifu\\sys\\controller\\NoticeController.java of the component Notice Management. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T09:33:32.862Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-344682 | yeqifu warehouse Notice Management NoticeController.java batchDeleteNotice improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.344682"
},
{
"name": "VDB-344682 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.344682"
},
{
"name": "Submit #745516 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.745516"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/yeqifu/warehouse/issues/58"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/yeqifu/warehouse/issues/58#issue-3846664260"
},
{
"tags": [
"product"
],
"url": "https://github.com/yeqifu/warehouse/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-06T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-10T17:21:08.000Z",
"value": "VulDB entry last update"
}
],
"title": "yeqifu warehouse Notice Management NoticeController.java batchDeleteNotice improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-2106",
"datePublished": "2026-02-07T17:32:06.820Z",
"dateReserved": "2026-02-06T14:16:00.975Z",
"dateUpdated": "2026-02-23T09:33:32.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2107 (GCVE-0-2026-2107)
Vulnerability from cvelistv5 – Published: 2026-02-07 18:32 – Updated: 2026-02-23 09:33
VLAI
Title
yeqifu warehouse Log Info LoginfoController.java batchDeleteLoginfo improper authorization
Summary
A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function loadAllLoginfo/deleteLoginfo/batchDeleteLoginfo of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\LoginfoController.java of the component Log Info Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.344683 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.344683 | signaturepermissions-required |
| https://vuldb.com/?submit.745517 | third-party-advisory |
| https://github.com/yeqifu/warehouse/issues/59 | issue-tracking |
| https://github.com/yeqifu/warehouse/issues/59#iss… | exploitissue-tracking |
| https://github.com/yeqifu/warehouse/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2107",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T16:01:07.245721Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T16:01:37.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Log Info Handler"
],
"product": "warehouse",
"vendor": "yeqifu",
"versions": [
{
"status": "affected",
"version": "aaf29962ba407d22d991781de28796ee7b4670e4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "AliceS614 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function loadAllLoginfo/deleteLoginfo/batchDeleteLoginfo of the file dataset\\repos\\warehouse\\src\\main\\java\\com\\yeqifu\\sys\\controller\\LoginfoController.java of the component Log Info Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T09:33:44.659Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-344683 | yeqifu warehouse Log Info LoginfoController.java batchDeleteLoginfo improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.344683"
},
{
"name": "VDB-344683 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.344683"
},
{
"name": "Submit #745517 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.745517"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/yeqifu/warehouse/issues/59"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/yeqifu/warehouse/issues/59#issue-3846665806"
},
{
"tags": [
"product"
],
"url": "https://github.com/yeqifu/warehouse/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-06T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-11T09:10:29.000Z",
"value": "VulDB entry last update"
}
],
"title": "yeqifu warehouse Log Info LoginfoController.java batchDeleteLoginfo improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-2107",
"datePublished": "2026-02-07T18:32:08.198Z",
"dateReserved": "2026-02-06T14:16:03.665Z",
"dateUpdated": "2026-02-23T09:33:44.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2109 (GCVE-0-2026-2109)
Vulnerability from cvelistv5 – Published: 2026-02-07 19:32 – Updated: 2026-02-23 09:34
VLAI
Title
jsbroks COCO Annotator Delete Category undo improper authorization
Summary
A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.344685 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.344685 | signaturepermissions-required |
| https://vuldb.com/?submit.745579 | third-party-advisory |
| https://github.com/nmmorette/vulnerability-resear… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jsbroks | COCO Annotator |
Affected:
0.11.0
Affected: 0.11.1 cpe:2.3:a:jsbroks:coco_annotator:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2109",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T16:08:22.493862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T16:08:40.318Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:jsbroks:coco_annotator:*:*:*:*:*:*:*:*"
],
"modules": [
"Delete Category Handler"
],
"product": "COCO Annotator",
"vendor": "jsbroks",
"versions": [
{
"status": "affected",
"version": "0.11.0"
},
{
"status": "affected",
"version": "0.11.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "nmmorette (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T09:34:09.648Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-344685 | jsbroks COCO Annotator Delete Category undo improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.344685"
},
{
"name": "VDB-344685 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.344685"
},
{
"name": "Submit #745579 | coco-annotator v0.11.1 Broken Function Level Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.745579"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-06T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-08T00:50:05.000Z",
"value": "VulDB entry last update"
}
],
"title": "jsbroks COCO Annotator Delete Category undo improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-2109",
"datePublished": "2026-02-07T19:32:06.262Z",
"dateReserved": "2026-02-06T14:23:45.708Z",
"dateUpdated": "2026-02-23T09:34:09.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2141 (GCVE-0-2026-2141)
Vulnerability from cvelistv5 – Published: 2026-02-08 07:32 – Updated: 2026-02-23 09:39
VLAI
Title
WuKongOpenSource WukongCRM URL PermissionServiceImpl.java improper authorization
Summary
A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.344776 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.344776 | signaturepermissions-required |
| https://vuldb.com/?submit.747264 | third-party-advisory |
| https://github.com/SourByte05/SourByte-Lab/issues/8 | exploitissue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WuKongOpenSource | WukongCRM |
Affected:
11.3.0
Affected: 11.3.1 Affected: 11.3.2 Affected: 11.3.3 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2141",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T21:17:15.462736Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T21:17:22.771Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"URL Handler"
],
"product": "WukongCRM",
"vendor": "WuKongOpenSource",
"versions": [
{
"status": "affected",
"version": "11.3.0"
},
{
"status": "affected",
"version": "11.3.1"
},
{
"status": "affected",
"version": "11.3.2"
},
{
"status": "affected",
"version": "11.3.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "sourbyte (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T09:39:32.564Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-344776 | WuKongOpenSource WukongCRM URL PermissionServiceImpl.java improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.344776"
},
{
"name": "VDB-344776 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.344776"
},
{
"name": "Submit #747264 | \u90d1\u5dde\u5361\u5361\u7f57\u7279\u8f6f\u4ef6\u79d1\u6280\u6709\u9650\u516c\u53f8 WukongCRM WukongCRM-11.x-JAVA logical flaw vulnerability",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.747264"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/SourByte05/SourByte-Lab/issues/8"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-06T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-09T07:43:14.000Z",
"value": "VulDB entry last update"
}
],
"title": "WuKongOpenSource WukongCRM URL PermissionServiceImpl.java improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-2141",
"datePublished": "2026-02-08T07:32:06.928Z",
"dateReserved": "2026-02-06T21:06:36.285Z",
"dateUpdated": "2026-02-23T09:39:32.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21425 (GCVE-0-2026-21425)
Vulnerability from cvelistv5 – Published: 2026-03-04 12:15 – Updated: 2026-03-05 04:55
VLAI
Summary
Dell PowerScale OneFS, versions prior to 9.10.1.6 and versions 9.11.0.0 through 9.12.0.1, contains an incorrect privilege assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-sg/00043245… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | PowerScale OneFS |
Affected:
prior to 9.10.1.6 , < 9.10.1.6 or later
(semver)
Affected: 9.11.0.0 through 9.12.0.1 , < 9.13.0.0 or later (semver) |
Date Public
2026-02-24 18:30
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21425",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T04:55:37.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerScale OneFS",
"vendor": "Dell",
"versions": [
{
"lessThan": "9.10.1.6 or later",
"status": "affected",
"version": "prior to 9.10.1.6",
"versionType": "semver"
},
{
"lessThan": "9.13.0.0 or later",
"status": "affected",
"version": "9.11.0.0 through 9.12.0.1",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-02-24T18:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell PowerScale OneFS, versions prior to 9.10.1.6 and versions 9.11.0.0 through 9.12.0.1, contains an incorrect privilege assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.\u003cbr\u003e"
}
],
"value": "Dell PowerScale OneFS, versions prior to 9.10.1.6 and versions 9.11.0.0 through 9.12.0.1, contains an incorrect privilege assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T12:36:13.767Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-sg/000432452/dsa-2026-038-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2026-21425",
"datePublished": "2026-03-04T12:15:34.236Z",
"dateReserved": "2025-12-24T16:33:47.095Z",
"dateUpdated": "2026-03-05T04:55:37.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2206 (GCVE-0-2026-2206)
Vulnerability from cvelistv5 – Published: 2026-02-08 01:09 – Updated: 2026-02-23 09:54 X_Open Source
VLAI
Title
WeKan Administrative Repair fixDuplicateLists.js FixDuplicateBleed access control
Summary
A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to resolve this issue. The patch is named 4ce181d17249778094f73d21515f7f863f554743. It is advisable to upgrade the affected component.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.344920 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.344920 | signaturepermissions-required |
| https://vuldb.com/?submit.752162 | third-party-advisory |
| https://github.com/wekan/wekan/commit/4ce181d1724… | patch |
| https://github.com/wekan/wekan/releases/tag/v8.21 | patch |
| https://github.com/wekan/wekan/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | WeKan |
Affected:
8.0
Affected: 8.1 Affected: 8.2 Affected: 8.3 Affected: 8.4 Affected: 8.5 Affected: 8.6 Affected: 8.7 Affected: 8.8 Affected: 8.9 Affected: 8.10 Affected: 8.11 Affected: 8.12 Affected: 8.13 Affected: 8.14 Affected: 8.15 Affected: 8.16 Affected: 8.17 Affected: 8.18 Affected: 8.19 Affected: 8.20 Unaffected: 8.21 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T19:38:54.022899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T19:39:08.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Administrative Repair Handler"
],
"product": "WeKan",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "8.0"
},
{
"status": "affected",
"version": "8.1"
},
{
"status": "affected",
"version": "8.2"
},
{
"status": "affected",
"version": "8.3"
},
{
"status": "affected",
"version": "8.4"
},
{
"status": "affected",
"version": "8.5"
},
{
"status": "affected",
"version": "8.6"
},
{
"status": "affected",
"version": "8.7"
},
{
"status": "affected",
"version": "8.8"
},
{
"status": "affected",
"version": "8.9"
},
{
"status": "affected",
"version": "8.10"
},
{
"status": "affected",
"version": "8.11"
},
{
"status": "affected",
"version": "8.12"
},
{
"status": "affected",
"version": "8.13"
},
{
"status": "affected",
"version": "8.14"
},
{
"status": "affected",
"version": "8.15"
},
{
"status": "affected",
"version": "8.16"
},
{
"status": "affected",
"version": "8.17"
},
{
"status": "affected",
"version": "8.18"
},
{
"status": "affected",
"version": "8.19"
},
{
"status": "affected",
"version": "8.20"
},
{
"status": "unaffected",
"version": "8.21"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "MegaManSec (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to resolve this issue. The patch is named 4ce181d17249778094f73d21515f7f863f554743. It is advisable to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T09:54:07.822Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-344920 | WeKan Administrative Repair fixDuplicateLists.js FixDuplicateBleed access control",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.344920"
},
{
"name": "VDB-344920 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.344920"
},
{
"name": "Submit #752162 | Wekan \u003c8.21 Improper access control on administrative repair method",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.752162"
},
{
"tags": [
"patch"
],
"url": "https://github.com/wekan/wekan/commit/4ce181d17249778094f73d21515f7f863f554743"
},
{
"tags": [
"patch"
],
"url": "https://github.com/wekan/wekan/releases/tag/v8.21"
},
{
"tags": [
"product"
],
"url": "https://github.com/wekan/wekan/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-02-08T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-08T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-12T08:47:13.000Z",
"value": "VulDB entry last update"
}
],
"title": "WeKan Administrative Repair fixDuplicateLists.js FixDuplicateBleed access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-2206",
"datePublished": "2026-02-08T01:09:36.037Z",
"dateReserved": "2026-02-08T01:06:06.190Z",
"dateUpdated": "2026-02-23T09:54:07.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22069 (GCVE-0-2026-22069)
Vulnerability from cvelistv5 – Published: 2026-05-19 02:47 – Updated: 2026-06-29 11:56
VLAI
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2026-06-29T11:56:05.068Z",
"orgId": "7f2b1ad8-5432-4d64-91a1-9099af1cc695",
"shortName": "OPPO"
},
"rejectedReasons": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
],
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7f2b1ad8-5432-4d64-91a1-9099af1cc695",
"assignerShortName": "OPPO",
"cveId": "CVE-2026-22069",
"datePublished": "2026-05-19T02:47:20.980Z",
"dateRejected": "2026-06-29T11:56:05.068Z",
"dateReserved": "2026-01-06T06:15:53.763Z",
"dateUpdated": "2026-06-29T11:56:05.068Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22078 (GCVE-0-2026-22078)
Vulnerability from cvelistv5 – Published: 2026-06-29 08:05 – Updated: 2026-06-29 11:53
VLAI
Title
O+ Connect's lack of authentication for IPC channels led to a local privilege escalation vulnerability.
Summary
Because O+ Connect's IPC service does not authenticate clients, external applications can escalate privileges and perform sensitive actions through the IPC channel.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect privilege assignment
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OPPO | O+ Connect |
Affected:
16.0.33
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22078",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T11:53:04.056229Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T11:53:21.664Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "O+ Connect",
"vendor": "OPPO",
"versions": [
{
"status": "affected",
"version": "16.0.33"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Because O+ Connect\u0027s IPC service does not authenticate clients, external applications can escalate privileges and perform sensitive actions through the IPC channel."
}
],
"value": "Because O+ Connect\u0027s IPC service does not authenticate clients, external applications can escalate privileges and perform sensitive actions through the IPC channel."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect privilege assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T11:52:51.499Z",
"orgId": "7f2b1ad8-5432-4d64-91a1-9099af1cc695",
"shortName": "OPPO"
},
"references": [
{
"url": "https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2070415238859333632"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "O+ Connect\u0027s lack of authentication for IPC channels led to a local privilege escalation vulnerability.",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7f2b1ad8-5432-4d64-91a1-9099af1cc695",
"assignerShortName": "OPPO",
"cveId": "CVE-2026-22078",
"datePublished": "2026-06-29T08:05:49.776Z",
"dateReserved": "2026-01-06T06:15:53.765Z",
"dateUpdated": "2026-06-29T11:53:21.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2209 (GCVE-0-2026-2209)
Vulnerability from cvelistv5 – Published: 2026-02-08 01:14 – Updated: 2026-02-23 09:54 X_Open Source
VLAI
Title
WeKan Custom Translation translationBody.js setCreateTranslation improper authorization
Summary
A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotely. Upgrading to version 8.19 is sufficient to fix this issue. The patch is identified as f244a43771f6ebf40218b83b9f46dba6b940d7de. It is suggested to upgrade the affected component.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.344923 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.344923 | signaturepermissions-required |
| https://vuldb.com/?submit.752269 | third-party-advisory |
| https://github.com/wekan/wekan/commit/f244a43771f… | patch |
| https://github.com/wekan/wekan/releases/tag/v8.19 | patch |
| https://github.com/wekan/wekan/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | WeKan |
Affected:
8.0
Affected: 8.1 Affected: 8.2 Affected: 8.3 Affected: 8.4 Affected: 8.5 Affected: 8.6 Affected: 8.7 Affected: 8.8 Affected: 8.9 Affected: 8.10 Affected: 8.11 Affected: 8.12 Affected: 8.13 Affected: 8.14 Affected: 8.15 Affected: 8.16 Affected: 8.17 Affected: 8.18 Unaffected: 8.19 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2209",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T19:43:12.695364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T19:43:24.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Custom Translation Handler"
],
"product": "WeKan",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "8.0"
},
{
"status": "affected",
"version": "8.1"
},
{
"status": "affected",
"version": "8.2"
},
{
"status": "affected",
"version": "8.3"
},
{
"status": "affected",
"version": "8.4"
},
{
"status": "affected",
"version": "8.5"
},
{
"status": "affected",
"version": "8.6"
},
{
"status": "affected",
"version": "8.7"
},
{
"status": "affected",
"version": "8.8"
},
{
"status": "affected",
"version": "8.9"
},
{
"status": "affected",
"version": "8.10"
},
{
"status": "affected",
"version": "8.11"
},
{
"status": "affected",
"version": "8.12"
},
{
"status": "affected",
"version": "8.13"
},
{
"status": "affected",
"version": "8.14"
},
{
"status": "affected",
"version": "8.15"
},
{
"status": "affected",
"version": "8.16"
},
{
"status": "affected",
"version": "8.17"
},
{
"status": "affected",
"version": "8.18"
},
{
"status": "unaffected",
"version": "8.19"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "MegaManSec (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotely. Upgrading to version 8.19 is sufficient to fix this issue. The patch is identified as f244a43771f6ebf40218b83b9f46dba6b940d7de. It is suggested to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T09:54:44.601Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-344923 | WeKan Custom Translation translationBody.js setCreateTranslation improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.344923"
},
{
"name": "VDB-344923 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.344923"
},
{
"name": "Submit #752269 | Wekan \u003c8.20 IDOR in setCreateTranslation. Non-admin could change Custom Tran",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.752269"
},
{
"tags": [
"patch"
],
"url": "https://github.com/wekan/wekan/commit/f244a43771f6ebf40218b83b9f46dba6b940d7de"
},
{
"tags": [
"patch"
],
"url": "https://github.com/wekan/wekan/releases/tag/v8.19"
},
{
"tags": [
"product"
],
"url": "https://github.com/wekan/wekan/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-02-08T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-08T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-12T08:47:12.000Z",
"value": "VulDB entry last update"
}
],
"title": "WeKan Custom Translation translationBody.js setCreateTranslation improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-2209",
"datePublished": "2026-02-08T01:14:34.308Z",
"dateReserved": "2026-02-08T01:14:09.539Z",
"dateUpdated": "2026-02-23T09:54:44.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22267 (GCVE-0-2026-22267)
Vulnerability from cvelistv5 – Published: 2026-02-19 09:16 – Updated: 2026-02-26 14:44
VLAI
Summary
Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00042977… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | PowerProtect Data Manager |
Affected:
N/A , < 19.22.0-24 or later
(semver)
|
Date Public
2026-02-17 18:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22267",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-21T04:56:32.486024Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T14:44:14.633Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerProtect Data Manager",
"vendor": "Dell",
"versions": [
{
"lessThan": "19.22.0-24 or later",
"status": "affected",
"version": "N/A",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "other",
"value": "Dell would like to thank brocked200 (Nguyen Quoc Khanh) for reporting these issues."
}
],
"datePublic": "2026-02-17T18:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges.\u003cbr\u003e"
}
],
"value": "Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T09:16:54.151Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000429778/dsa-2026-046-security-update-for-dell-powerprotect-data-manager-multiple-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2026-22267",
"datePublished": "2026-02-19T09:16:54.151Z",
"dateReserved": "2026-01-07T06:43:46.536Z",
"dateUpdated": "2026-02-26T14:44:14.633Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-1
Phases: Architecture and Design, Operation
Description:
- Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation ID: MIT-17
Phases: Architecture and Design, Operation
Strategy: Environment Hardening
Description:
- Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.