CVE Alert

CVE-2026-43510

HIGH 7.6

CISA manage.get.gov insecure portfolio administrative privileges

CVSS Score: 7.6
EPSS Score: 0.0%
EPSS Percentile: 0th

manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30.

CWE CWE-266
Vendor cisa
Product manage.get.gov
Published May 7, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: Low
Availability: High

Affected Versions

CISA / manage.get.gov
0 < 1.176.0

References

github.com: https://github.com/cisagov/manage.get.gov/pull/4900
github.com: https://github.com/cisagov/manage.get.gov/releases/tag/v1.176.0
github.com: https://github.com/cisagov/manage.get.gov/security/advisories/GHSA-6wrg-x3j6-x464
cve.org: https://www.cve.org/CVERecord?id=CVE-2026-43510
raw.githubusercontent.com: https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-121-01.json
github.com: https://github.com/cisagov/manage.get.gov/issues/4858

Credits

bn-omran (@scofaild23)