Cyber Resilience

CVE-2026-3265

MediumPublic PoC

Published: 26 February 2026

Published
26 February 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0046 36.1th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-3265 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Go2Ismail Free-Crm. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 36.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2026-3265 is an improper authorization vulnerability (CWE-266, CWE-285) in go2ismail Free-CRM up to commit b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. It affects an unknown part of the file /api/Security/ within the Security API component. The issue enables remote exploitation and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

An attacker with low privileges (PR:L) can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized access or modifications within the affected Security API endpoints. A public exploit is available and might be used in attacks.

Advisories on GitHub and VulDB detail the vulnerability, including a proof-of-concept in Free-CRM IDOR.md. The product follows a rolling release strategy, so no specific affected or patched versions are defined. The vendor was notified early but provided no response or mitigation guidance. Security practitioners should monitor for updates in the repository and implement compensating controls like stricter API authorization checks.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was identified in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. This affects an unknown part of the file /api/Security/ of the component Security API. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The…

more

exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper authorization (IDOR) in public-facing Security API allows low-priv remote attackers to perform unauthorized actions; directly maps to exploiting internet-facing apps for initial access and software exploitation for privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3264Same product: Go2Ismail Free-Crm
CVE-2026-3263Same vendor: Go2Ismail
CVE-2026-2109Shared CWE-266, CWE-285
CVE-2026-2078Shared CWE-266, CWE-285
CVE-2026-2015Shared CWE-266, CWE-285
CVE-2026-3262Same vendor: Go2Ismail
CVE-2026-1550Shared CWE-266, CWE-285
CVE-2026-1141Shared CWE-266, CWE-285
CVE-2026-2141Shared CWE-266, CWE-285
CVE-2025-10389Shared CWE-266, CWE-285

Affected Assets

go2ismail
free-crm
≤ 2025-09-21

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations on Security API endpoints to block the unauthorized access and modifications enabled by this improper-authorization flaw.

prevent

Limits the actions available to low-privilege accounts, reducing the impact of exploitation via the publicly available IDOR-style attack on /api/Security/.

prevent

Ensures access-control decisions are enforced consistently for every request to the affected Security API component rather than being bypassed.

References