CVE-2026-3265 · HIGH 8.8 · EPSS p36.1%

Description

A vulnerability was identified in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. It affects an unknown part of the file /api/Security/ of the component Security API. The manipulation leads to improper authorization. The attack can be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery, so version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.46% probability of exploitation · percentile 36.1% · 2026-06-18T12:00:27Z
Published: 2026-02-26
Last modified: 2026-04-29

Underlying weaknesses · 2

CWE-266, CWE-285

References

  1. https://github.com/Ghufran2/CVE-Free-CRM-Advisories/blob/main/Free-CRM%20IDOR.md
  2. https://vuldb.com/?ctiid.347988
  3. https://vuldb.com/?id.347988
  4. https://vuldb.com/?submit.758338

Type | Target | Confidence | Tier
Weakness | Incorrect Privilege Assignment (cwe-266) | 0% | live
Weakness | Improper Authorization (cwe-285) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-3264
  2. CVE-2026-3263
  3. CVE-2026-3262
  4. CVE-2026-3794
  5. CVE-2026-2174
  6. CVE-2026-29189

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.