Monthly
GitHub Actions artifact-poisoning (pwn request) in labring/FastGPT allows an external attacker who opens a pull request to smuggle attacker-controlled Docker images into privileged CI/CD pipelines. At commit 22ebfacbb43311e9b73294040ae0eb87390c6bba and earlier, artifacts built from untrusted PR code in the preview-docs-build and preview-fastgpt-build workflows are consumed by privileged workflow_run jobs, letting a malicious image be pushed to GHCR and, for documentation previews, deployed to a Kubernetes cluster using the secrets.KUBE_CONFIG_CN credential. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the flaw is trivially reachable by any contributor.
Privilege escalation in the MailOptin WordPress plugin (by properfraction) affects all versions up to and including 1.2.77.3, stemming from incorrect privilege assignment (CWE-266). An attacker can obtain elevated privileges within the WordPress site, potentially reaching administrator-level control that yields full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported by Patchstack.
Privilege escalation in the Houzez Login Register WordPress plugin (versions up to and including 3.3.3) lets remote attackers obtain a higher-privileged role than intended due to incorrect privilege assignment (CWE-266). Reported by Patchstack with a CVSS 8.2 (high) score, the flaw carries a network vector with no privileges or user interaction required and a high integrity impact. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Privilege escalation in the MailerPress WordPress plugin (versions up to and including 2.0.2) lets an authenticated low-privilege user gain higher privileges through an incorrect privilege assignment flaw. The CVSS 3.1 vector (AV:N/AC:L/PR:L) indicates a network-reachable, low-complexity attack that any authenticated user can perform, yielding full confidentiality, integrity, and availability impact - effectively a takeover of the plugin's protected functionality or the WordPress site. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported through Patchstack.
Privilege escalation in the aBlocks WordPress plugin (Kodezen LLC) through version 2.9.1 allows an authenticated low-privileged user to elevate their permissions due to incorrect privilege assignment. With a CVSS of 8.8 (AV:N/AC:L/PR:L), a subscriber- or contributor-level account can gain elevated capabilities remotely over the network. No public exploit identified at time of analysis; the issue was disclosed by Patchstack.
System principal privilege escalation in Zen Browser prior to 1.21.5b allows a malicious webpage to bypass Firefox's content-to-file security boundary by exploiting the browser's custom glance and split-view context-menu features. The 'Open link in glance' and 'Split link in new tab' actions navigate attacker-supplied file:// URLs using the System principal rather than the originating page's content principal, granting access to local filesystem contents that would be blocked by an ordinary click. A vendor-released patch exists in version 1.21.5b; no public exploit has been identified at time of analysis.
Privilege escalation via configuration synchronization in Nozomi Networks Guardian and Central Management Console (CMC) lets an authenticated low-privilege user push administrative CLI commands to managed Arc sensors, because those sensors incorrectly inherit CLI permissions during sync. Successful abuse alters device configuration and can degrade or disable sensor availability, undermining OT/ICS monitoring integrity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; risk is elevated by the network-reachable, low-privilege (PR:L) attack path against a security-critical appliance.
Incorrect privilege assignment in Gallagher Command Centre Server permits an authenticated low-privilege operator to execute operations restricted to higher-privilege roles, enabling unauthorized integrity impacts on physical security configurations. Affected versions span the 9.10 through 9.50 release lines, with patches available for 9.20-9.50 but no fix for the fully end-of-support 9.10 branch. No public exploit code exists and this vulnerability is not listed in CISA KEV; it was disclosed directly by the vendor Gallagher.
Improper authorization in SourceCodester Online Examination & Learning Management System 1.0 allows unauthenticated remote attackers to manipulate enrollment records by supplying arbitrary student_id, schedule_id, or action values to /ajax_enroll.php. The vulnerability is an Insecure Direct Object Reference (IDOR) - the application performs no ownership or privilege check before processing enrollment actions on behalf of any student. A public proof-of-concept has been disclosed (referenced by VulDB submission 850695 and GitHub advisory OE-LMS-IDOR-ajax_enroll.md); no active exploitation via CISA KEV has been confirmed at time of analysis.
Privilege escalation in Weaviate vector database versions before 1.38.0 allows a user holding only the delegated assign_and_revoke_users or assign_and_revoke_groups permission to grant the built-in admin role (or any high-privilege custom role) to itself or others, obtaining full administrative control of the database. The flaw stems from the role-assignment handlers checking only that the caller may assign roles to a target, but never verifying the caller actually holds the permissions being conferred - unlike role creation, which enforces permission subset checks. Reported by VulnCheck with a vendor patch in v1.38.0; no public exploit identified at time of analysis.
GitHub Actions artifact-poisoning (pwn request) in labring/FastGPT allows an external attacker who opens a pull request to smuggle attacker-controlled Docker images into privileged CI/CD pipelines. At commit 22ebfacbb43311e9b73294040ae0eb87390c6bba and earlier, artifacts built from untrusted PR code in the preview-docs-build and preview-fastgpt-build workflows are consumed by privileged workflow_run jobs, letting a malicious image be pushed to GHCR and, for documentation previews, deployed to a Kubernetes cluster using the secrets.KUBE_CONFIG_CN credential. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the flaw is trivially reachable by any contributor.
Privilege escalation in the MailOptin WordPress plugin (by properfraction) affects all versions up to and including 1.2.77.3, stemming from incorrect privilege assignment (CWE-266). An attacker can obtain elevated privileges within the WordPress site, potentially reaching administrator-level control that yields full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported by Patchstack.
Privilege escalation in the Houzez Login Register WordPress plugin (versions up to and including 3.3.3) lets remote attackers obtain a higher-privileged role than intended due to incorrect privilege assignment (CWE-266). Reported by Patchstack with a CVSS 8.2 (high) score, the flaw carries a network vector with no privileges or user interaction required and a high integrity impact. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Privilege escalation in the MailerPress WordPress plugin (versions up to and including 2.0.2) lets an authenticated low-privilege user gain higher privileges through an incorrect privilege assignment flaw. The CVSS 3.1 vector (AV:N/AC:L/PR:L) indicates a network-reachable, low-complexity attack that any authenticated user can perform, yielding full confidentiality, integrity, and availability impact - effectively a takeover of the plugin's protected functionality or the WordPress site. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported through Patchstack.
Privilege escalation in the aBlocks WordPress plugin (Kodezen LLC) through version 2.9.1 allows an authenticated low-privileged user to elevate their permissions due to incorrect privilege assignment. With a CVSS of 8.8 (AV:N/AC:L/PR:L), a subscriber- or contributor-level account can gain elevated capabilities remotely over the network. No public exploit identified at time of analysis; the issue was disclosed by Patchstack.
System principal privilege escalation in Zen Browser prior to 1.21.5b allows a malicious webpage to bypass Firefox's content-to-file security boundary by exploiting the browser's custom glance and split-view context-menu features. The 'Open link in glance' and 'Split link in new tab' actions navigate attacker-supplied file:// URLs using the System principal rather than the originating page's content principal, granting access to local filesystem contents that would be blocked by an ordinary click. A vendor-released patch exists in version 1.21.5b; no public exploit has been identified at time of analysis.
Privilege escalation via configuration synchronization in Nozomi Networks Guardian and Central Management Console (CMC) lets an authenticated low-privilege user push administrative CLI commands to managed Arc sensors, because those sensors incorrectly inherit CLI permissions during sync. Successful abuse alters device configuration and can degrade or disable sensor availability, undermining OT/ICS monitoring integrity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; risk is elevated by the network-reachable, low-privilege (PR:L) attack path against a security-critical appliance.
Incorrect privilege assignment in Gallagher Command Centre Server permits an authenticated low-privilege operator to execute operations restricted to higher-privilege roles, enabling unauthorized integrity impacts on physical security configurations. Affected versions span the 9.10 through 9.50 release lines, with patches available for 9.20-9.50 but no fix for the fully end-of-support 9.10 branch. No public exploit code exists and this vulnerability is not listed in CISA KEV; it was disclosed directly by the vendor Gallagher.
Improper authorization in SourceCodester Online Examination & Learning Management System 1.0 allows unauthenticated remote attackers to manipulate enrollment records by supplying arbitrary student_id, schedule_id, or action values to /ajax_enroll.php. The vulnerability is an Insecure Direct Object Reference (IDOR) - the application performs no ownership or privilege check before processing enrollment actions on behalf of any student. A public proof-of-concept has been disclosed (referenced by VulDB submission 850695 and GitHub advisory OE-LMS-IDOR-ajax_enroll.md); no active exploitation via CISA KEV has been confirmed at time of analysis.
Privilege escalation in Weaviate vector database versions before 1.38.0 allows a user holding only the delegated assign_and_revoke_users or assign_and_revoke_groups permission to grant the built-in admin role (or any high-privilege custom role) to itself or others, obtaining full administrative control of the database. The flaw stems from the role-assignment handlers checking only that the caller may assign roles to a target, but never verifying the caller actually holds the permissions being conferred - unlike role creation, which enforces permission subset checks. Reported by VulnCheck with a vendor patch in v1.38.0; no public exploit identified at time of analysis.