CWE-266 (Incorrect Privilege Assignment) documents a weakness type used across vulnerability databases and security assessments.
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-10876 | 2026-06-05 | A weakness has been identified in SourceCodester Ship Ferry Ticket Reservation System 1.0. This affects an unknown function of the file /admin/. This manipulation of the argument page causes improper … |
| CVE-2025-15656 | 2026-06-03 | Incorrect Privilege Assignment vulnerability in Mojoomla School Management allows Privilege Escalation. This issue affects School Management: from n/a through 93.2.0. |
| CVE-2026-10693 | 2026-06-03 | A security vulnerability has been detected in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the component Administrative Endpoint. Th… |
| CVE-2025-53209 | 2026-06-02 | Incorrect Privilege Assignment vulnerability in Themeisle Masteriyo LMS PRO allows Privilege Escalation. This issue affects Masteriyo LMS PRO: from n/a through 2.20.0. |
| CVE-2026-10294 | 2026-06-01 | A vulnerability has been found in PackageKit up to 1.3.5. Affected is the function g_file_test of the file src/pk-transaction.c of the component API. Such manipulation of the argument frontend-socket … |
| CVE-2026-10285 | 2026-06-01 | A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.ph… |
| CVE-2026-10284 | 2026-06-01 | A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/… |
| CVE-2026-10282 | 2026-06-01 | A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to impr… |
| CVE-2026-10277 | 2026-06-01 | A vulnerability was found in j3k0 mcp-google-workspace up to 831790e7d5c2663325733d9f5579cc339a267c4c. This issue affects the function saveToDisk of the file src/tools/gmail.ts of the component MCP Gm… |
| CVE-2026-10272 | 2026-06-01 | A vulnerability has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The impacted element is an unknown function of the file admin/deleteform.php. Such mani… |
| CVE-2026-10269 | 2026-06-01 | A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The m… |
| CVE-2026-48879 | 2026-06-01 | Incorrect Privilege Assignment vulnerability in Sergey AIWU allows Privilege Escalation. This issue affects AIWU: from n/a through 1.4.17. |
| CVE-2026-42680 | 2026-06-01 | Incorrect Privilege Assignment vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery Pro allows Privilege Escalation. This issue affects Contest Gallery Pro: from n/a through 2… |
| CVE-2026-10255 | 2026-06-01 | A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is the function sell_statement of the file application/controllers/ShowForm.php… |
| CVE-2026-10236 | 2026-06-01 | A vulnerability has been found in SourceCodester Water Billing Management System 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save of the component User Management … |
| CVE-2026-10218 | 2026-06-01 | A vulnerability has been found in nextlevelbuilder GoClaw up to 3.11.3. This affects the function auth of the file internal/http/evolution_handlers.go. Such manipulation leads to improper authorizatio… |
| CVE-2026-10217 | 2026-06-01 | A flaw has been found in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function handleSave of the file internal/http/tts_config.go of the component RoleAdmin Gateway. This manipula… |
| CVE-2026-10215 | 2026-06-01 | A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component L… |
| CVE-2026-10152 | 2026-05-30 | A vulnerability was detected in TaleLin lin-cms-spring-boot up to 0.2.1. This issue affects some unknown processing of the file src/main/java/io/github/talelin/latticy/controller/v1/BookController.jav… |
| CVE-2026-10070 | 2026-05-29 | A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results i… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities |
| 2009-03-10 | CWE Content Team | 1.3 | — | updated Relationships |
| 2009-12-28 | CWE Content Team | 1.7 | — | updated Potential_Mitigations |
| 2010-06-21 | CWE Content Team | 1.9 | — | updated Potential_Mitigations |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences, Relationships, Taxonomy_Mappings |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations, References |
| 2014-02-18 | CWE Content Team | 2.6 | — | updated Applicable_Platforms, Demonstrative_Examples |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Causal_Nature, Modes_of_Introduction, References, Relationships |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Relationships, Taxonomy_Mappings |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Relationships |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated Demonstrative_Examples |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated References |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated References, Relationships, Time_of_Introduction |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Relationships |