Cyber Resilience

CVE-2026-43510

High

Published: 07 May 2026

Published
07 May 2026
Modified
07 May 2026
KEV Added
Patch
CVSS Score v4 7.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0002 7.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-43510 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Githubusercontent (inferred from references). Its CVSS base score is 7.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1098.003 Additional Cloud Roles Persistence
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant.
Why these techniques?

Public-facing domain registrar web app with improper privilege assignment (CWE-266) directly enables exploitation via T1190 and unauthorized role assignment on domains via T1098.003.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33519Shared CWE-266
CVE-2026-24971Shared CWE-266
CVE-2024-51888Shared CWE-266
CVE-2025-44655Shared CWE-266
CVE-2025-49388Shared CWE-266
CVE-2024-43333Shared CWE-266
CVE-2024-12470Shared CWE-266
CVE-2026-23550Shared CWE-266
CVE-2026-32520Shared CWE-266
CVE-2025-67953Shared CWE-266

Affected Assets

Githubusercontent
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-266

Designation of a manager and policy dissemination ensures privileges are assigned according to defined roles.

addresses: CWE-266

Regular reviews catch incorrect privilege assignments to users, roles, or processes.

addresses: CWE-266

Explicitly specifying privileges and group/role memberships for accounts reduces the risk of incorrect privilege assignments.

addresses: CWE-266

The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.

addresses: CWE-266

Ensures privileges are assigned only as necessary rather than incorrectly over-granted.

References