CWE-269

Improper Privilege Management

375 CVEs | Avg CVSS 7.7 | Source: MITRE
Severity: 70 Critical, 209 High, 83 Medium, 8 Low
PoC available: 51 | KEV: 1

CVE-2026-5144 HIGH This Week

Privilege escalation in BuddyPress Groupblog (WordPress plugin) allows authenticated attackers with Subscriber-level access to grant Administrator privileges on any blog in a Multisite network, including the main site. Exploitation leverages missing authorization checks in group blog settings handlers, enabling attackers to inject arbitrary WordPress roles (including administrator) and associate groups with any blog ID. When users join the compromised group, they are silently added to the targeted blog with the injected role. Authenticated access required (PR:L). No public exploit identified at time of analysis.

Tags: WordPress, Privilege Escalation
References: NVD, GitHub, VulDB
CVSS 3.1: 8.8 | EPSS: 0.0%
CVE-2026-33706 HIGH This Week

Privilege escalation in Chamilo LMS versions prior to 1.11.38 allows any authenticated user with a REST API key to elevate their account status from student (status=5) to teacher/course manager (status=1) by manipulating the status field through the update_user_from_username REST API endpoint. This enables unauthorized course creation and management capabilities. Authentication is required (PR:L), but once exploited, attackers gain high-integrity administrative functions within the learning management system. No public exploit identified at time of analysis.

Tags: Privilege Escalation
References: NVD, GitHub
CVSS 3.1: 7.1 | EPSS: 0.0%
CVE-2026-35595 HIGH PATCH GHSA This Week

Privilege escalation in Vikunja API (v2.2.2 and prior) allows authenticated users with Write permission on a shared project to escalate to Admin by reparenting the project under their own hierarchy. The flaw stems from an insufficient authorization check in project reparenting (CanWrite instead of IsAdmin), which causes the recursive permission CTE to grant Admin rights. Attackers can then delete projects, remove user access, and manage sharing settings. Publicly available exploit code exists.

Tags: Python, Privilege Escalation
References: NVD, GitHub
CVSS 3.1: 8.3 | EPSS: 0.0%
CVE-2026-39961 MEDIUM PATCH GHSA This Month

Aiven Operator versions 0.31.0 through 0.36.x allow developers with ClickhouseUser CRD creation permissions in their own namespace to exfiltrate secrets from arbitrary namespaces by exploiting a confused deputy vulnerability in the operator's ClusterRole. An attacker can craft a malicious ClickhouseUser resource that causes the operator to read privileged credentials (database passwords, API keys, service tokens) from production namespaces and write them into the attacker's namespace with a single kubectl apply command. The vulnerability is fixed in version 0.37.0.

Tags: Kubernetes, Privilege Escalation
References: NVD, GitHub
CVSS 3.1: 6.8 | EPSS: 0.0%
CVE-2026-35607 HIGH PATCH GHSA This Week

Auto-provisioned users in File Browser's proxy authentication flow inherit elevated execution permissions that were explicitly blocked in the self-registration flow, enabling unauthorized command execution. Versions prior to 2.63.1 grant execute capabilities to proxy-auth users from global defaults, bypassing security controls added in commit b6a4fb1. This affects File Browser instances using proxy authentication for automatic user provisioning. No public exploit identified at time of analysis, though EPSS probability warrants attention given the network-accessible attack surface and high confidentiality/integrity impact.

Tags: Privilege Escalation
References: NVD, GitHub
CVSS 3.1: 8.1 | EPSS: 0.1%
CVE-2026-5373 HIGH This Week

Improper privilege management in runZero Platform allows organization administrators to escalate privileges to superuser status. Authenticated admin users with high privileges (PR:H) can exploit this network-accessible flaw (AV:N) with user interaction (UI:R) to gain unauthorized superuser access, potentially compromising confidentiality and integrity across organizational boundaries (scope changed to C). Fixed in version 4.0.260202.0. EPSS risk data not available; no public exploit identified at time of analysis.

Tags: Privilege Escalation
References: NVD
CVSS 3.1: 8.1 | EPSS: 0.0%
CVE-2026-33727 MEDIUM This Month

Pi-hole 6.4 allows local privilege escalation to root code execution via insecure sourcing of attacker-controlled content in /etc/pihole/versions by root-run scripts. A compromised low-privilege pihole account can inject malicious code that executes with root privileges, despite the pihole account using a nologin shell. This vulnerability is fixed in version 6.4.1.

Tags: Privilege Escalation, RCE
References: NVD, GitHub
CVSS 3.1: 6.4 | EPSS: 0.0%
CVE-2026-34397 MEDIUM This Month

Local privilege escalation in Himmelblau versions 2.0.0-alpha through 2.3.8 and 3.0.0-alpha through 3.1.0 allows authenticated users to assume privileged group membership when their Azure Entra ID-mapped CN or short name collides with system group names (sudo, wheel, docker, adm, etc.). The NSS module resolves the collision to the attacker's fake primary group, potentially granting group-level privileges if the system uses NSS for authorization decisions. CVSS 6.3 (medium); no public exploit identified at time of analysis.

Tags: Microsoft, Privilege Escalation, Docker
References: NVD, GitHub
CVSS 3.1: 6.3 | EPSS: 0.0%
CVE-2026-34528 HIGH PATCH GHSA This Week

File Browser's self-registration mechanism grants arbitrary shell command execution to unauthenticated attackers when administrators enable signup alongside server-side execution. The signupHandler inherits Execute permissions and Commands lists from default user templates but only strips Admin privileges, allowing newly registered users to immediately execute arbitrary commands via WebSocket with the process's full privileges. Vendor patch available. EPSS data not provided, but the specific configuration requirement (signup + enableExec + Execute in defaults) significantly narrows the attack surface despite the network-accessible, unauthenticated attack vector (CVSS 8.1 High). No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis beyond the detailed proof-of-concept in the advisory.

Tags: Privilege Escalation, Node.js
References: NVD, GitHub
CVSS 3.1: 8.1 | EPSS: 0.1%
CVE-2026-33074 MEDIUM This Month

Discourse versions 2026.1.0-2026.1.2, 2026.2.0-2026.2.1, and 2026.3.0-pre allow authenticated users to escalate their subscription tier by purchasing a lower-cost plan while obtaining benefits reserved for higher-tier subscriptions. The vulnerability has a CVSS 6.3 score reflecting the integrity impact, requires high attack complexity and partial timing conditions, but affects confidentiality minimally. Vendor-released patches address the flaw in versions 2026.1.3, 2026.2.2, and 2026.3.0, and the exploit likely requires knowledge of the subscription grant mechanism.

Tags: Privilege Escalation
References: NVD, GitHub, VulDB
CVSS 4.0: 6.3 | EPSS: 0.0%