Description
A vulnerability was identified in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. This affects an unknown part of the file /api/Security/ of the component Security API. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper authorization in Free‑CRM Security API enables remote attackers to execute privileged operations
Action: Patch ASAP
AI Analysis

Impact

Based on the description, it is inferred that a flaw in the Security API of go2ismail Free‑CRM allows an attacker to bypass authorization controls. This weakness permits remote exploitation of privileged endpoints, potentially exposing sensitive data or functionality. It exemplifies CWE‑266 (Missing Authorization) and CWE‑285 (Improper Authorization), and may compromise confidentiality, integrity, or availability for unauthorised users.

Affected Systems

Based on the description, it is inferred that the vulnerability impacts go2ismail Free‑CRM, specifically an unidentified component of the /api/Security path. Because version information is unavailable due to the product’s rolling‑release strategy, any instance running an unpatched build is potentially exposed.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. The EPSS score is below 1%, suggesting that exploitation is unlikely but still possible given the publicly available exploit code. Because the vulnerability is not listed in the KEV catalog, known exploitation appears limited. Based on the description, it is inferred that remote attackers could leverage unauthenticated or insufficiently privileged access to manipulate Security API endpoints, potentially escalating privileges or extracting sensitive information. Defensive measures should be applied promptly to mitigate potential exploitation.

Generated by OpenCVE AI on April 18, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure the API gateway or firewall to block all unauthenticated requests to the /api/Security endpoints, allowing traffic only from trusted IP ranges or authenticated users.
  • Audit and tighten role‑based access controls within Free‑CRM, ensuring that only administrators or explicitly privileged accounts can invoke Security API functions.
  • Apply any official Free‑CRM update released by go2ismail immediately; if no fix is available, consider disabling or removing the vulnerable endpoint from public exposure as a temporary workaround.
  • Set up monitoring and alerts for anomalous access to the Security API to detect potential abuse early.
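The first and last actions above (allow /api/Security only from trusted sources or authenticated sessions, and alert on access that breaks that rule) expressed as a log check. This is an added example, not code from OpenCVE or the Free-CRM project; it assumes a combined-format access log whose third field is the authenticated user, and the trusted ranges and log lines are constructed placeholders.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Source ranges allowed to reach /api/Security without a session; assumed values, not from the advisory.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

# Combined access-log format: client ip, ident, authenticated user, [time], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Feb/2026:10:00:00 +0000] "GET /api/Security/users HTTP/1.1" 200 512',
    '10.0.0.7 - alice [26/Feb/2026:10:00:01 +0000] "POST /api/Security/roles HTTP/1.1" 200 88',
    '198.51.100.9 - - [26/Feb/2026:10:00:02 +0000] "GET /api/security/?x=1 HTTP/1.1" 401 0',
    '203.0.113.5 - - [26/Feb/2026:10:00:03 +0000] "GET /api/Contacts HTTP/1.1" 200 1024',
]

def classify(line: str) -> Optional[str]:
    """Return an alert reason for a Security API request that violates the policy, else None."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsable"
    # Drop the query string and compare case-insensitively, in case the routing ignores case.
    path = m["path"].split("?", 1)[0].lower()
    if not path.startswith("/api/security"):
        return None
    ip = ipaddress.ip_address(m["ip"])
    trusted = any(ip in net for net in TRUSTED_NETS)
    authenticated = m["user"] != "-"
    if trusted or authenticated:
        return None
    # A 2xx here means the request reached the application with no session and from an untrusted source.
    if m["status"].startswith("2"):
        return "untrusted-unauthenticated-success"
    return "untrusted-unauthenticated-attempt"

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client ip, reason) for every line that warrants an alert."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            hits.append((line.split(" ", 1)[0], reason))
    return hits
```

A "success" hit is the one to escalate: it shows the gateway rule is not being enforced, whereas an "attempt" shows it is.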

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 20:00:00 +0000

  CPEs
    Added: cpe:2.3:a:go2ismail:free-crm:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 19:15:00 +0000

  Metrics
    Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

  First Time appeared
    Added: Go2ismail; Go2ismail free-crm
  Vendors & Products
    Added: Go2ismail; Go2ismail free-crm

Thu, 26 Feb 2026 23:00:00 +0000

  Description
    Added: A vulnerability was identified in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. This affects an unknown part of the file /api/Security/ of the component Security API. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
  Title
    Added: go2ismail Free-CRM Security API improper authorization
  Weaknesses
    Added: CWE-266; CWE-285
  References
  Metrics
    Added: cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    Added: cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    Added: cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-27T18:49:54.918Z

Reserved: 2026-02-26T14:43:40.989Z

Link: CVE-2026-3265

Vulnrichment

Updated: 2026-02-27T18:49:49.943Z

NVD

Status: Analyzed

Published: 2026-02-26T23:16:38.120

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3265

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses