Cyber Resilience

CVE-2026-3262

Medium · Public PoC

Published: 26 February 2026

Modified: 03 March 2026
CVSS Score v4: 5.3
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0042 (33.2th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-3262 is a medium-severity Execution After Redirect (EAR, CWE-698) vulnerability in Go2Ismail Asp.Net-Core-Inventory-Order-Management-System. Its CVSS v4 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 33.2th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-3262 is a vulnerability in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to version 9.20250118. It affects an unknown function of the Administrative Interface component, where manipulation leads to execution after redirect. The issue is associated with CWE-698 and CWE-705 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability enables a remote attack by an authenticated user with low privileges. Exploitation requires low complexity and no user interaction, allowing the attacker to achieve low-level impacts on confidentiality, integrity, and availability.

Advisories detail the issue as privilege escalation via client-side redirect bypass and are available via GitHub and VulDB references. The vendor was contacted early about the disclosure but did not respond, and no patches or mitigations are specified in the available information. The exploit has been publicly disclosed and may be used.

Vulnerability details

A vulnerability has been found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected is an unknown function of the component Administrative Interface. Such manipulation leads to execution after redirect. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a client-side redirect bypass in the administrative interface that enables an authenticated low-privileged user to escalate privileges (CWE-698/705), directly mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3263: Same product (Go2Ismail Asp.Net-Core-Inventory-Order-Management-System)
CVE-2026-3264: Same vendor (Go2Ismail)
CVE-2026-3265: Same vendor (Go2Ismail)
CVE-2025-6967: Shared CWE-698
CVE-2026-2699: Shared CWE-698
CVE-2025-8350: Shared CWE-698

Affected Assets

Vendor: go2ismail
Product: asp.net-core-inventory-order-management-system
Affected versions: ≤ 9.20250118

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly enforces server-side access decisions on the Administrative Interface, blocking unauthorized execution that bypasses client-side redirects.

Prevent: Restricts low-privilege authenticated users from reaching privileged functions even if a redirect bypass succeeds.

Prevent: Validates redirect-related inputs and parameters to prevent malicious client-side redirect manipulation.
