Privilege escalation in CISA Manage.get.gov

CVE-2026-43510

manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30.

EPSS: 0.000 (6.5th percentile).

CVSS v3 metric

CVSS v3 base score 7.6 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H.

Affected products

Weakness classification (CWE)


Frequently asked questions

What is CVE-2026-43510?
CVE-2026-43510 is a high-severity vulnerability in CISA Manage.get.gov, classified under Incorrect Privilege Assignment. CVSS score: 7.6/10. Published 2026-05-07.

How severe is CVE-2026-43510?
High severity. CVSS v3 base score is 7.6 out of 10.