Monthly
Local privilege escalation to MySQL root in the NixOS services.mysql module (Nixpkgs, before the 25.11 and 26.05 channel fixes) lets any unprivileged local account - including web, CGI, or other service processes on the same host - authenticate as the database root@localhost user with no password when the module is deployed with the mysql or percona-server package. Because the module initialized root@localhost without socket or password authentication, the DBMS trusted any local connection as root, granting full read/write control over all databases. No public exploit code has been identified at time of analysis and it is not in CISA KEV, but exploitation is trivial for any local process meeting the precondition.
Local privilege escalation in Lima (lima-vm) before 2.1.3 lets any unprivileged user inside a guest VM reach root when the instance runs the QEMU driver with the guest agent enabled. Because the world-reachable /run/lima-guestagent.sock exposes address tunneling - including Unix sockets for privileged daemons such as D-Bus - an in-guest attacker can proxy to root-owned services and execute arbitrary commands as root. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
{{erasespamedcomments}} action, which processes a POST-supplied suppr[] array with no authorization, ownership, or CSRF check. On a default install where default_write_acl='*', an unauthenticated attacker first creates a page containing the action, then submits a cleanup request naming target page tags. A vendor patch commit exists; there is no public exploit identified at time of analysis beyond the fully working PoC included in the advisory.
Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenBus interface (CVE-2025-27464) is exposed to userspace with no security descriptor, leaving it fully accessible to any unprivileged user on a Windows guest. Because XenBus mediates communication between the guest and the hypervisor's device backend, an unprivileged local user can abuse this open interface to gain elevated privileges and potentially impact the guest and the virtualization layer. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is documented in Xen Security Advisory XSA-468.
Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenIface interface is exposed to userspace with no security descriptor, leaving it fully accessible to unprivileged users. Any low-privileged local user on an affected Windows guest can interact with this facility to gain elevated control over the system. This is one of three sibling issues (alongside CVE-2025-27462 XenCons and CVE-2025-27464 XenBus) disclosed in Xen Security Advisory XSA-468; no public exploit has been identified at time of analysis.
Local privilege escalation in the Xen Windows PV Drivers (the XenCons paravirtualized console interface) lets any unprivileged user of a Windows guest reach a device object that ships with no security descriptor, so its facilities are fully accessible to non-administrators. Successful abuse can yield full compromise of the guest with integrity, confidentiality and availability impact, and the vendor scores it critical (CVSS 4.0 base 9.4) with subsequent-system impact. There is no public exploit identified at time of analysis and it is not on CISA KEV. This is one of three related XSA-468 issues (XenCons/CVE-2025-27462, XenIface/CVE-2025-27463, XenBus/CVE-2025-27464).
Local privilege escalation to SYSTEM in Fuji Electric Pupsman before version 3.9.0 allows a low-privileged local user to drop a malicious executable into the weakly-permissioned installation directory, which is then run with SYSTEM privileges for full arbitrary code execution. Reported through JPCERT/CC (JVN JVN62347140); no public exploit identified and no active exploitation is confirmed at time of analysis. The CVSS 4.0 base score is 8.5 (High), reflecting complete confidentiality, integrity, and availability impact despite the local attack vector.
Local privilege escalation in Matrix42 Empirum (versions before 25.5 and 26.x before 26.2) lets any authenticated low-privileged user gain SYSTEM execution by abusing the PBackupVSS.exe service's named pipe. The pipe \\.\pipe\PBackupVSS is created with an overly permissive DACL granting GENERIC_READ/GENERIC_WRITE to all authenticated users, so an attacker can send crafted IPC messages that drive the SYSTEM-level service into running an attacker-supplied shadow.exe from a controlled working directory. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but exploitation is mechanically straightforward once on the host.
Credential exposure in turso-cli versions 1.0.25 and earlier allows any local user on the same host to read the Turso platform JWT stored world-readable at mode 0o644 in settings.json, granting full access to all Turso organizations the victim belongs to. The root cause is turso-cli's failure to override Viper's insecure default configPermissions before writing credentials - a deviation from the explicit 0o600 baseline established by comparable CLIs including gh, aws, docker, and gcloud. A proof-of-concept demonstrating the 0o644 mode is included in the advisory; no active exploitation is listed in CISA KEV.
Excessive user profile data disclosure in JetBrains YouTrack before 2026.2.16593 results from overly permissive default role configuration, allowing any authenticated low-privilege user to read more user profile attributes than intended. The root cause is CWE-276 (Incorrect Default Permissions), where the shipped default role grants broader read access to user directory data than the principle of least privilege requires. No public exploit or confirmed active exploitation exists at time of analysis.
Local privilege escalation to MySQL root in the NixOS services.mysql module (Nixpkgs, before the 25.11 and 26.05 channel fixes) lets any unprivileged local account - including web, CGI, or other service processes on the same host - authenticate as the database root@localhost user with no password when the module is deployed with the mysql or percona-server package. Because the module initialized root@localhost without socket or password authentication, the DBMS trusted any local connection as root, granting full read/write control over all databases. No public exploit code has been identified at time of analysis and it is not in CISA KEV, but exploitation is trivial for any local process meeting the precondition.
Local privilege escalation in Lima (lima-vm) before 2.1.3 lets any unprivileged user inside a guest VM reach root when the instance runs the QEMU driver with the guest agent enabled. Because the world-reachable /run/lima-guestagent.sock exposes address tunneling - including Unix sockets for privileged daemons such as D-Bus - an in-guest attacker can proxy to root-owned services and execute arbitrary commands as root. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
{{erasespamedcomments}} action, which processes a POST-supplied suppr[] array with no authorization, ownership, or CSRF check. On a default install where default_write_acl='*', an unauthenticated attacker first creates a page containing the action, then submits a cleanup request naming target page tags. A vendor patch commit exists; there is no public exploit identified at time of analysis beyond the fully working PoC included in the advisory.
Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenBus interface (CVE-2025-27464) is exposed to userspace with no security descriptor, leaving it fully accessible to any unprivileged user on a Windows guest. Because XenBus mediates communication between the guest and the hypervisor's device backend, an unprivileged local user can abuse this open interface to gain elevated privileges and potentially impact the guest and the virtualization layer. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is documented in Xen Security Advisory XSA-468.
Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenIface interface is exposed to userspace with no security descriptor, leaving it fully accessible to unprivileged users. Any low-privileged local user on an affected Windows guest can interact with this facility to gain elevated control over the system. This is one of three sibling issues (alongside CVE-2025-27462 XenCons and CVE-2025-27464 XenBus) disclosed in Xen Security Advisory XSA-468; no public exploit has been identified at time of analysis.
Local privilege escalation in the Xen Windows PV Drivers (the XenCons paravirtualized console interface) lets any unprivileged user of a Windows guest reach a device object that ships with no security descriptor, so its facilities are fully accessible to non-administrators. Successful abuse can yield full compromise of the guest with integrity, confidentiality and availability impact, and the vendor scores it critical (CVSS 4.0 base 9.4) with subsequent-system impact. There is no public exploit identified at time of analysis and it is not on CISA KEV. This is one of three related XSA-468 issues (XenCons/CVE-2025-27462, XenIface/CVE-2025-27463, XenBus/CVE-2025-27464).
Local privilege escalation to SYSTEM in Fuji Electric Pupsman before version 3.9.0 allows a low-privileged local user to drop a malicious executable into the weakly-permissioned installation directory, which is then run with SYSTEM privileges for full arbitrary code execution. Reported through JPCERT/CC (JVN JVN62347140); no public exploit identified and no active exploitation is confirmed at time of analysis. The CVSS 4.0 base score is 8.5 (High), reflecting complete confidentiality, integrity, and availability impact despite the local attack vector.
Local privilege escalation in Matrix42 Empirum (versions before 25.5 and 26.x before 26.2) lets any authenticated low-privileged user gain SYSTEM execution by abusing the PBackupVSS.exe service's named pipe. The pipe \\.\pipe\PBackupVSS is created with an overly permissive DACL granting GENERIC_READ/GENERIC_WRITE to all authenticated users, so an attacker can send crafted IPC messages that drive the SYSTEM-level service into running an attacker-supplied shadow.exe from a controlled working directory. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but exploitation is mechanically straightforward once on the host.
Credential exposure in turso-cli versions 1.0.25 and earlier allows any local user on the same host to read the Turso platform JWT stored world-readable at mode 0o644 in settings.json, granting full access to all Turso organizations the victim belongs to. The root cause is turso-cli's failure to override Viper's insecure default configPermissions before writing credentials - a deviation from the explicit 0o600 baseline established by comparable CLIs including gh, aws, docker, and gcloud. A proof-of-concept demonstrating the 0o644 mode is included in the advisory; no active exploitation is listed in CISA KEV.
Excessive user profile data disclosure in JetBrains YouTrack before 2026.2.16593 results from overly permissive default role configuration, allowing any authenticated low-privilege user to read more user profile attributes than intended. The root cause is CWE-276 (Incorrect Default Permissions), where the shipped default role grants broader read access to user directory data than the principle of least privilege requires. No public exploit or confirmed active exploitation exists at time of analysis.