Skip to main content

CWE-276

Incorrect Default Permissions

1081 CVEs Avg CVSS 7.0 MITRE
92
CRITICAL
555
HIGH
390
MEDIUM
42
LOW
188
POC
2
KEV

Monthly

CVE-2026-61828 HIGH PATCH This Week

Local privilege escalation to MySQL root in the NixOS services.mysql module (Nixpkgs, before the 25.11 and 26.05 channel fixes) lets any unprivileged local account - including web, CGI, or other service processes on the same host - authenticate as the database root@localhost user with no password when the module is deployed with the mysql or percona-server package. Because the module initialized root@localhost without socket or password authentication, the DBMS trusted any local connection as root, granting full read/write control over all databases. No public exploit code has been identified at time of analysis and it is not in CISA KEV, but exploitation is trivial for any local process meeting the precondition.

Privilege Escalation Nixpkgs
NVD GitHub
CVSS 4.0
8.5
CVE-2026-53657 HIGH PATCH This Week

Local privilege escalation in Lima (lima-vm) before 2.1.3 lets any unprivileged user inside a guest VM reach root when the instance runs the QEMU driver with the guest agent enabled. Because the world-reachable /run/lima-guestagent.sock exposes address tunneling - including Unix sockets for privileged daemons such as D-Bus - an in-guest attacker can proxy to root-owned services and execute arbitrary commands as root. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Privilege Escalation Apple Lima
NVD GitHub
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-52766 PHP CRITICAL POC PATCH GHSA Act Now

{{erasespamedcomments}} action, which processes a POST-supplied suppr[] array with no authorization, ownership, or CSRF check. On a default install where default_write_acl='*', an unauthenticated attacker first creates a page containing the action, then submits a cleanup request naming target page tags. A vendor patch commit exists; there is no public exploit identified at time of analysis beyond the fully working PoC included in the advisory.

Privilege Escalation CSRF PHP
NVD GitHub
CVSS 3.1
9.1
CVE-2025-27464 CRITICAL Act Now

Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenBus interface (CVE-2025-27464) is exposed to userspace with no security descriptor, leaving it fully accessible to any unprivileged user on a Windows guest. Because XenBus mediates communication between the guest and the hypervisor's device backend, an unprivileged local user can abuse this open interface to gain elevated privileges and potentially impact the guest and the virtualization layer. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is documented in Xen Security Advisory XSA-468.

Privilege Escalation Microsoft Windows Pv Drivers
NVD
CVSS 4.0
9.4
EPSS
0.2%
CVE-2025-27463 CRITICAL Act Now

Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenIface interface is exposed to userspace with no security descriptor, leaving it fully accessible to unprivileged users. Any low-privileged local user on an affected Windows guest can interact with this facility to gain elevated control over the system. This is one of three sibling issues (alongside CVE-2025-27462 XenCons and CVE-2025-27464 XenBus) disclosed in Xen Security Advisory XSA-468; no public exploit has been identified at time of analysis.

Privilege Escalation Microsoft Windows Pv Drivers Suse
NVD
CVSS 4.0
9.4
EPSS
0.2%
CVE-2025-27462 CRITICAL Act Now

Local privilege escalation in the Xen Windows PV Drivers (the XenCons paravirtualized console interface) lets any unprivileged user of a Windows guest reach a device object that ships with no security descriptor, so its facilities are fully accessible to non-administrators. Successful abuse can yield full compromise of the guest with integrity, confidentiality and availability impact, and the vendor scores it critical (CVSS 4.0 base 9.4) with subsequent-system impact. There is no public exploit identified at time of analysis and it is not on CISA KEV. This is one of three related XSA-468 issues (XenCons/CVE-2025-27462, XenIface/CVE-2025-27463, XenBus/CVE-2025-27464).

Privilege Escalation Microsoft Windows Pv Drivers Suse
NVD
CVSS 4.0
9.4
EPSS
0.2%
CVE-2026-57895 HIGH This Week

Local privilege escalation to SYSTEM in Fuji Electric Pupsman before version 3.9.0 allows a low-privileged local user to drop a malicious executable into the weakly-permissioned installation directory, which is then run with SYSTEM privileges for full arbitrary code execution. Reported through JPCERT/CC (JVN JVN62347140); no public exploit identified and no active exploitation is confirmed at time of analysis. The CVSS 4.0 base score is 8.5 (High), reflecting complete confidentiality, integrity, and availability impact despite the local attack vector.

Privilege Escalation RCE Pupsman
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-57919 HIGH This Week

Local privilege escalation in Matrix42 Empirum (versions before 25.5 and 26.x before 26.2) lets any authenticated low-privileged user gain SYSTEM execution by abusing the PBackupVSS.exe service's named pipe. The pipe \\.\pipe\PBackupVSS is created with an overly permissive DACL granting GENERIC_READ/GENERIC_WRITE to all authenticated users, so an attacker can send crafted IPC messages that drive the SYSTEM-level service into running an attacker-supplied shadow.exe from a controlled working directory. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but exploitation is mechanically straightforward once on the host.

Privilege Escalation N A
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-48790 Go MEDIUM POC PATCH GHSA This Month

Credential exposure in turso-cli versions 1.0.25 and earlier allows any local user on the same host to read the Turso platform JWT stored world-readable at mode 0o644 in settings.json, granting full access to all Turso organizations the victim belongs to. The root cause is turso-cli's failure to override Viper's insecure default configPermissions before writing credentials - a deviation from the explicit 0o600 baseline established by comparable CLIs including gh, aws, docker, and gcloud. A proof-of-concept demonstrating the 0o644 mode is included in the advisory; no active exploitation is listed in CISA KEV.

Privilege Escalation Apple Docker
NVD GitHub
CVSS 3.1
5.5
CVE-2026-57924 MEDIUM PATCH This Month

Excessive user profile data disclosure in JetBrains YouTrack before 2026.2.16593 results from overly permissive default role configuration, allowing any authenticated low-privilege user to read more user profile attributes than intended. The root cause is CWE-276 (Incorrect Default Permissions), where the shipped default role grants broader read access to user directory data than the principle of least privilege requires. No public exploit or confirmed active exploitation exists at time of analysis.

Privilege Escalation Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVSS 8.5
HIGH PATCH This Week

Local privilege escalation to MySQL root in the NixOS services.mysql module (Nixpkgs, before the 25.11 and 26.05 channel fixes) lets any unprivileged local account - including web, CGI, or other service processes on the same host - authenticate as the database root@localhost user with no password when the module is deployed with the mysql or percona-server package. Because the module initialized root@localhost without socket or password authentication, the DBMS trusted any local connection as root, granting full read/write control over all databases. No public exploit code has been identified at time of analysis and it is not in CISA KEV, but exploitation is trivial for any local process meeting the precondition.

Privilege Escalation Nixpkgs
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Local privilege escalation in Lima (lima-vm) before 2.1.3 lets any unprivileged user inside a guest VM reach root when the instance runs the QEMU driver with the guest agent enabled. Because the world-reachable /run/lima-guestagent.sock exposes address tunneling - including Unix sockets for privileged daemons such as D-Bus - an in-guest attacker can proxy to root-owned services and execute arbitrary commands as root. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Privilege Escalation Apple Lima
NVD GitHub
CVSS 9.1
CRITICAL POC PATCH Act Now

{{erasespamedcomments}} action, which processes a POST-supplied suppr[] array with no authorization, ownership, or CSRF check. On a default install where default_write_acl='*', an unauthenticated attacker first creates a page containing the action, then submits a cleanup request naming target page tags. A vendor patch commit exists; there is no public exploit identified at time of analysis beyond the fully working PoC included in the advisory.

Privilege Escalation CSRF PHP
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL Act Now

Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenBus interface (CVE-2025-27464) is exposed to userspace with no security descriptor, leaving it fully accessible to any unprivileged user on a Windows guest. Because XenBus mediates communication between the guest and the hypervisor's device backend, an unprivileged local user can abuse this open interface to gain elevated privileges and potentially impact the guest and the virtualization layer. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is documented in Xen Security Advisory XSA-468.

Privilege Escalation Microsoft Windows Pv Drivers
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenIface interface is exposed to userspace with no security descriptor, leaving it fully accessible to unprivileged users. Any low-privileged local user on an affected Windows guest can interact with this facility to gain elevated control over the system. This is one of three sibling issues (alongside CVE-2025-27462 XenCons and CVE-2025-27464 XenBus) disclosed in Xen Security Advisory XSA-468; no public exploit has been identified at time of analysis.

Privilege Escalation Microsoft Windows Pv Drivers +1
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Local privilege escalation in the Xen Windows PV Drivers (the XenCons paravirtualized console interface) lets any unprivileged user of a Windows guest reach a device object that ships with no security descriptor, so its facilities are fully accessible to non-administrators. Successful abuse can yield full compromise of the guest with integrity, confidentiality and availability impact, and the vendor scores it critical (CVSS 4.0 base 9.4) with subsequent-system impact. There is no public exploit identified at time of analysis and it is not on CISA KEV. This is one of three related XSA-468 issues (XenCons/CVE-2025-27462, XenIface/CVE-2025-27463, XenBus/CVE-2025-27464).

Privilege Escalation Microsoft Windows Pv Drivers +1
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation to SYSTEM in Fuji Electric Pupsman before version 3.9.0 allows a low-privileged local user to drop a malicious executable into the weakly-permissioned installation directory, which is then run with SYSTEM privileges for full arbitrary code execution. Reported through JPCERT/CC (JVN JVN62347140); no public exploit identified and no active exploitation is confirmed at time of analysis. The CVSS 4.0 base score is 8.5 (High), reflecting complete confidentiality, integrity, and availability impact despite the local attack vector.

Privilege Escalation RCE Pupsman
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Matrix42 Empirum (versions before 25.5 and 26.x before 26.2) lets any authenticated low-privileged user gain SYSTEM execution by abusing the PBackupVSS.exe service's named pipe. The pipe \\.\pipe\PBackupVSS is created with an overly permissive DACL granting GENERIC_READ/GENERIC_WRITE to all authenticated users, so an attacker can send crafted IPC messages that drive the SYSTEM-level service into running an attacker-supplied shadow.exe from a controlled working directory. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but exploitation is mechanically straightforward once on the host.

Privilege Escalation N A
NVD
CVSS 5.5
MEDIUM POC PATCH This Month

Credential exposure in turso-cli versions 1.0.25 and earlier allows any local user on the same host to read the Turso platform JWT stored world-readable at mode 0o644 in settings.json, granting full access to all Turso organizations the victim belongs to. The root cause is turso-cli's failure to override Viper's insecure default configPermissions before writing credentials - a deviation from the explicit 0o600 baseline established by comparable CLIs including gh, aws, docker, and gcloud. A proof-of-concept demonstrating the 0o644 mode is included in the advisory; no active exploitation is listed in CISA KEV.

Privilege Escalation Apple Docker
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Excessive user profile data disclosure in JetBrains YouTrack before 2026.2.16593 results from overly permissive default role configuration, allowing any authenticated low-privilege user to read more user profile attributes than intended. The root cause is CWE-276 (Incorrect Default Permissions), where the shipped default role grants broader read access to user directory data than the principle of least privilege requires. No public exploit or confirmed active exploitation exists at time of analysis.

Privilege Escalation Youtrack
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy