Search criteria
2 vulnerabilities found for manage.get.gov by CISA
CVE-2026-43510 (GCVE-0-2026-43510)
Vulnerability from nvd – Published: 2026-05-07 18:50 – Updated: 2026-05-10 14:54
VLAI?
Title
CISA manage.get.gov insecure portfolio administrative privileges
Summary
manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30.
Severity ?
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/cisagov/manage.get.gov/pull/4900 | patch |
| https://github.com/cisagov/manage.get.gov/release… | release-notes |
| https://github.com/cisagov/manage.get.gov/securit… | vendor-advisory |
| https://www.cve.org/CVERecord?id=CVE-2026-43510 | vdb-entry |
| https://raw.githubusercontent.com/cisagov/CSAF/de… | government-resourcethird-party-advisory |
| https://github.com/cisagov/manage.get.gov/issues/4858 | issue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CISA | manage.get.gov |
Affected:
1.92.0 , < 1.176.0
(custom)
Unaffected: 1.176.0 |
Date Public ?
2026-04-24 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43510",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-10T14:54:16.440795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T14:54:27.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "manage.get.gov",
"vendor": "CISA",
"versions": [
{
"lessThan": "1.176.0",
"status": "affected",
"version": "1.92.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.176.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "bn-omran (@scofaild23)"
}
],
"datePublic": "2026-04-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-43510",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T21:02:15.750389Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T16:34:45.740Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"name": "url",
"tags": [
"patch"
],
"url": "https://github.com/cisagov/manage.get.gov/pull/4900"
},
{
"name": "url",
"tags": [
"release-notes"
],
"url": "https://github.com/cisagov/manage.get.gov/releases/tag/v1.176.0"
},
{
"name": "url",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/cisagov/manage.get.gov/security/advisories/GHSA-6wrg-x3j6-x464"
},
{
"name": "url",
"tags": [
"vdb-entry"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43510"
},
{
"name": "url",
"tags": [
"government-resource",
"third-party-advisory"
],
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-121-01.json"
},
{
"name": "url",
"tags": [
"issue-tracking"
],
"url": "https://github.com/cisagov/manage.get.gov/issues/4858"
}
],
"title": "CISA manage.get.gov insecure portfolio administrative privileges"
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2026-43510",
"datePublished": "2026-05-07T18:50:56.944Z",
"dateReserved": "2026-05-01T15:27:56.173Z",
"dateUpdated": "2026-05-10T14:54:27.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43510 (GCVE-0-2026-43510)
Vulnerability from cvelistv5 – Published: 2026-05-07 18:50 – Updated: 2026-05-10 14:54
VLAI?
Title
CISA manage.get.gov insecure portfolio administrative privileges
Summary
manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30.
Severity ?
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/cisagov/manage.get.gov/pull/4900 | patch |
| https://github.com/cisagov/manage.get.gov/release… | release-notes |
| https://github.com/cisagov/manage.get.gov/securit… | vendor-advisory |
| https://www.cve.org/CVERecord?id=CVE-2026-43510 | vdb-entry |
| https://raw.githubusercontent.com/cisagov/CSAF/de… | government-resourcethird-party-advisory |
| https://github.com/cisagov/manage.get.gov/issues/4858 | issue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CISA | manage.get.gov |
Affected:
1.92.0 , < 1.176.0
(custom)
Unaffected: 1.176.0 |
Date Public ?
2026-04-24 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43510",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-10T14:54:16.440795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T14:54:27.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "manage.get.gov",
"vendor": "CISA",
"versions": [
{
"lessThan": "1.176.0",
"status": "affected",
"version": "1.92.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.176.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "bn-omran (@scofaild23)"
}
],
"datePublic": "2026-04-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-43510",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T21:02:15.750389Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T16:34:45.740Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"name": "url",
"tags": [
"patch"
],
"url": "https://github.com/cisagov/manage.get.gov/pull/4900"
},
{
"name": "url",
"tags": [
"release-notes"
],
"url": "https://github.com/cisagov/manage.get.gov/releases/tag/v1.176.0"
},
{
"name": "url",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/cisagov/manage.get.gov/security/advisories/GHSA-6wrg-x3j6-x464"
},
{
"name": "url",
"tags": [
"vdb-entry"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43510"
},
{
"name": "url",
"tags": [
"government-resource",
"third-party-advisory"
],
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-121-01.json"
},
{
"name": "url",
"tags": [
"issue-tracking"
],
"url": "https://github.com/cisagov/manage.get.gov/issues/4858"
}
],
"title": "CISA manage.get.gov insecure portfolio administrative privileges"
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2026-43510",
"datePublished": "2026-05-07T18:50:56.944Z",
"dateReserved": "2026-05-01T15:27:56.173Z",
"dateUpdated": "2026-05-10T14:54:27.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}