Local privilege escalation in Microsoft Defender for Endpoint for macOS lets an authenticated local attacker exploit a time-of-check-to-time-of-use race to gain elevated privileges. The flaw (CWE-367) requires winning a timing window between when Defender validates a resource and when it acts on it, yielding high confidentiality, integrity, and availability impact. Microsoft has published a fix, and there is no public exploit identified at time of analysis.
Local privilege escalation in the Windows Runtime (WinRT) affects current Microsoft platforms including Windows 11 24H2, 25H2, 26H1, and Windows Server 2025, where a race condition (CWE-362) in the handling of a shared resource lets an already-authenticated local user win a timing window to gain higher privileges. Microsoft has released a patch, and there is no public exploit identified at time of analysis. With a CVSS 7.0 (AV:L/AC:H/PR:L) the flaw requires local access and precise timing, making it a plausible second-stage escalation rather than an initial entry point.
Local privilege escalation in the Windows Installer (msiexec) service across Windows 10, Windows 11, and Windows Server 2012 through 2025 allows an already-authenticated local user to gain higher privileges by triggering a use-after-free memory-corruption condition. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has published a patch. The high CVSS complexity (AC:H) indicates exploitation requires winning a race or meeting specific timing/heap conditions rather than being trivially reliable.
Local privilege escalation in the Microsoft Windows Kernel arises from a use-after-free (CWE-416) memory-corruption flaw that lets an attacker running code on the machine gain higher privileges, potentially SYSTEM. It affects a broad range of current Windows client and server builds (Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, Windows Server 2022/2025). No public exploit identified at time of analysis, but the local attack surface and full CIA impact make it a standard Patch-Tuesday-class kernel EoP worth prompt patching.
Local privilege escalation in the Windows Backup Engine affects Windows 10 (21H2, 22H2) and Windows 11 (24H2, 25H2, 26H1), where a use-after-free (CWE-416) memory-corruption flaw lets an already-authorized local user with low privileges elevate to higher rights. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft rates it 7.0 (High), reflecting meaningful impact tempered by high attack complexity. Successful exploitation grants full confidentiality, integrity, and availability impact on the affected host.
Local privilege escalation in the Microsoft Windows Kernel lets an already-authenticated attacker win a use-after-free race (CWE-416) to gain SYSTEM-level control, affecting a broad range of client and server builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch and there is no public exploit identified at time of analysis. The moderate 7.0 score reflects high attack complexity (a timing-dependent race) offset by full confidentiality, integrity and availability impact once triggered.
Local privilege escalation in the Windows Runtime component of Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an already-authenticated local attacker to win a race condition and gain higher privileges. The flaw was reported by Microsoft, which has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high CVSS complexity (AC:H) reflects that the attacker must reliably win a timing window, tempering real-world exploitability despite the full compromise of confidentiality, integrity, and availability once triggered.
Local privilege escalation in Microsoft Windows via the LUAFV (LUA File Virtualization, luafv.sys) driver allows an already-authenticated low-privileged user to win a timing race and elevate to SYSTEM/administrator on affected Windows client and server builds. The flaw stems from improper synchronization around a shared resource (CWE-362) and carries a CVSS 7.0 (AV:L/AC:H/PR:L) reflecting a local, high-complexity attack. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Local privilege escalation in the Windows Runtime (WinRT) affects a broad range of supported Windows client and server releases, from Windows 10 1809 and Windows Server 2019 through Windows 11 26H1 and Windows Server 2025. An authorized local attacker who can execute low-privilege code can trigger a use-after-free (CWE-416) memory-corruption condition to elevate privileges, yielding full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in Microsoft Windows Runtime (WinRT) affects a broad range of Windows client and server builds, from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. An authorized local attacker who can run low-privileged code can trigger a use-after-free memory-corruption condition to elevate to higher privileges, with high confidentiality, integrity, and availability impact implying a path to SYSTEM. No public exploit identified at time of analysis, and the flaw is not on CISA KEV; a vendor patch is available.
Local privilege escalation in the Windows Media component affects a broad range of Microsoft Windows client and server editions (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). A low-privileged authenticated attacker can abuse a use-after-free (CWE-416) memory corruption flaw to elevate to higher privileges, achieving full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the flaw is not on CISA KEV, but the high attack complexity (a likely race condition) is the main barrier to reliable exploitation.
Local privilege elevation in the Windows Media component of Windows 11 (versions 24H2, 25H2, and 26H1) allows an already-authenticated local attacker to win a race condition and gain higher privileges on the host. The flaw is a concurrency/synchronization defect (CWE-362) reported by Microsoft itself; no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is rated high-complexity because the attacker must reliably win a timing window, which tempers the otherwise high confidentiality, integrity, and availability impact.
Local privilege escalation in the Windows Runtime (WinRT) component of Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an authenticated local attacker to win a race condition and gain higher privileges. The flaw stems from improper synchronization of a shared resource (CWE-362); successful exploitation yields high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a patch.
Privilege escalation in the Windows Runtime (WinRT) allows a network-based, unauthenticated attacker to win a race condition and gain elevated privileges on affected Windows 10, Windows 11 (through 26H1), and Windows Server 2019-2025 systems. Microsoft self-reported the flaw and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS vector (AV:N/AC:H) reflects a real but timing-dependent attack that is non-trivial to reproduce reliably.
Network-based privilege elevation in the Windows Runtime (WinRT) affects a broad range of Microsoft platforms including Windows 10 (1809 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025. An unauthorized attacker who wins a timing race in the improperly synchronized shared-resource handling can gain elevated privileges, with the vulnerability carrying an implicit authentication-bypass characteristic per vendor tags. No public exploit has been identified at time of analysis, and the high attack complexity (AC:H) reflects the need to reliably win a race window.
Local privilege escalation in the Windows Kernel (CVE-2026-50390) lets an already-authenticated attacker abuse a type-confusion condition to run code with elevated (SYSTEM-level) privileges on affected Windows client and server builds ranging from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. Microsoft has shipped a fix and there is no public exploit identified at time of analysis, but as a kernel EoP it is a classic second-stage building block for turning a foothold into full host compromise. CVSS is 7.0 (High), reflecting high attack complexity but full confidentiality, integrity, and availability impact once triggered.
Local privilege escalation in Windows Kernel-Mode Drivers on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 lets an authenticated local attacker corrupt kernel memory via a use-after-free and gain SYSTEM-level control. Rated CVSS 7.0 (Important) and reported by Microsoft itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high attack complexity (AC:H) reflects the race-condition nature typical of kernel UAF bugs, which tempers real-world exploitability despite full C/I/A impact.
Local privilege escalation in Microsoft Windows Kernel-Mode Drivers lets an already-authenticated, low-privileged user corrupt kernel memory to gain SYSTEM-level control. Affected builds include Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, including Server Core. Microsoft has shipped a patch; there is no public exploit identified at time of analysis, and it is not on the CISA KEV list.
Local privilege escalation in Windows Secure Kernel Mode (VBS/Isolated User Mode trust boundary) affects Windows 11 24H2/25H2/26H1 and Windows Server 2025, where a use-after-free (CWE-416) lets an already-authenticated local attacker gain elevated privileges. Microsoft rates it 7.0 (High) with a local, high-complexity vector requiring low privileges and no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation would require winning a memory-corruption race after already having a foothold.
Local privilege escalation in the Windows Redirected Drive Buffering Subsystem (RDBSS) lets an authenticated low-privileged attacker read memory beyond an allocated buffer to elevate to higher privileges. The flaw affects a broad range of currently-supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, Windows Server 2012 through Server 2025) and carries a CVSS 7.0 (High) rating. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in Microsoft Windows arises from a use-after-free flaw (CWE-416) in the Windows Storage component, affecting Windows 10 (1809, 21H2, 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2019/2022/2025. An authorized attacker who already has low-level access to a machine can trigger the freed-memory reuse to elevate to higher privileges (CVSS 7.0, high attack complexity). Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Windows USB Print Driver affecting Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 lets an already-authenticated, low-privileged user win a race condition (CWE-362) in the driver to gain higher privileges. Microsoft has released a patch and reported the flaw itself; there is no public exploit identified at time of analysis. The high attack complexity (AC:H) reflects the timing-dependent nature of exploiting the shared-resource synchronization defect.
Local privilege escalation in the Microsoft Windows Quality Windows Audio/Video Experience (QWAVE) service lets an already-authenticated, low-privileged user elevate to higher privileges by exploiting a use-after-free (CWE-416) memory-corruption condition. The flaw spans a broad range of builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis, and the CVSS 3.1 base score is 7.0 (AV:L/AC:H/PR:L).
Local privilege escalation in Windows Hyper-V (CWE-416 use-after-free) allows an authenticated attacker already running low-privileged code on an affected host to elevate to higher privileges, with full confidentiality, integrity, and availability impact. Reported by Microsoft and affecting a broad range of Windows 10, Windows 11, and Windows Server builds including Server 2019/2022/2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Arbitrary code execution in Rockwell Automation Arena Simulation is possible through an out-of-bounds write in the siman.exe (Siman) simulation-language component, which mishandles user-supplied data when parsing a model file. An attacker who convinces a user to open a crafted Arena file can run code in the context of that user's process. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, so risk is currently theoretical rather than actively exploited.
Arbitrary code execution in Rockwell Automation Arena Simulation is possible through an out-of-bounds write in the linker.exe (Siman) component, which fails to properly validate user-supplied data parsed from simulation model files. A local attacker who convinces a user to open a specially crafted Arena file can corrupt memory and run code in the context of the current user. No public exploit has been identified at time of analysis, the issue is not in CISA KEV, and no EPSS score was provided, so real-world exploitation appears theoretical rather than observed.
Arbitrary code execution in Rockwell Automation Arena Simulation is possible through an out-of-bounds write in the expmt.exe (Siman) component, which fails to validate user-supplied data when parsing model/experiment files. A local attacker who convinces an engineer to open a malicious Arena file can run code in the context of the current user. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV; it was self-reported by Rockwell's PSIRT (advisory SD1784).
Arbitrary code execution in Rockwell Automation Arena Simulation is possible through an out-of-bounds write in the model.exe (Siman) component when a victim opens a maliciously crafted simulation model file. The flaw lets an attacker run code in the context of the current user by tricking an operator or engineer into opening a booby-trapped file, making it a client-side, file-delivery RCE rather than a remotely reachable network service bug. No public exploit has been identified at time of analysis, and no EPSS or CISA KEV data was provided, so real-world exploitation appears limited to social-engineering-driven targeting.
NVIDIA TensorRT for contains a vulnerability where a user might cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution.
HTTP/1.1 trailer leakage in Eclipse Jetty allows a remote unauthenticated attacker to read trailer headers from a previous request when sharing a persistent connection with another party. Trailers sent in an initial request are incorrectly retained in the server's connection state, causing them to bleed into all subsequent requests on the same keep-alive connection - either appended wholesale (if the later request has no trailers) or merged with the later request's own trailers. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Hidden ticket purchase bypass in Hi.Events through v1.10.0-beta allows unauthenticated remote attackers to acquire VIP, invite-only, or discounted tickets withheld from public sale by referencing hidden ticket and price IDs directly in order creation API requests. The server fails to enforce ticket visibility rules at the API layer, relying only on UI-level concealment, and sequential integer ticket IDs allow systematic enumeration from observed visible IDs. No public exploit or active exploitation (KEV) has been identified at time of analysis, but the unauthenticated network vector and low complexity make opportunistic exploitation straightforward following disclosure.
Improper TLS certificate validation in Fortinet FortiClientEMS (Endpoint Management Server) exposes sensitive information to network-positioned attackers across FortiClientEMS 7.2 (all listed builds up to 7.2.14), 7.4.0–7.4.1, and 7.4.3–7.4.5. Because the client fails to properly verify server certificates (CWE-295), an attacker able to intercept EMS communications can decrypt or observe protected traffic to disclose information. There is no public exploit identified at time of analysis and CISA SSVC scores exploitation as 'none', but Fortinet rates the flaw CVSS 9.8, so patching should be prioritized despite the lack of observed exploitation.
The reschedule endpoint in Easy!Appointments 1.5.2 and earlier exposes the complete customer database record to any party holding the 12-character appointment hash, with no authentication check and no field whitelisting on the ea_users row. These hashes are deliberately distributed to customers in reschedule emails, embedded in confirmation page URLs, and visible in operator calendar links, which means the effective attacker pool is anyone who has ever received or forwarded a booking email. The fix is available in version 1.6.0 per the GitHub security advisory; no public exploit code and no CISA KEV listing have been identified at time of analysis.
Relative path traversal in DNS Server allows an authorized attacker to execute code over an adjacent network.
Integer overflow or wraparound in Windows Spaceport.sys allows an unauthorized attacker to elevate privileges with a physical attack.
Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to execute code with a physical attack.
Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to elevate privileges with a physical attack.
ColdFusion is affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.
CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.
NVIDIA TensorRT-LLM for Linux contains a vulnerability in the multimodal media fetching functions, where a network-accessible attacker could cause server-side request forgery. A successful exploit of this vulnerability might lead to denial of service and information disclosure.
Security feature bypass in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks plugin allows a high-privileged, authenticated attacker to defeat an authorization check (CWE-863) and gain unauthorized read access to data that should be restricted. The flaw is network-reachable with low complexity, requires no user interaction, and changes scope, so the exposure can reach beyond the initially vulnerable component. There is no public exploit identified at time of analysis and no CISA KEV listing, making exploitation currently theoretical rather than observed.
Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.
Privilege escalation via heap-based buffer overflow in the Windows NTFS filesystem driver affects a broad range of Windows 10, Windows 11, and Windows Server versions, requiring only physical access to the target device - no OS credentials needed. An attacker with hands-on access to the hardware can trigger a heap overflow in NTFS processing to gain elevated privileges, potentially achieving full system compromise (High C/I/A). No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, but the combination of zero authentication requirements and critical-level impact makes it a realistic threat for physically accessible endpoints. A vendor-supplied patch is available via the Microsoft Security Response Center.
Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an unauthorized attacker to execute code with a physical attack.
Heap-based buffer overflow in Windows Kernel allows an unauthorized attacker to elevate privileges with a physical attack.
Out-of-bounds read in Citrix Secure Access Client for Windows (all versions before 26.6.1.20) enables a local low-privileged attacker to read memory beyond an allocated buffer boundary, resulting in high confidentiality impact with no integrity or availability consequence. The CVSS 4.0 score of 6.8 reflects the local attack vector and low-privilege requirement, meaning an attacker must already hold a foothold on the endpoint. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis.
Information disclosure via uninitialized resource use in Windows Remote Desktop Protocol (RDP) exposes sensitive memory contents to authenticated remote attackers across a wide range of Microsoft Windows desktop and server editions. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is exploitable over the network by any low-privileged authenticated user with no complexity or interaction requirements, yielding high confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low barrier to exploitation and the ubiquitous deployment of Windows RDP make this a meaningful patching priority.
Off-by-one memory boundary error in the Windows Remote Desktop Protocol exposes sensitive memory contents over the network to unauthenticated remote attackers on all major Windows client and server releases. The CWE-193 root cause allows the RDP parser to read one element beyond an allocated buffer boundary, yielding a high-confidentiality-impact information disclosure (C:H) with no integrity or availability consequence. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog; however, the breadth of affected Windows versions - spanning Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025 - gives this a wide potential attack surface warranting prompt patching.
Heap-based buffer overflow in Windows USB Video Driver allows an unauthorized attacker to elevate privileges with a physical attack.
Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network.