CVE-2026-3264

MediumPublic PoC

Published: 26 February 2026

Published

26 February 2026

Modified

03 March 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0009 26.1th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3264 is a medium-severity EAR (CWE-698) vulnerability in Go2Ismail Free-Crm. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 26.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The vulnerability is explicitly described as enabling privilege escalation via client-side redirect authorization bypass (CWE-698/705) in the administrative interface, directly matching T1068 Exploitation for Privilege Escalation. No other techniques are directly facilitated by the described flaw.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was determined in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. Affected by this issue is some unknown functionality of the component Administrative Interface. Executing a manipulation can lead to execution after redirect. The attack can be executed remotely. The exploit…

has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysisAI

CVE-2026-3264 is a vulnerability in go2ismail Free-CRM up to commit b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1, affecting some unknown functionality of the Administrative Interface component. The issue enables execution after redirect, associated with CWE-698 and CWE-705, and carries a CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

A remote attacker with low privileges can exploit this vulnerability in an attack scenario requiring low complexity and no user interaction. Successful exploitation leads to low-level impacts on confidentiality, integrity, and availability, with the exploit publicly disclosed and potentially utilizable in the wild.

Advisories, including a GitHub entry on privilege escalation via client-side redirect authorization bypass and VulDB reports, indicate no patches or updated releases are available due to the product's rolling release model, which lacks version information for affected or fixed instances. The vendor was contacted early but provided no response.

Details

CWE(s): CWE-698 CWE-705

Affected Products

go2ismail

free-crm

≤ 2025-09-21

CVEs Like This One

CVE-2026-3265Same product: Go2Ismail Free-Crm

CVE-2026-3262Same vendor: Go2Ismail

CVE-2026-3263Same vendor: Go2Ismail

CVE-2025-6967Shared CWE-698

CVE-2026-2699Shared CWE-698

CVE-2025-8350Shared CWE-698

References

https://github.com/Ghufran2/CVE-Free-CRM-Advisories/blob/main/Free-CRM%20Privilege%20Escalation%20via%20Client-Side%20Redirect%20Authorization%20Bypass.md
Exploit, Mitigation, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.347987
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.347987
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.758337
Third Party Advisory, VDB Entry · cna@vuldb.com