CVE-2026-3262
Published: 26 February 2026
Summary
CVE-2026-3262 is a medium-severity execution-after-redirect (EAR, CWE-698) vulnerability in Go2Ismail Asp.Net-Core-Inventory-Order-Management-System. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks in the 33.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-3262 is a vulnerability in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to version 9.20250118. It affects an unknown function of the Administrative Interface component, where such manipulation leads to execution after redirect. The issue is associated with CWE-698 and CWE-705, carrying a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability enables a remote attack by an authenticated user with low privileges. Exploitation requires low complexity and no user interaction, allowing the attacker to achieve low-level impacts on confidentiality, integrity, and availability.
Advisories detail the issue as privilege escalation via client-side redirect bypass and are available via GitHub and VulDB references. The vendor was contacted early about the disclosure but did not respond, and no patches or mitigations are specified in the available information. The exploit has been publicly disclosed and may be used.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8903
Vulnerability details
A vulnerability has been found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected is an unknown function of the component Administrative Interface. Such manipulation leads to execution after redirect. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a client-side redirect bypass in the administrative interface that enables an authenticated low-privileged user to escalate privileges (CWE-698/705), directly mapping to exploitation for privilege escalation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly enforces server-side access decisions on the Administrative Interface, blocking unauthorized execution that bypasses client-side redirects.
Restricts low-privilege authenticated users from reaching privileged functions even if a redirect bypass succeeds.
Validates redirect-related inputs and parameters to prevent malicious client-side redirect manipulation.
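The server-side access enforcement described above, shown as a weak ASP.NET Core controller next to a hardened one. This is an added example, not code from the affected project: the record does not identify the vulnerable function, so the controller names, the `IUserStore` interface and the `Admin` role name are assumptions made for illustration.

```csharp
using System.Collections.Generic;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical data-access interface, for illustration only.
public interface IUserStore { IReadOnlyList<string> List(); void Delete(string id); }

// WEAK: any signed-in user reaches these actions. Non-admins are only sent
// away by the browser, after the server has already done the work.
[Authorize]
public class WeakUserAdminController : Controller
{
    private readonly IUserStore _users;
    public WeakUserAdminController(IUserStore users) => _users = users;

    public IActionResult Index()
    {
        // The view is expected to emit a script redirect when this flag is set,
        // but the user list has already been queried and rendered into the response.
        ViewData["RedirectNonAdmin"] = !User.IsInRole("Admin");
        return View(_users.List());
    }

    [HttpPost]
    public IActionResult Delete(string id)
    {
        _users.Delete(id); // runs for every authenticated caller
        return RedirectToAction(nameof(Index));
    }
}

// HARDENED: the role requirement is evaluated by the framework's authorization
// step, so a caller without the Admin role is rejected before any action body runs.
[Authorize(Roles = "Admin")]
public class UserAdminController : Controller
{
    private readonly IUserStore _users;
    public UserAdminController(IUserStore users) => _users = users;

    public IActionResult Index() => View(_users.List());

    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Delete(string id)
    {
        _users.Delete(id);
        return RedirectToAction(nameof(Index));
    }
}
```

A useful regression check for the hardened form is an integration test that calls each administrative route with a low-privilege session and asserts both the rejection status and that the backing store was not touched.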