Privilege Escalation
Monthly
Stale render context retention in ViewComponent::Base allows lower-privileged users to receive privileged UI from a prior admin render when component instances are reused across requests, tenants, or threads. Affected versions 4.0.0 through 4.11.x of the rubygems/view_component package fail to reset request-scoped instance variables between render_in calls, enabling cross-user authorization bypass, stale Host header injection into generated URLs, slot child context leakage, and cross-thread context corruption. A detailed publicly available proof-of-concept confirms all four impact vectors; no KEV listing is present, but the exploitability in realistic shared-registry patterns is directly demonstrated.
Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-only Meteor methods that lack the admin authorization checks applied to their non-OIDC counterparts. By calling setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin over DDP, a low-privileged user can create or modify organizations and teams, and - when PROPAGATE_OIDC_DATA is enabled - groupRoutineOnLogin can grant that user global admin. No public exploit identified at time of analysis; the vendor fix (v9.32) is confirmed and the flaw carries a CVSS 4.0 base score of 7.6.
Improper privilege management in TDengine Cloud DB prior to 3.4.1.15 allows an authenticated Data Reader admin_user to execute `create udf` (user-defined function) commands that should be restricted to higher-privilege roles. While the same role is correctly denied `show dnodes` and `create user`, the UDF creation permission was left ungated, creating a privilege escalation path within the database engine. No public exploit code has been identified at time of analysis, and this CVE has not been added to the CISA KEV catalog.
Local credential theft in the garminconnect Python library (versions <= 0.3.4) stems from writing its OAuth token store to disk without an explicit file mode, so under the default umask 022 the file garmin_tokens.json - containing the DI refresh token - is created world-readable (0o644). Any unprivileged co-tenant on a shared Linux or macOS host can read the token and exchange it at Garmin's OAuth endpoint for fresh access tokens, gaining persistent access to the victim's Garmin Connect account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix in 0.3.5 is confirmed and the issue is trivially reproducible under default configuration.
{providerId} to drive organization provisioning, effectively escalating toward organization takeover. No public exploit identified at time of analysis; the flaw is fixed in 1.6.11 which adds the missing role check.
Privilege escalation to NT AUTHORITY\SYSTEM is achievable on Windows systems hosting the Pegatron Tdelo64.sys kernel-mode driver, which exposes the \\.\TdeIo device interface without enforcing caller privilege checks or validating user-supplied kernel memory addresses in its IOCTL dispatcher. Any local user can open the device interface and send crafted IOCTL requests to perform arbitrary kernel memory read and write operations, enabling full system compromise including credential theft and security product bypass. No public exploit code or CISA KEV listing has been identified at time of analysis; the vulnerability was reported to CERT/CC (VU#529388), and the provided CVSS score of 6.2 materially understates the real-world impact given the described kernel write capability.
Local privilege escalation to MySQL root in the NixOS services.mysql module (Nixpkgs, before the 25.11 and 26.05 channel fixes) lets any unprivileged local account - including web, CGI, or other service processes on the same host - authenticate as the database root@localhost user with no password when the module is deployed with the mysql or percona-server package. Because the module initialized root@localhost without socket or password authentication, the DBMS trusted any local connection as root, granting full read/write control over all databases. No public exploit code has been identified at time of analysis and it is not in CISA KEV, but exploitation is trivial for any local process meeting the precondition.
Permission control failure in the Bluetooth module of Huawei HarmonyOS and EMUI exposes devices to local exploitation that can degrade Bluetooth service availability and leak limited data. The flaw, classified under CWE-264, allows a local process operating without elevated privileges to bypass Bluetooth permission enforcement, potentially disrupting connectivity or reading restricted information. No public exploit or CISA KEV listing exists at time of analysis, but Huawei has disclosed this via its July 2026 security bulletin.
Unvalidated chown in Samba's pam_winbind module allows a local user with narrow sudo delegation to transfer ownership of the root filesystem directory to a system account, causing system-wide denial of service on Red Hat Enterprise Linux 6 through 10. When mkhomedir is enabled and a system account has its home directory set to '/', any PAM-triggered authentication event run as that account via sudo invokes the chown without path sanitization. The resulting ownership change breaks SSH, sudo, and package-manager functionality, though the 0555 permissions on RHEL prevent write access escalation, confining the impact to high-severity availability loss. No public exploit or CISA KEV listing is identified at time of analysis.
Permission bypass in the HarmonyOS card module allows a local, unprivileged user - with required user interaction - to circumvent access controls, resulting in high availability impact alongside limited confidentiality and integrity exposure. The vulnerability affects Huawei HarmonyOS across all tracked versions per CPE data and is documented in Huawei's July 2026 security bulletin. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping real-world risk constrained to local attack scenarios.
Privilege escalation in phpMyFAQ before 4.1.5 lets a delegated administrator holding USER_ADD/EDIT/DELETE rights mint a full SuperAdmin account through the POST /admin/api/user/add endpoint, resulting in complete instance takeover. The flaw stems from a missing SuperAdmin authorization guard, allowing a lower-privileged operator to submit isSuperAdmin: true with attacker-chosen credentials and then log in as that account. Reported by VulnCheck; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Elevation of privileges in Dell PowerScale OneFS versions 9.5.0.0-9.10.1.7 and 9.11.0.0-9.13.0.2 allows a high-privileged local attacker to escalate beyond their authorized access level due to improper privilege management (CWE-269). While the CVSS 3.1 base score of 6.7 reflects the local access and high-privilege prerequisites that constrain exploitability, the full C:H/I:H/A:H impact triad signals complete system compromise upon successful exploitation - a serious outcome for enterprise NAS infrastructure that frequently stores sensitive organizational data. No public exploit code or CISA KEV listing has been identified at time of analysis.
Predictable default credentials in Ciena's Navigator Network Control Suite (NCS), Manage Control Plane (MCP), and Planner Plus OnPrem expose hidden system accounts used for internal software operations to remote attackers. These accounts carry limited permissions in isolation, but their known default passwords give an attacker a foothold that can be chained with other weaknesses to escalate privilege on the management system. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, so exploitation remains theoretical rather than demonstrated.
Privilege escalation in Adobe ColdFusion 2023 (through Update 21) and ColdFusion 2025 (through Update 10) allows a remote, unauthenticated attacker to bypass authorization checks and gain unauthorized read and write access. Because the CVSS vector marks scope as changed (S:C) with PR:N and no user interaction, the attacker can act beyond the ColdFusion application boundary, yielding the maximum CVSS base score of 10.0. No public exploit is identified at time of analysis, and EPSS is low at 0.24% (15th percentile), indicating no observed weaponization yet despite the critical rating.
Privilege escalation in Woodpecker CI (v1.0.0 through v3.15.0) running the Kubernetes backend lets any user with Push permission on a connected repository set the pipeline pod's serviceAccountName to an arbitrary ServiceAccount in the pipeline namespace, inheriting its RBAC rights. Because the option was passed straight to the pod spec with no admin gating, a low-privilege contributor can pivot to a privileged ServiceAccount and exfiltrate secrets (DB credentials, API keys, TLS certs) or take over the cluster. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the fix is available in v3.16.0 via a default-off gating flag.
Stored cross-site scripting in EasyAdminBundle (Symfony admin generator) versions 5.0.0 through 5.0.12 allows a lower-privileged user with access to a form using FileField or ImageField to upload a browser-executable .html or .svg file that EasyAdmin then links to inline, executing attacker-controlled JavaScript in a viewing administrator's authenticated session. Impact includes session/CSRF-token theft and privilege escalation; it is explicitly NOT remote code execution because filenames come from Symfony's guessExtension(). There is no public exploit identified at time of analysis and it is not in CISA KEV; a vendor patch is available in 5.0.13.
Unauthenticated arbitrary file write in OpenCost (all versions up to and including releases before 1.119.1) lets remote clients POST to the /serviceKey endpoint and overwrite the GCP service account key file (key.json) with attacker-controlled content, with no authentication and no input validation. An attacker can either corrupt the credential file to break GCP cost collection or inject their own valid service-account key to redirect the target's billing/cost data to an attacker-owned GCP project. Publicly available exploit code exists (a full reproducible PoC is in the GHSA advisory); no public evidence of active exploitation and no CISA KEV listing.
Local privilege escalation in the Windows Group Policy component allows an already-authenticated user to elevate to higher privileges (up to SYSTEM) on affected Windows 10, Windows 11, and Windows Server 2012-2025 systems. The flaw stems from improper privilege management (CWE-269) and is reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 7.8 and full confidentiality, integrity, and availability impact, it is a strong candidate for the monthly patch cycle on endpoints and domain-joined servers.
Local privilege escalation in the Microsoft Install Service (Windows Installer) affects supported Windows 10, Windows 11, and Windows Server 2019-2025 builds, letting an already-authenticated local user with limited rights (PR:L) elevate to SYSTEM. The flaw stems from improper privilege management (CWE-269) in how the service handles operations, yielding full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Improper privilege management in Microsoft Windows DNS allows an authorized attacker to bypass a security feature locally.
Local privilege escalation in Microsoft Windows WalletService allows an authenticated low-privileged attacker to gain SYSTEM-level rights on the host, per CVSS:3.1 AV:L/AC:L/PR:L (7.8, High). The flaw stems from improper privilege management (CWE-269) in the WalletService component and affects a broad range of Windows client and server builds. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch from Microsoft is available.
A privilege escalation vulnerability exists in the HTTP authentication component in Archer VX1800v v1. Improper handling of user-controlled input may allow newline characters to be injected into internally constructed configuration data. An authenticated user with sufficient privileges may be able to modify account settings and gain elevated administrative privileges.
Privilege escalation in Fortinet FortiSIEM Windows Agent 7.4.0 through 7.4.1 stems from an improper restriction of the agent's communication channel (CWE-923), letting an adjacent-network attacker interact with an endpoint that should be limited to trusted parties and thereby gain elevated privileges with full confidentiality, integrity, and availability impact. The flaw was disclosed by Fortinet PSIRT (FG-IR-26-155) and carries a CVSS 7.5 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is gated by high attack complexity, which materially reduces real-world likelihood despite the unauthenticated vector.
Local privilege escalation and kernel memory corruption in Zephyr RTOS on Xtensa SoCs (v3.7.0 through v4.4.0) built with CONFIG_XTENSA_MPU and CONFIG_USERSPACE, where arch_buffer_validate() fails open on an integer-overflow edge case, letting an unprivileged user thread trick the kernel into reading or writing arbitrary kernel/partition memory on its behalf. The flaw stems from a default-permit return value combined with a ROUND_UP address-space wrap that skips the MPU probe loop entirely, and it is not caught by the existing syscall-layer overflow guards. Vendor patch is available; no public exploit identified at time of analysis, and this is not in CISA KEV.
Local privilege escalation in the Citrix Secure Access Client and Citrix Endpoint Analysis (EPA) Client for Windows allows a low-privileged local user to gain higher (likely SYSTEM-level) privileges through improper privilege management (CWE-269). It affects Secure Access Client for Windows before 26.6.1.20 and Endpoint Analysis Client for Windows before 26.5.1.7, both of which run privileged Windows service/agent components on the endpoint. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Citrix rates the flaw high severity (CVSS 4.0 base 8.5) given full confidentiality, integrity, and availability impact once exploited.
Privilege escalation in Checkmk's mk_sap_hana agent plugin allows a local unprivileged user to execute arbitrary commands as root by planting a process whose name mimics a SAP HANA instance. The plugin, when running as root under the RUNAS=agent configuration and lacking explicit database configuration, blindly reads the OS process list to derive SAP HANA instance identifiers and injects them unsanitized into a shell command executed with root privileges - a textbook CWE-78 OS command injection. No public exploit code or CISA KEV listing exists at time of analysis, but the attack prerequisites are achievable on any misconfigured Checkmk deployment that monitors SAP environments.
Local privilege escalation in Siemens' IAM Client SDK, a shared authentication component bundled across a wide range of Siemens engineering and PLM products (Solid Edge, Teamcenter Visualization, Simcenter, Tecnomatix, COMOS, Designcenter NX), allows an authenticated local user to load attacker-controlled code through an untrusted search path (CWE-426) and gain elevated privileges. The flaw carries a CVSS 4.0 base score of 8.5 and requires only low local privileges with no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
SQL injection and input-validation weaknesses in the Snowflake Spark Connector (spark-snowflake) before version 3.2.1 let attackers exfiltrate OAuth client credentials, run arbitrary SQL under the connector's Snowflake role, and redirect COPY data-loading operations to attacker-controlled storage. Reported by Snowflake, the flaws are most dangerous in shared/multi-tenant Spark clusters where injected SQL executes with the cluster admin's JDBC credentials, enabling credential theft and privilege escalation. Rated CVSS 4.0 9.2 (Critical); no public exploit identified at time of analysis.
Local privilege escalation in the openSUSE Tumbleweed packaging of Suricata allows the unprivileged 'suricata' service account to gain root through a symbolic-link following flaw (CWE-61) in files or directories the package manages with predictable, service-writable paths. Any actor already holding the suricata user context - for example via a compromised or misconfigured IDS/IPS process - can plant a symlink that redirects a root-executed operation to a target of their choosing, yielding full system compromise. The CVSS 4.0 exploit-maturity metric is set to Proof-of-Concept (E:P); there is no evidence of active exploitation in CISA KEV, and no public exploit identified at time of analysis.
Local privilege escalation in Glarysoft Glary Utilities lets an already-present low-privileged attacker abuse the Disk Clean feature to delete arbitrary files and ultimately execute code as SYSTEM. Discovered and reported through the Zero Day Initiative (ZDI-26-402, ZDI-CAN-27004), it stems from the privileged cleanup service following filesystem junctions (CWE-59) planted by the attacker. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but ZDI-sourced advisories are typically high-fidelity and reproducible.
Privilege escalation in OpenClaw 2026.5.20 through 2026.6.8 lets an already-authenticated, lower-trust caller abuse the plugin install command path to execute or persist actions beyond their intended authorization. The root cause is an incorrect permission assignment (CWE-732) on plugin installation, and the CVSS 4.0 vector (PR:L, UI:N, AV:N) shows a low-privileged remote actor can achieve high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the CVE is not in CISA KEV, but a GitHub Security Advisory (GHSA-7vrr-rp4x-4g76) and a VulnCheck advisory document it.
Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized request parameter names and values reflected into JavaScript-string and HTML-attribute contexts on endpoints such as /FamilyCustomFieldsEditor.php, /PaddleNumList.php, and /admin/system/church-info. When a victim (especially an administrator) follows a crafted link, the payload executes in their session, enabling session-token theft, account takeover, and exposure of church member data. No public exploit identified at time of analysis, and the CVSS 4.0 vector (PR:N/UI:A) indicates unauthenticated triggering but requires victim interaction.
Stored cross-site scripting in the NukeViet CMS News module (versions before 4.6.00) lets any authenticated user with news-posting permission persist arbitrary JavaScript that runs in the browser of every visitor, including administrators. Two independent filter bypasses defeat the built-in anti-XSS routines in NukeViet\Core\Request: a Form Feed (\x0C) prefix slips event-handler attributes past the /^on/ check, and a decimal HTML-entity tab (	) smuggles a javascript: URI past the keyword filter. Publicly available exploit payloads exist in the vendor advisory; there is no evidence of active exploitation and no EPSS figure was supplied.
Vertical privilege escalation in Shiori (go-shiori), the self-hosted Go bookmark manager, lets any authenticated low-privilege user promote themselves to administrator. By sending a crafted PATCH request to the /api/v1/auth/account update endpoint with owner: true - a field that lacked an authorization check - the user flips their own owner flag, then re-authenticates to receive an admin JWT granting full system access. Disclosed by VulnCheck with a vendor fix committed upstream; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored cross-site scripting in NukeViet CMS 4.x through 4.5.08 lets a low-privileged authenticated member embed a JavaScript payload in their profile display name (first_name/last_name), which then executes when any visitor - including administrators - clicks the Reply/Answer link on that member's comment. The flaw stems from HTML-entity encoding being applied where JavaScript-string escaping is required, so the payload runs in the victim's session context and can drive admin session actions, credential phishing, and data exfiltration. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), though there is no public exploit identified as actively used in the wild.
Privilege escalation in the Apache Airflow FAB auth manager (apache-airflow-providers-fab before 3.7.2) lets a low-privileged user who is granted per-DAG access to a DAG literally named 'DAGs' silently receive the global all-DAGs permission, gaining read and edit access to every DAG in the deployment. The flaw stems from a resource-name collision in resource_name(), where the reserved global resource string 'DAGs' is indistinguishable from a legitimate dag_id of the same value. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Privilege escalation in Red Hat OpenShift's incluster-checks diagnostic tool lets any authenticated user holding the standard 'edit' RBAC role escalate to root on the underlying cluster nodes. The tool provisions privileged debug pods with host-filesystem access inside the shared default namespace, so a low-privileged tenant can simply exec into an existing pod and break out to the host. No public exploit identified at time of analysis, and no CISA KEV listing; EPSS data was not provided in the source intelligence.
Privilege escalation in the MailOptin WordPress plugin (by properfraction) affects all versions up to and including 1.2.77.3, stemming from incorrect privilege assignment (CWE-266). An attacker can obtain elevated privileges within the WordPress site, potentially reaching administrator-level control that yields full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported by Patchstack.
Privilege escalation in the Houzez Login Register WordPress plugin (versions up to and including 3.3.3) lets remote attackers obtain a higher-privileged role than intended due to incorrect privilege assignment (CWE-266). Reported by Patchstack with a CVSS 8.2 (high) score, the flaw carries a network vector with no privileges or user interaction required and a high integrity impact. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Privilege escalation in the MailerPress WordPress plugin (versions up to and including 2.0.2) lets an authenticated low-privilege user gain higher privileges through an incorrect privilege assignment flaw. The CVSS 3.1 vector (AV:N/AC:L/PR:L) indicates a network-reachable, low-complexity attack that any authenticated user can perform, yielding full confidentiality, integrity, and availability impact - effectively a takeover of the plugin's protected functionality or the WordPress site. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported through Patchstack.
Privilege escalation in the aBlocks WordPress plugin (Kodezen LLC) through version 2.9.1 allows an authenticated low-privileged user to elevate their permissions due to incorrect privilege assignment. With a CVSS of 8.8 (AV:N/AC:L/PR:L), a subscriber- or contributor-level account can gain elevated capabilities remotely over the network. No public exploit identified at time of analysis; the issue was disclosed by Patchstack.
Privilege escalation in D-Link DIR-1253 firmware v1.0.1.250923.142435 stems from improper handling of the /etc/shadow file - the store of hashed local credentials - letting an attacker obtain or elevate to root-level access on the device. Publicly available exploit code exists (referenced via the zuh.re/codeberg advisory), but there is no public exploit identified as actively exploited and the CVE is not on the CISA KEV list. The published CVSS of 9.8 (AV:N) appears optimistic given that the core issue centers on a local system credential file, so the true remote-unauthenticated reach should be verified against the vendor advisory.
Kernel memory corruption in the Zephyr RTOS (versions v1.14.0 through v4.4.0) lets an unprivileged user-mode thread corrupt the kernel's dynamic object-tracking list across the userspace security boundary. The flaw is a use-after-free race (CWE-416) in the obj_list traversal, exploitable only on builds combining CONFIG_SMP, CONFIG_USERSPACE, and CONFIG_DYNAMIC_OBJECTS, and can yield privilege escalation or a kernel crash. No public exploit identified at time of analysis; a vendor patch is available.
Privilege escalation to root in OpenWrt's luci-app-samba4 (LuCI web interface) lets authenticated delegated users invoke the root-owned Samba daemon with attacker-controlled arguments. The package's 'read' ACL improperly grants file.exec permission on /usr/sbin/smbd, so a low-privileged operator can launch smbd with global options like 'message command' and achieve arbitrary command execution as root when SMB messages are processed. Reported by VulnCheck with a GHSA advisory published; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in Capgo before 12.128.2 lets demoted super_admin users retain organization-wide bundle management rights because the org_users.user_right column is not cleared when their role binding is deleted. A user who once held super_admin can continue invoking the delete_non_compliant_bundles and count_non_compliant_bundles RPCs to enumerate and bulk-delete non-compliant bundles across the entire organization indefinitely, well after their privileges were supposedly revoked. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.
Privilege escalation in the Genolve AI image and video generation plugin for WordPress (all versions through 5.0.5) lets authenticated users with Contributor-level access or above update arbitrary WordPress options because the genolve_setOpt() function performs no capability check. By enabling the users_can_register option and setting default_role to administrator, a low-privileged user can register a new administrator account and fully take over the site. Reported by Wordfence with a CVSS of 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Account takeover in the SureCart e-commerce plugin for WordPress (versions ≤ 4.2.3) lets unauthenticated attackers overwrite the email address of any WordPress user linked to a SureCart customer record during webhook-driven customer profile synchronization. Because the plugin does not verify the requester's identity before applying the update, an attacker who knows a victim's customer ID - including that of an administrator - can change the account email, trigger a password reset, and seize the account. No public exploit is identified at time of analysis, but the flaw was reported by Wordfence and carries a CVSS of 8.1.
Privilege escalation in the Simple JWT Login WordPress plugin (all versions through 3.6.6) lets an authenticated subscriber-level user forge an Administrator session by injecting arbitrary identity claims into the JWT payload. Because AuthenticateService::generatePayload() only overwrites payload keys that appear in the admin-configured jwt_payload allowlist, attacker-supplied claims such as email, id, or username survive and are signed with the site's HS256 secret; the token is then redeemed at /autologin to log in as any administrator. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.
Privilege escalation in the WP Grid Builder WordPress plugin (versions ≤ 2.3.3) lets an authenticated Subscriber-or-above user promote their own account to Administrator by sending a crafted nested-array payload to the `/wp-json/wpgb/v2/metadata` REST endpoint. The endpoint's `update()` handler lacks both an authorization check and meta-key validation, so an attacker can overwrite their own `wp_capabilities` user meta. No public exploit has been identified at time of analysis, and the flaw is not on CISA KEV; with CVSS 8.8 and low attack complexity, it is a high-priority patch for any site running this plugin.
Authentication bypass in the Hydro-Québec Le Circuit Électrique EV charging station backend lets remote unauthenticated attackers open connections directly to the charging-station WebSocket endpoint, which lacks proper access control (CWE-284), and leverage that access for privilege escalation. All backend versions prior to the June 2026 fix are affected, and the CVSS 4.0 base score of 9.3 (critical) reflects full compromise of confidentiality, integrity, and availability over the network with no privileges or user interaction. Reported through CISA ICS-CERT (ICSA-26-188-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in Imagination Technologies' Graphics DDK GPU driver allows kernel-level software inside a Host VM to post malformed commands to the GPU firmware, forcing an improper GPU register access that can be leveraged to gain elevated privileges. The flaw (CWE-280, improper handling of permissions) affects multiple DDK release branches from 1.18 through 26.1 and is rated CVSS 7.8 (local, low complexity). There is no public exploit identified at time of analysis, and its EPSS probability is low (0.14%).
Privilege escalation in Logto's self-hosted SAML IdP (before 1.41.0) lets an authenticated low-privilege user forge signed SAML attributes such as roles, enabling elevated access at any relying Service Provider that authorizes on SAML attributes. Because user-controlled profile fields (name, email, custom attribute-mapping values) were string-substituted into an unescaped XML template via samlify 2.10.0, an attacker embeds XML markup that Logto then cryptographically signs as legitimate. Rated CVSS 8.5 with scope change; no public exploit identified at time of analysis, but the fix is confirmed in release v1.41.0 with a corresponding GitHub advisory and commit.
Arbitrary Python code execution in BabelDOC (funstory-ai, pip package `babeldoc`) prior to 0.6.3 allows an attacker to run code in the context of the translation process by having a victim process a crafted PDF. The vendored pdfminer CMap loader (`cmapdb.py::_load_data`) strips only NUL bytes from a PDF-controlled CMap/Encoding name and passes it to `pickle.loads()`, so a hex-encoded absolute path in the PDF's `/Encoding` name redirects deserialization to an attacker-planted `.pickle.gz` file. A detailed, working proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no public evidence of active exploitation at time of analysis.
Improper permission handling in Snipe-IT before 8.6.0 lets a privileged user strip another user's administrative or granular permissions when editing their account. Because UsersController::update() treats a missing permissions field as a sparse payload rather than a no-op, an administrator editing another administrator — or any user holding users.edit editing a regular account — can silently wipe the target's privileges. No public exploit identified at time of analysis; this is an authenticated integrity/availability issue rather than a remote takeover.
Privilege escalation in Adam Retail Automation's MobilMen 20T (versions v3 through build 10072026) lets an authenticated low-privileged user manipulate a user-controlled key (CWE-639) to access resources or actions belonging to other, higher-privileged accounts. The flaw carries CVSS 8.8 and was reported by Turkey's national CERT (TR-CERT), but no public exploit identified at time of analysis and it is not in CISA KEV. The vendor was contacted but did not respond, so no coordinated fix is confirmed.
Local privilege escalation in Lima (lima-vm) before 2.1.3 lets any unprivileged user inside a guest VM reach root when the instance runs the QEMU driver with the guest agent enabled. Because the world-reachable /run/lima-guestagent.sock exposes address tunneling - including Unix sockets for privileged daemons such as D-Bus - an in-guest attacker can proxy to root-owned services and execute arbitrary commands as root. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard (unprivileged) user escalate to SYSTEM by planting a maliciously crafted process whose Process Environment Block (PEB) contains oversized command-line or current-directory strings. When the osquery agent - typically running as SYSTEM - queries the `processes` table against that process, unchecked PEB string lengths trigger a heap-based out-of-bounds write (CWE-122). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard user escalate to SYSTEM by planting a maliciously crafted binary and having the authenticode table query it, triggering a heap out-of-bounds write in the getOriginalProgramName publisher-parsing routine. The flaw is a CWE-122 heap buffer overflow reachable whenever osquery (typically running as SYSTEM) evaluates authenticode publisher metadata against attacker-controlled files. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.
Privilege escalation in Apache IoTDB 2.0.8 through 2.0.9 allows any authenticated low-privilege user to rename their own account to the reserved '__internal_auditor' identity and thereby inherit full tree-path access across all stored time-series data. The flaw stems from the system trusting a reserved auditor username without protecting it from ordinary user-driven renames, so a normal database user can self-promote to auditor-level authority. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported and fixed by the Apache project in 2.0.10.
Privilege escalation in the WP Business Intelligence Lite WordPress plugin (all versions through 3.2.0) allows authenticated Subscriber-level users to tamper with stored SQL queries because the plugin fails to enforce a capability/authorization check on the query-modification action (CWE-862). When an administrator later views the maliciously altered query, the attacker's arbitrary SQL executes in the admin context, enabling account takeover or full site compromise. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported through the Wordfence threat intelligence program.
An issue in Invixium IXM WEB v.2.3.85.25 allows an attacker to escalate privileges via the /SystemUsers/CreateAppUser components
Privilege escalation in Discourse (the open-source discussion platform) lets a newly registered user obtain whisper-group ('whisperer') privileges by supplying a primary_group_id during the signup flow, without ever being a legitimate member of that group. Exploitation only matters on sites that have configured whispers_allowed_groups, and success grants read access to staff-only whisper posts (a confidentiality-focused impact). EPSS is low (0.31%, 23rd percentile) and there is no public exploit identified at time of analysis, but the fix commits and GitHub advisory GHSA-vmwq-jvxx-jwfx confirm the flaw and its remediation.
{{erasespamedcomments}} action, which processes a POST-supplied suppr[] array with no authorization, ownership, or CSRF check. On a default install where default_write_acl='*', an unauthenticated attacker first creates a page containing the action, then submits a cleanup request naming target page tags. A vendor patch commit exists; there is no public exploit identified at time of analysis beyond the fully working PoC included in the advisory.
Privilege escalation in Palo Alto Networks Prisma® Browser on macOS enables a locally authenticated administrator with access to the local filesystem to perform actions at root privilege level. The vulnerability is scoped exclusively to macOS deployments of Prisma Browser - no other platforms or Palo Alto products are implicated per the advisory. No public exploit identified at time of analysis; the CVSS 4.0 base score of 2.0 reflects the substantial exploitation prerequisites that materially constrain real-world risk despite the full-system impact potential at root level.
Privilege escalation in Palo Alto Networks Cortex XDR Broker VM permits locally authenticated users to perform operations as the root user within the appliance. The vulnerability is constrained to the Broker VM itself - the CVSS 4.0 vector (SC:N/SI:N/SA:N) confirms no scope change to subsequent or adjacent systems, limiting the blast radius to the VM appliance. No public exploit exists (E:U) and no CISA KEV listing is present; the vendor-assigned CVSS 4.0 score of 1.1 reflects this low-urgency posture.
Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenBus interface (CVE-2025-27464) is exposed to userspace with no security descriptor, leaving it fully accessible to any unprivileged user on a Windows guest. Because XenBus mediates communication between the guest and the hypervisor's device backend, an unprivileged local user can abuse this open interface to gain elevated privileges and potentially impact the guest and the virtualization layer. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is documented in Xen Security Advisory XSA-468.
Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenIface interface is exposed to userspace with no security descriptor, leaving it fully accessible to unprivileged users. Any low-privileged local user on an affected Windows guest can interact with this facility to gain elevated control over the system. This is one of three sibling issues (alongside CVE-2025-27462 XenCons and CVE-2025-27464 XenBus) disclosed in Xen Security Advisory XSA-468; no public exploit has been identified at time of analysis.
Local privilege escalation in the Xen Windows PV Drivers (the XenCons paravirtualized console interface) lets any unprivileged user of a Windows guest reach a device object that ships with no security descriptor, so its facilities are fully accessible to non-administrators. Successful abuse can yield full compromise of the guest with integrity, confidentiality and availability impact, and the vendor scores it critical (CVSS 4.0 base 9.4) with subsequent-system impact. There is no public exploit identified at time of analysis and it is not on CISA KEV. This is one of three related XSA-468 issues (XenCons/CVE-2025-27462, XenIface/CVE-2025-27463, XenBus/CVE-2025-27464).
Local file inclusion in DSpace's OAI-ORE Ingestion Crosswalk allows a collection administrator to expose arbitrary server-side files as ingested bitstreams by supplying or triggering a malicious ORE XML document referencing file:/// URIs. Versions 7.x through 7.6.6, 8.0-8.3, and 9.0-9.2 are confirmed affected; fixed releases (7.6.7, 8.4, 9.3, 10.0) are available per the GitHub security advisory. No public exploit and no CISA KEV listing exist at time of analysis; the CVSS score of 4.4 reflects meaningful constraints on exploitation (high privileges, high complexity).
{service} endpoint to download raw Frigate and nginx logs. Those logs record request query strings containing auto-generated admin passwords and camera credentials, so a viewer can harvest them and re-authenticate as administrator. No public exploit identified at time of analysis, but the flaw is mechanically trivial to abuse once any viewer session exists, and no fixed release has been identified.
Local privilege escalation in Omnissa Workspace ONE Tunnel for Windows lets an authenticated low-privileged local user abuse a path-traversal weakness (CWE-22) to gain higher (likely SYSTEM) privileges on the endpoint. The flaw affects the Windows Tunnel client used for per-app VPN in Workspace ONE managed fleets; no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high across confidentiality, integrity, and availability, but exploitation is confined to attackers who already have a local foothold on the machine.
Privilege escalation in the Themehunk Login Registration WordPress plugin (versions up to and including 1.0.2) allows unauthenticated attackers to self-register accounts with elevated roles - including editor - by supplying an arbitrary 'role' parameter to the publicly exposed /thlogin/v1/register REST endpoint. The handle_frontend_register() function validates the supplied role only against get_editable_roles(), which returns every administratively configurable role on the site, then passes it directly to wp_insert_user() without restricting it to the subscriber level expected for public self-registration. Exploitation is conditioned on public user registration being enabled on the target site; no public exploit code or CISA KEV listing has been identified at time of analysis.
Local privilege escalation to SYSTEM in Fuji Electric Pupsman before version 3.9.0 allows a low-privileged local user to drop a malicious executable into the weakly-permissioned installation directory, which is then run with SYSTEM privileges for full arbitrary code execution. Reported through JPCERT/CC (JVN JVN62347140); no public exploit identified and no active exploitation is confirmed at time of analysis. The CVSS 4.0 base score is 8.5 (High), reflecting complete confidentiality, integrity, and availability impact despite the local attack vector.
Privilege escalation in the Duoshuo (多说社会化评论框) social commenting plugin for WordPress (all versions through 1.2) lets remote attackers seize full administrator control. An unauthenticated, web-accessible API endpoint (api.php/LocalServer.php) exposes an `update_option` handler that lacks capability and nonce checks and relies on a trivially forgeable HMAC-SHA1 signature keyed on an always-empty option, allowing attackers to overwrite any WordPress option - for example flipping `default_role` to `administrator` and enabling open registration, then self-registering an admin account. No public exploit is identified at time of analysis, and it is not in CISA KEV, but the flaw is straightforward to weaponize.
Privilege escalation in the Pixelgrade Backstage - Customizer Demo Access plugin for WordPress (all versions through 1.4.2) lets unauthenticated attackers modify arbitrary site options. The plugin grants the overly broad `manage_options` capability to its `backstage_customizer_user` demo role, so an attacker reaching the demo flow can change settings such as `default_role` and escalate to a privileged account. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation in the FluxInk (formerly Sunia SPB Peripheral) Color Management Driver TcnPeripheral64.sys version 1.0.7.2 lets a standard user map arbitrary physical memory via the \Device\PhysicalMemory object and gain kernel-level control. The flaw affects Lenovo systems shipping this signed color-management driver and is fixed in version 1.0.7.6. Publicly available exploit code exists; there is no public exploit identified as actively exploited (not in CISA KEV), though the vulnerability was reported by CISA (cisa-cg).
Local privilege escalation in MSI Feature Manager (GameGaraj) stems from its bundled KernCoreLib64.sys kernel driver exposing IOCTL handlers that any logged-on user can reach without administrator rights, granting arbitrary physical memory read/write and unrestricted I/O port access. Any low-privileged user on an affected Windows host can leverage this to manipulate kernel objects, tamper with kernel callbacks, bypass Protected Process Light (PPL), and disable endpoint security. Publicly available exploit code exists (published by VulnCheck), though there is no public exploit identified as being used in active attacks at time of analysis.
Persistent privilege escalation in FOSSBilling versions prior to 0.8.0 lets a low-privileged staff account holding only the staff.create_and_edit_staff permission promote itself to arbitrary permissions via the admin API, defeating role-based access control. By calling /api/admin/staff/permissions_update against its own account, the staff user writes any permission structure and effectively gains full administrative control. Rated CVSS 4.0 8.5 (High); no public exploit identified at time of analysis and it is not listed in CISA KEV, but the attack is trivially reproducible once a qualifying staff account exists.
Local privilege escalation in Linuxfabrik Monitoring Plugins (and the underlying linuxfabrik-lib Python library) lets an attacker who already controls the low-privileged nagios account execute arbitrary OS commands, typically as root. The flaw stems from the library's shell_exec() helper splitting assembled command strings on the pipe (|) character, so user-controlled plugin arguments such as restic-check's --repo can inject additional commands. Publicly available exploit code exists (a PoC is included in the vendor advisory), but the issue is not listed in CISA KEV and no EPSS score was provided.
{user}/password, because the endpoint only checked ActionUpdatePersonal and never required the current password when an admin reset another user. A user-admin can therefore hijack an owner account and gain full deployment control, including self-assigning the owner role. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the practical blast radius is bounded by the need to already hold the privileged user-admin role.
Privilege escalation in the Plesk web hosting control panel lets an authenticated low-privileged user abuse an improper authorization flaw in the XML API to inject arbitrary configuration directives, achieving arbitrary file write as root and full compromise of the underlying server. Rated CVSS 9.9 with a scope change, this turns any valid panel account into root on the host; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Pardus Update (versions <=0.6.3, fixed in 0.6.6), the software-update component of TÜBİTAK BİLGEM's Debian-based Pardus Linux distribution, allows a low-privileged local user to perform actions they should not be authorized for and escalate to root-level control. The CWE-862 Missing Authorization flaw carries CVSS 7.8 with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in SourceCodester's Onlne Examination & Learning Management System 1.0 (the product name itself contains a typo - 'Onlne' instead of 'Online') exposes an unauthenticated registration endpoint at register.php where the role parameter is not server-side validated, allowing any remote actor to self-assign elevated privileges at account creation. A publicly available exploit has been published on Pastebin, confirming the attack is trivially reproducible. No CISA KEV listing exists, but the CVSS 4.0 E:P modifier and Pastebin reference corroborate working exploit availability; no vendor patch has been identified at time of analysis.
** UNSUPPORTED WHEN ASSIGNED ** Improper Validation of Specified Quantity in Input in the ASUS AI Suite 3 driver allows a local user to access unintended memory regions via crafted IOCTL requests,. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.
** UNSUPPORTED WHEN ASSIGNED ** Improper Validation of Specified Quantity in Input in the ASUS AI Suite 3 driver allows a local user to bypass security validation and access restricted memory blocks. Rated high severity (CVSS 7.3). No vendor patch available.
Local privilege escalation in WatchGuard Mobile VPN with SSL client for Windows (versions up to and including 2026.2) lets an authenticated local attacker elevate from a low-privileged account to NT AUTHORITY\SYSTEM on any machine where the client is installed. The flaw is rooted in insecure permission assignment (CWE-732), and there is no public exploit identified at time of analysis, though the vendor-reported nature and full high-impact CVSS (7.3, CVSS 4.0) make it a meaningful endpoint-hardening concern.
Local privilege escalation in Linuxfabrik monitoring-plugins arises from the shipped Debian.sudoers file, which grants the nagios user passwordless sudo to apt-get without constraining arguments (CWE-88 argument injection). Any attacker who already controls the nagios account can run 'sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh' to spawn a root shell. Publicly available exploit code exists (documented in the GitHub advisory PoC), but there is no public evidence of active exploitation and no CVSS score was assigned.
Privilege escalation in Weaviate vector database versions before 1.38.0 allows a user holding only the delegated assign_and_revoke_users or assign_and_revoke_groups permission to grant the built-in admin role (or any high-privilege custom role) to itself or others, obtaining full administrative control of the database. The flaw stems from the role-assignment handlers checking only that the caller may assign roles to a target, but never verifying the caller actually holds the permissions being conferred - unlike role creation, which enforces permission subset checks. Reported by VulnCheck with a vendor patch in v1.38.0; no public exploit identified at time of analysis.
Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
Privilege escalation in the LCweb PrivateContent WordPress plugin (all versions up to and including 9.9.2) lets attackers obtain permissions beyond those intended, driven by an incorrect privilege assignment flaw (CWE-266). The Patchstack-assigned CVSS of 9.8 (network, no privileges, no user interaction) implies an attacker could gain administrator-level control over a WordPress site's protected content and settings. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stale render context retention in ViewComponent::Base allows lower-privileged users to receive privileged UI from a prior admin render when component instances are reused across requests, tenants, or threads. Affected versions 4.0.0 through 4.11.x of the rubygems/view_component package fail to reset request-scoped instance variables between render_in calls, enabling cross-user authorization bypass, stale Host header injection into generated URLs, slot child context leakage, and cross-thread context corruption. A detailed publicly available proof-of-concept confirms all four impact vectors; no KEV listing is present, but the exploitability in realistic shared-registry patterns is directly demonstrated.
Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-only Meteor methods that lack the admin authorization checks applied to their non-OIDC counterparts. By calling setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin over DDP, a low-privileged user can create or modify organizations and teams, and - when PROPAGATE_OIDC_DATA is enabled - groupRoutineOnLogin can grant that user global admin. No public exploit identified at time of analysis; the vendor fix (v9.32) is confirmed and the flaw carries a CVSS 4.0 base score of 7.6.
Improper privilege management in TDengine Cloud DB prior to 3.4.1.15 allows an authenticated Data Reader admin_user to execute `create udf` (user-defined function) commands that should be restricted to higher-privilege roles. While the same role is correctly denied `show dnodes` and `create user`, the UDF creation permission was left ungated, creating a privilege escalation path within the database engine. No public exploit code has been identified at time of analysis, and this CVE has not been added to the CISA KEV catalog.
Local credential theft in the garminconnect Python library (versions <= 0.3.4) stems from writing its OAuth token store to disk without an explicit file mode, so under the default umask 022 the file garmin_tokens.json - containing the DI refresh token - is created world-readable (0o644). Any unprivileged co-tenant on a shared Linux or macOS host can read the token and exchange it at Garmin's OAuth endpoint for fresh access tokens, gaining persistent access to the victim's Garmin Connect account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix in 0.3.5 is confirmed and the issue is trivially reproducible under default configuration.
{providerId} to drive organization provisioning, effectively escalating toward organization takeover. No public exploit identified at time of analysis; the flaw is fixed in 1.6.11 which adds the missing role check.
Privilege escalation to NT AUTHORITY\SYSTEM is achievable on Windows systems hosting the Pegatron Tdelo64.sys kernel-mode driver, which exposes the \\.\TdeIo device interface without enforcing caller privilege checks or validating user-supplied kernel memory addresses in its IOCTL dispatcher. Any local user can open the device interface and send crafted IOCTL requests to perform arbitrary kernel memory read and write operations, enabling full system compromise including credential theft and security product bypass. No public exploit code or CISA KEV listing has been identified at time of analysis; the vulnerability was reported to CERT/CC (VU#529388), and the provided CVSS score of 6.2 materially understates the real-world impact given the described kernel write capability.
Local privilege escalation to MySQL root in the NixOS services.mysql module (Nixpkgs, before the 25.11 and 26.05 channel fixes) lets any unprivileged local account - including web, CGI, or other service processes on the same host - authenticate as the database root@localhost user with no password when the module is deployed with the mysql or percona-server package. Because the module initialized root@localhost without socket or password authentication, the DBMS trusted any local connection as root, granting full read/write control over all databases. No public exploit code has been identified at time of analysis and it is not in CISA KEV, but exploitation is trivial for any local process meeting the precondition.
Permission control failure in the Bluetooth module of Huawei HarmonyOS and EMUI exposes devices to local exploitation that can degrade Bluetooth service availability and leak limited data. The flaw, classified under CWE-264, allows a local process operating without elevated privileges to bypass Bluetooth permission enforcement, potentially disrupting connectivity or reading restricted information. No public exploit or CISA KEV listing exists at time of analysis, but Huawei has disclosed this via its July 2026 security bulletin.
Unvalidated chown in Samba's pam_winbind module allows a local user with narrow sudo delegation to transfer ownership of the root filesystem directory to a system account, causing system-wide denial of service on Red Hat Enterprise Linux 6 through 10. When mkhomedir is enabled and a system account has its home directory set to '/', any PAM-triggered authentication event run as that account via sudo invokes the chown without path sanitization. The resulting ownership change breaks SSH, sudo, and package-manager functionality, though the 0555 permissions on RHEL prevent write access escalation, confining the impact to high-severity availability loss. No public exploit or CISA KEV listing is identified at time of analysis.
Permission bypass in the HarmonyOS card module allows a local, unprivileged user - with required user interaction - to circumvent access controls, resulting in high availability impact alongside limited confidentiality and integrity exposure. The vulnerability affects Huawei HarmonyOS across all tracked versions per CPE data and is documented in Huawei's July 2026 security bulletin. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping real-world risk constrained to local attack scenarios.
Privilege escalation in phpMyFAQ before 4.1.5 lets a delegated administrator holding USER_ADD/EDIT/DELETE rights mint a full SuperAdmin account through the POST /admin/api/user/add endpoint, resulting in complete instance takeover. The flaw stems from a missing SuperAdmin authorization guard, allowing a lower-privileged operator to submit isSuperAdmin: true with attacker-chosen credentials and then log in as that account. Reported by VulnCheck; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Elevation of privileges in Dell PowerScale OneFS versions 9.5.0.0-9.10.1.7 and 9.11.0.0-9.13.0.2 allows a high-privileged local attacker to escalate beyond their authorized access level due to improper privilege management (CWE-269). While the CVSS 3.1 base score of 6.7 reflects the local access and high-privilege prerequisites that constrain exploitability, the full C:H/I:H/A:H impact triad signals complete system compromise upon successful exploitation - a serious outcome for enterprise NAS infrastructure that frequently stores sensitive organizational data. No public exploit code or CISA KEV listing has been identified at time of analysis.
Predictable default credentials in Ciena's Navigator Network Control Suite (NCS), Manage Control Plane (MCP), and Planner Plus OnPrem expose hidden system accounts used for internal software operations to remote attackers. These accounts carry limited permissions in isolation, but their known default passwords give an attacker a foothold that can be chained with other weaknesses to escalate privilege on the management system. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, so exploitation remains theoretical rather than demonstrated.
Privilege escalation in Adobe ColdFusion 2023 (through Update 21) and ColdFusion 2025 (through Update 10) allows a remote, unauthenticated attacker to bypass authorization checks and gain unauthorized read and write access. Because the CVSS vector marks scope as changed (S:C) with PR:N and no user interaction, the attacker can act beyond the ColdFusion application boundary, yielding the maximum CVSS base score of 10.0. No public exploit is identified at time of analysis, and EPSS is low at 0.24% (15th percentile), indicating no observed weaponization yet despite the critical rating.
Privilege escalation in Woodpecker CI (v1.0.0 through v3.15.0) running the Kubernetes backend lets any user with Push permission on a connected repository set the pipeline pod's serviceAccountName to an arbitrary ServiceAccount in the pipeline namespace, inheriting its RBAC rights. Because the option was passed straight to the pod spec with no admin gating, a low-privilege contributor can pivot to a privileged ServiceAccount and exfiltrate secrets (DB credentials, API keys, TLS certs) or take over the cluster. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the fix is available in v3.16.0 via a default-off gating flag.
Stored cross-site scripting in EasyAdminBundle (Symfony admin generator) versions 5.0.0 through 5.0.12 allows a lower-privileged user with access to a form using FileField or ImageField to upload a browser-executable .html or .svg file that EasyAdmin then links to inline, executing attacker-controlled JavaScript in a viewing administrator's authenticated session. Impact includes session/CSRF-token theft and privilege escalation; it is explicitly NOT remote code execution because filenames come from Symfony's guessExtension(). There is no public exploit identified at time of analysis and it is not in CISA KEV; a vendor patch is available in 5.0.13.
Unauthenticated arbitrary file write in OpenCost (all versions up to and including releases before 1.119.1) lets remote clients POST to the /serviceKey endpoint and overwrite the GCP service account key file (key.json) with attacker-controlled content, with no authentication and no input validation. An attacker can either corrupt the credential file to break GCP cost collection or inject their own valid service-account key to redirect the target's billing/cost data to an attacker-owned GCP project. Publicly available exploit code exists (a full reproducible PoC is in the GHSA advisory); no public evidence of active exploitation and no CISA KEV listing.
Local privilege escalation in the Windows Group Policy component allows an already-authenticated user to elevate to higher privileges (up to SYSTEM) on affected Windows 10, Windows 11, and Windows Server 2012-2025 systems. The flaw stems from improper privilege management (CWE-269) and is reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 7.8 and full confidentiality, integrity, and availability impact, it is a strong candidate for the monthly patch cycle on endpoints and domain-joined servers.
Local privilege escalation in the Microsoft Install Service (Windows Installer) affects supported Windows 10, Windows 11, and Windows Server 2019-2025 builds, letting an already-authenticated local user with limited rights (PR:L) elevate to SYSTEM. The flaw stems from improper privilege management (CWE-269) in how the service handles operations, yielding full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Improper privilege management in Microsoft Windows DNS allows an authorized attacker to bypass a security feature locally.
Local privilege escalation in Microsoft Windows WalletService allows an authenticated low-privileged attacker to gain SYSTEM-level rights on the host, per CVSS:3.1 AV:L/AC:L/PR:L (7.8, High). The flaw stems from improper privilege management (CWE-269) in the WalletService component and affects a broad range of Windows client and server builds. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch from Microsoft is available.
A privilege escalation vulnerability exists in the HTTP authentication component in Archer VX1800v v1. Improper handling of user-controlled input may allow newline characters to be injected into internally constructed configuration data. An authenticated user with sufficient privileges may be able to modify account settings and gain elevated administrative privileges.
Privilege escalation in Fortinet FortiSIEM Windows Agent 7.4.0 through 7.4.1 stems from an improper restriction of the agent's communication channel (CWE-923), letting an adjacent-network attacker interact with an endpoint that should be limited to trusted parties and thereby gain elevated privileges with full confidentiality, integrity, and availability impact. The flaw was disclosed by Fortinet PSIRT (FG-IR-26-155) and carries a CVSS 7.5 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is gated by high attack complexity, which materially reduces real-world likelihood despite the unauthenticated vector.
Local privilege escalation and kernel memory corruption in Zephyr RTOS on Xtensa SoCs (v3.7.0 through v4.4.0) built with CONFIG_XTENSA_MPU and CONFIG_USERSPACE, where arch_buffer_validate() fails open on an integer-overflow edge case, letting an unprivileged user thread trick the kernel into reading or writing arbitrary kernel/partition memory on its behalf. The flaw stems from a default-permit return value combined with a ROUND_UP address-space wrap that skips the MPU probe loop entirely, and it is not caught by the existing syscall-layer overflow guards. Vendor patch is available; no public exploit identified at time of analysis, and this is not in CISA KEV.
Local privilege escalation in the Citrix Secure Access Client and Citrix Endpoint Analysis (EPA) Client for Windows allows a low-privileged local user to gain higher (likely SYSTEM-level) privileges through improper privilege management (CWE-269). It affects Secure Access Client for Windows before 26.6.1.20 and Endpoint Analysis Client for Windows before 26.5.1.7, both of which run privileged Windows service/agent components on the endpoint. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Citrix rates the flaw high severity (CVSS 4.0 base 8.5) given full confidentiality, integrity, and availability impact once exploited.
Privilege escalation in Checkmk's mk_sap_hana agent plugin allows a local unprivileged user to execute arbitrary commands as root by planting a process whose name mimics a SAP HANA instance. The plugin, when running as root under the RUNAS=agent configuration and lacking explicit database configuration, blindly reads the OS process list to derive SAP HANA instance identifiers and injects them unsanitized into a shell command executed with root privileges - a textbook CWE-78 OS command injection. No public exploit code or CISA KEV listing exists at time of analysis, but the attack prerequisites are achievable on any misconfigured Checkmk deployment that monitors SAP environments.
Local privilege escalation in Siemens' IAM Client SDK, a shared authentication component bundled across a wide range of Siemens engineering and PLM products (Solid Edge, Teamcenter Visualization, Simcenter, Tecnomatix, COMOS, Designcenter NX), allows an authenticated local user to load attacker-controlled code through an untrusted search path (CWE-426) and gain elevated privileges. The flaw carries a CVSS 4.0 base score of 8.5 and requires only low local privileges with no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
SQL injection and input-validation weaknesses in the Snowflake Spark Connector (spark-snowflake) before version 3.2.1 let attackers exfiltrate OAuth client credentials, run arbitrary SQL under the connector's Snowflake role, and redirect COPY data-loading operations to attacker-controlled storage. Reported by Snowflake, the flaws are most dangerous in shared/multi-tenant Spark clusters where injected SQL executes with the cluster admin's JDBC credentials, enabling credential theft and privilege escalation. Rated CVSS 4.0 9.2 (Critical); no public exploit identified at time of analysis.
Local privilege escalation in the openSUSE Tumbleweed packaging of Suricata allows the unprivileged 'suricata' service account to gain root through a symbolic-link following flaw (CWE-61) in files or directories the package manages with predictable, service-writable paths. Any actor already holding the suricata user context - for example via a compromised or misconfigured IDS/IPS process - can plant a symlink that redirects a root-executed operation to a target of their choosing, yielding full system compromise. The CVSS 4.0 exploit-maturity metric is set to Proof-of-Concept (E:P); there is no evidence of active exploitation in CISA KEV, and no public exploit identified at time of analysis.
Local privilege escalation in Glarysoft Glary Utilities lets an already-present low-privileged attacker abuse the Disk Clean feature to delete arbitrary files and ultimately execute code as SYSTEM. Discovered and reported through the Zero Day Initiative (ZDI-26-402, ZDI-CAN-27004), it stems from the privileged cleanup service following filesystem junctions (CWE-59) planted by the attacker. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but ZDI-sourced advisories are typically high-fidelity and reproducible.
Privilege escalation in OpenClaw 2026.5.20 through 2026.6.8 lets an already-authenticated, lower-trust caller abuse the plugin install command path to execute or persist actions beyond their intended authorization. The root cause is an incorrect permission assignment (CWE-732) on plugin installation, and the CVSS 4.0 vector (PR:L, UI:N, AV:N) shows a low-privileged remote actor can achieve high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the CVE is not in CISA KEV, but a GitHub Security Advisory (GHSA-7vrr-rp4x-4g76) and a VulnCheck advisory document it.
Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized request parameter names and values reflected into JavaScript-string and HTML-attribute contexts on endpoints such as /FamilyCustomFieldsEditor.php, /PaddleNumList.php, and /admin/system/church-info. When a victim (especially an administrator) follows a crafted link, the payload executes in their session, enabling session-token theft, account takeover, and exposure of church member data. No public exploit identified at time of analysis, and the CVSS 4.0 vector (PR:N/UI:A) indicates unauthenticated triggering but requires victim interaction.
Stored cross-site scripting in the NukeViet CMS News module (versions before 4.6.00) lets any authenticated user with news-posting permission persist arbitrary JavaScript that runs in the browser of every visitor, including administrators. Two independent filter bypasses defeat the built-in anti-XSS routines in NukeViet\Core\Request: a Form Feed (\x0C) prefix slips event-handler attributes past the /^on/ check, and a decimal HTML-entity tab (	) smuggles a javascript: URI past the keyword filter. Publicly available exploit payloads exist in the vendor advisory; there is no evidence of active exploitation and no EPSS figure was supplied.
Vertical privilege escalation in Shiori (go-shiori), the self-hosted Go bookmark manager, lets any authenticated low-privilege user promote themselves to administrator. By sending a crafted PATCH request to the /api/v1/auth/account update endpoint with owner: true - a field that lacked an authorization check - the user flips their own owner flag, then re-authenticates to receive an admin JWT granting full system access. Disclosed by VulnCheck with a vendor fix committed upstream; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored cross-site scripting in NukeViet CMS 4.x through 4.5.08 lets a low-privileged authenticated member embed a JavaScript payload in their profile display name (first_name/last_name), which then executes when any visitor - including administrators - clicks the Reply/Answer link on that member's comment. The flaw stems from HTML-entity encoding being applied where JavaScript-string escaping is required, so the payload runs in the victim's session context and can drive admin session actions, credential phishing, and data exfiltration. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), though there is no public exploit identified as actively used in the wild.
Privilege escalation in the Apache Airflow FAB auth manager (apache-airflow-providers-fab before 3.7.2) lets a low-privileged user who is granted per-DAG access to a DAG literally named 'DAGs' silently receive the global all-DAGs permission, gaining read and edit access to every DAG in the deployment. The flaw stems from a resource-name collision in resource_name(), where the reserved global resource string 'DAGs' is indistinguishable from a legitimate dag_id of the same value. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Privilege escalation in Red Hat OpenShift's incluster-checks diagnostic tool lets any authenticated user holding the standard 'edit' RBAC role escalate to root on the underlying cluster nodes. The tool provisions privileged debug pods with host-filesystem access inside the shared default namespace, so a low-privileged tenant can simply exec into an existing pod and break out to the host. No public exploit identified at time of analysis, and no CISA KEV listing; EPSS data was not provided in the source intelligence.
Privilege escalation in the MailOptin WordPress plugin (by properfraction) affects all versions up to and including 1.2.77.3, stemming from incorrect privilege assignment (CWE-266). An attacker can obtain elevated privileges within the WordPress site, potentially reaching administrator-level control that yields full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported by Patchstack.
Privilege escalation in the Houzez Login Register WordPress plugin (versions up to and including 3.3.3) lets remote attackers obtain a higher-privileged role than intended due to incorrect privilege assignment (CWE-266). Reported by Patchstack with a CVSS 8.2 (high) score, the flaw carries a network vector with no privileges or user interaction required and a high integrity impact. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Privilege escalation in the MailerPress WordPress plugin (versions up to and including 2.0.2) lets an authenticated low-privilege user gain higher privileges through an incorrect privilege assignment flaw. The CVSS 3.1 vector (AV:N/AC:L/PR:L) indicates a network-reachable, low-complexity attack that any authenticated user can perform, yielding full confidentiality, integrity, and availability impact - effectively a takeover of the plugin's protected functionality or the WordPress site. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported through Patchstack.
Privilege escalation in the aBlocks WordPress plugin (Kodezen LLC) through version 2.9.1 allows an authenticated low-privileged user to elevate their permissions due to incorrect privilege assignment. With a CVSS of 8.8 (AV:N/AC:L/PR:L), a subscriber- or contributor-level account can gain elevated capabilities remotely over the network. No public exploit identified at time of analysis; the issue was disclosed by Patchstack.
Privilege escalation in D-Link DIR-1253 firmware v1.0.1.250923.142435 stems from improper handling of the /etc/shadow file - the store of hashed local credentials - letting an attacker obtain or elevate to root-level access on the device. Publicly available exploit code exists (referenced via the zuh.re/codeberg advisory), but there is no public exploit identified as actively exploited and the CVE is not on the CISA KEV list. The published CVSS of 9.8 (AV:N) appears optimistic given that the core issue centers on a local system credential file, so the true remote-unauthenticated reach should be verified against the vendor advisory.
Kernel memory corruption in the Zephyr RTOS (versions v1.14.0 through v4.4.0) lets an unprivileged user-mode thread corrupt the kernel's dynamic object-tracking list across the userspace security boundary. The flaw is a use-after-free race (CWE-416) in the obj_list traversal, exploitable only on builds combining CONFIG_SMP, CONFIG_USERSPACE, and CONFIG_DYNAMIC_OBJECTS, and can yield privilege escalation or a kernel crash. No public exploit identified at time of analysis; a vendor patch is available.
Privilege escalation to root in OpenWrt's luci-app-samba4 (LuCI web interface) lets authenticated delegated users invoke the root-owned Samba daemon with attacker-controlled arguments. The package's 'read' ACL improperly grants file.exec permission on /usr/sbin/smbd, so a low-privileged operator can launch smbd with global options like 'message command' and achieve arbitrary command execution as root when SMB messages are processed. Reported by VulnCheck with a GHSA advisory published; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in Capgo before 12.128.2 lets demoted super_admin users retain organization-wide bundle management rights because the org_users.user_right column is not cleared when their role binding is deleted. A user who once held super_admin can continue invoking the delete_non_compliant_bundles and count_non_compliant_bundles RPCs to enumerate and bulk-delete non-compliant bundles across the entire organization indefinitely, well after their privileges were supposedly revoked. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.
Privilege escalation in the Genolve AI image and video generation plugin for WordPress (all versions through 5.0.5) lets authenticated users with Contributor-level access or above update arbitrary WordPress options because the genolve_setOpt() function performs no capability check. By enabling the users_can_register option and setting default_role to administrator, a low-privileged user can register a new administrator account and fully take over the site. Reported by Wordfence with a CVSS of 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Account takeover in the SureCart e-commerce plugin for WordPress (versions ≤ 4.2.3) lets unauthenticated attackers overwrite the email address of any WordPress user linked to a SureCart customer record during webhook-driven customer profile synchronization. Because the plugin does not verify the requester's identity before applying the update, an attacker who knows a victim's customer ID - including that of an administrator - can change the account email, trigger a password reset, and seize the account. No public exploit is identified at time of analysis, but the flaw was reported by Wordfence and carries a CVSS of 8.1.
Privilege escalation in the Simple JWT Login WordPress plugin (all versions through 3.6.6) lets an authenticated subscriber-level user forge an Administrator session by injecting arbitrary identity claims into the JWT payload. Because AuthenticateService::generatePayload() only overwrites payload keys that appear in the admin-configured jwt_payload allowlist, attacker-supplied claims such as email, id, or username survive and are signed with the site's HS256 secret; the token is then redeemed at /autologin to log in as any administrator. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.
Privilege escalation in the WP Grid Builder WordPress plugin (versions ≤ 2.3.3) lets an authenticated Subscriber-or-above user promote their own account to Administrator by sending a crafted nested-array payload to the `/wp-json/wpgb/v2/metadata` REST endpoint. The endpoint's `update()` handler lacks both an authorization check and meta-key validation, so an attacker can overwrite their own `wp_capabilities` user meta. No public exploit has been identified at time of analysis, and the flaw is not on CISA KEV; with CVSS 8.8 and low attack complexity, it is a high-priority patch for any site running this plugin.
Authentication bypass in the Hydro-Québec Le Circuit Électrique EV charging station backend lets remote unauthenticated attackers open connections directly to the charging-station WebSocket endpoint, which lacks proper access control (CWE-284), and leverage that access for privilege escalation. All backend versions prior to the June 2026 fix are affected, and the CVSS 4.0 base score of 9.3 (critical) reflects full compromise of confidentiality, integrity, and availability over the network with no privileges or user interaction. Reported through CISA ICS-CERT (ICSA-26-188-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in Imagination Technologies' Graphics DDK GPU driver allows kernel-level software inside a Host VM to post malformed commands to the GPU firmware, forcing an improper GPU register access that can be leveraged to gain elevated privileges. The flaw (CWE-280, improper handling of permissions) affects multiple DDK release branches from 1.18 through 26.1 and is rated CVSS 7.8 (local, low complexity). There is no public exploit identified at time of analysis, and its EPSS probability is low (0.14%).
Privilege escalation in Logto's self-hosted SAML IdP (before 1.41.0) lets an authenticated low-privilege user forge signed SAML attributes such as roles, enabling elevated access at any relying Service Provider that authorizes on SAML attributes. Because user-controlled profile fields (name, email, custom attribute-mapping values) were string-substituted into an unescaped XML template via samlify 2.10.0, an attacker embeds XML markup that Logto then cryptographically signs as legitimate. Rated CVSS 8.5 with scope change; no public exploit identified at time of analysis, but the fix is confirmed in release v1.41.0 with a corresponding GitHub advisory and commit.
Arbitrary Python code execution in BabelDOC (funstory-ai, pip package `babeldoc`) prior to 0.6.3 allows an attacker to run code in the context of the translation process by having a victim process a crafted PDF. The vendored pdfminer CMap loader (`cmapdb.py::_load_data`) strips only NUL bytes from a PDF-controlled CMap/Encoding name and passes it to `pickle.loads()`, so a hex-encoded absolute path in the PDF's `/Encoding` name redirects deserialization to an attacker-planted `.pickle.gz` file. A detailed, working proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no public evidence of active exploitation at time of analysis.
Improper permission handling in Snipe-IT before 8.6.0 lets a privileged user strip another user's administrative or granular permissions when editing their account. Because UsersController::update() treats a missing permissions field as a sparse payload rather than a no-op, an administrator editing another administrator — or any user holding users.edit editing a regular account — can silently wipe the target's privileges. No public exploit identified at time of analysis; this is an authenticated integrity/availability issue rather than a remote takeover.
Privilege escalation in Adam Retail Automation's MobilMen 20T (versions v3 through build 10072026) lets an authenticated low-privileged user manipulate a user-controlled key (CWE-639) to access resources or actions belonging to other, higher-privileged accounts. The flaw carries CVSS 8.8 and was reported by Turkey's national CERT (TR-CERT), but no public exploit identified at time of analysis and it is not in CISA KEV. The vendor was contacted but did not respond, so no coordinated fix is confirmed.
Local privilege escalation in Lima (lima-vm) before 2.1.3 lets any unprivileged user inside a guest VM reach root when the instance runs the QEMU driver with the guest agent enabled. Because the world-reachable /run/lima-guestagent.sock exposes address tunneling - including Unix sockets for privileged daemons such as D-Bus - an in-guest attacker can proxy to root-owned services and execute arbitrary commands as root. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard (unprivileged) user escalate to SYSTEM by planting a maliciously crafted process whose Process Environment Block (PEB) contains oversized command-line or current-directory strings. When the osquery agent - typically running as SYSTEM - queries the `processes` table against that process, unchecked PEB string lengths trigger a heap-based out-of-bounds write (CWE-122). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard user escalate to SYSTEM by planting a maliciously crafted binary and having the authenticode table query it, triggering a heap out-of-bounds write in the getOriginalProgramName publisher-parsing routine. The flaw is a CWE-122 heap buffer overflow reachable whenever osquery (typically running as SYSTEM) evaluates authenticode publisher metadata against attacker-controlled files. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.
Privilege escalation in Apache IoTDB 2.0.8 through 2.0.9 allows any authenticated low-privilege user to rename their own account to the reserved '__internal_auditor' identity and thereby inherit full tree-path access across all stored time-series data. The flaw stems from the system trusting a reserved auditor username without protecting it from ordinary user-driven renames, so a normal database user can self-promote to auditor-level authority. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported and fixed by the Apache project in 2.0.10.
Privilege escalation in the WP Business Intelligence Lite WordPress plugin (all versions through 3.2.0) allows authenticated Subscriber-level users to tamper with stored SQL queries because the plugin fails to enforce a capability/authorization check on the query-modification action (CWE-862). When an administrator later views the maliciously altered query, the attacker's arbitrary SQL executes in the admin context, enabling account takeover or full site compromise. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported through the Wordfence threat intelligence program.
An issue in Invixium IXM WEB v.2.3.85.25 allows an attacker to escalate privileges via the /SystemUsers/CreateAppUser components
Privilege escalation in Discourse (the open-source discussion platform) lets a newly registered user obtain whisper-group ('whisperer') privileges by supplying a primary_group_id during the signup flow, without ever being a legitimate member of that group. Exploitation only matters on sites that have configured whispers_allowed_groups, and success grants read access to staff-only whisper posts (a confidentiality-focused impact). EPSS is low (0.31%, 23rd percentile) and there is no public exploit identified at time of analysis, but the fix commits and GitHub advisory GHSA-vmwq-jvxx-jwfx confirm the flaw and its remediation.
{{erasespamedcomments}} action, which processes a POST-supplied suppr[] array with no authorization, ownership, or CSRF check. On a default install where default_write_acl='*', an unauthenticated attacker first creates a page containing the action, then submits a cleanup request naming target page tags. A vendor patch commit exists; there is no public exploit identified at time of analysis beyond the fully working PoC included in the advisory.
Privilege escalation in Palo Alto Networks Prisma® Browser on macOS enables a locally authenticated administrator with access to the local filesystem to perform actions at root privilege level. The vulnerability is scoped exclusively to macOS deployments of Prisma Browser - no other platforms or Palo Alto products are implicated per the advisory. No public exploit identified at time of analysis; the CVSS 4.0 base score of 2.0 reflects the substantial exploitation prerequisites that materially constrain real-world risk despite the full-system impact potential at root level.
Privilege escalation in Palo Alto Networks Cortex XDR Broker VM permits locally authenticated users to perform operations as the root user within the appliance. The vulnerability is constrained to the Broker VM itself - the CVSS 4.0 vector (SC:N/SI:N/SA:N) confirms no scope change to subsequent or adjacent systems, limiting the blast radius to the VM appliance. No public exploit exists (E:U) and no CISA KEV listing is present; the vendor-assigned CVSS 4.0 score of 1.1 reflects this low-urgency posture.
Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenBus interface (CVE-2025-27464) is exposed to userspace with no security descriptor, leaving it fully accessible to any unprivileged user on a Windows guest. Because XenBus mediates communication between the guest and the hypervisor's device backend, an unprivileged local user can abuse this open interface to gain elevated privileges and potentially impact the guest and the virtualization layer. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is documented in Xen Security Advisory XSA-468.
Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenIface interface is exposed to userspace with no security descriptor, leaving it fully accessible to unprivileged users. Any low-privileged local user on an affected Windows guest can interact with this facility to gain elevated control over the system. This is one of three sibling issues (alongside CVE-2025-27462 XenCons and CVE-2025-27464 XenBus) disclosed in Xen Security Advisory XSA-468; no public exploit has been identified at time of analysis.
Local privilege escalation in the Xen Windows PV Drivers (the XenCons paravirtualized console interface) lets any unprivileged user of a Windows guest reach a device object that ships with no security descriptor, so its facilities are fully accessible to non-administrators. Successful abuse can yield full compromise of the guest with integrity, confidentiality and availability impact, and the vendor scores it critical (CVSS 4.0 base 9.4) with subsequent-system impact. There is no public exploit identified at time of analysis and it is not on CISA KEV. This is one of three related XSA-468 issues (XenCons/CVE-2025-27462, XenIface/CVE-2025-27463, XenBus/CVE-2025-27464).
Local file inclusion in DSpace's OAI-ORE Ingestion Crosswalk allows a collection administrator to expose arbitrary server-side files as ingested bitstreams by supplying or triggering a malicious ORE XML document referencing file:/// URIs. Versions 7.x through 7.6.6, 8.0-8.3, and 9.0-9.2 are confirmed affected; fixed releases (7.6.7, 8.4, 9.3, 10.0) are available per the GitHub security advisory. No public exploit and no CISA KEV listing exist at time of analysis; the CVSS score of 4.4 reflects meaningful constraints on exploitation (high privileges, high complexity).
{service} endpoint to download raw Frigate and nginx logs. Those logs record request query strings containing auto-generated admin passwords and camera credentials, so a viewer can harvest them and re-authenticate as administrator. No public exploit identified at time of analysis, but the flaw is mechanically trivial to abuse once any viewer session exists, and no fixed release has been identified.
Local privilege escalation in Omnissa Workspace ONE Tunnel for Windows lets an authenticated low-privileged local user abuse a path-traversal weakness (CWE-22) to gain higher (likely SYSTEM) privileges on the endpoint. The flaw affects the Windows Tunnel client used for per-app VPN in Workspace ONE managed fleets; no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high across confidentiality, integrity, and availability, but exploitation is confined to attackers who already have a local foothold on the machine.
Privilege escalation in the Themehunk Login Registration WordPress plugin (versions up to and including 1.0.2) allows unauthenticated attackers to self-register accounts with elevated roles - including editor - by supplying an arbitrary 'role' parameter to the publicly exposed /thlogin/v1/register REST endpoint. The handle_frontend_register() function validates the supplied role only against get_editable_roles(), which returns every administratively configurable role on the site, then passes it directly to wp_insert_user() without restricting it to the subscriber level expected for public self-registration. Exploitation is conditioned on public user registration being enabled on the target site; no public exploit code or CISA KEV listing has been identified at time of analysis.
Local privilege escalation to SYSTEM in Fuji Electric Pupsman before version 3.9.0 allows a low-privileged local user to drop a malicious executable into the weakly-permissioned installation directory, which is then run with SYSTEM privileges for full arbitrary code execution. Reported through JPCERT/CC (JVN JVN62347140); no public exploit identified and no active exploitation is confirmed at time of analysis. The CVSS 4.0 base score is 8.5 (High), reflecting complete confidentiality, integrity, and availability impact despite the local attack vector.
Privilege escalation in the Duoshuo (多说社会化评论框) social commenting plugin for WordPress (all versions through 1.2) lets remote attackers seize full administrator control. An unauthenticated, web-accessible API endpoint (api.php/LocalServer.php) exposes an `update_option` handler that lacks capability and nonce checks and relies on a trivially forgeable HMAC-SHA1 signature keyed on an always-empty option, allowing attackers to overwrite any WordPress option - for example flipping `default_role` to `administrator` and enabling open registration, then self-registering an admin account. No public exploit is identified at time of analysis, and it is not in CISA KEV, but the flaw is straightforward to weaponize.
Privilege escalation in the Pixelgrade Backstage - Customizer Demo Access plugin for WordPress (all versions through 1.4.2) lets unauthenticated attackers modify arbitrary site options. The plugin grants the overly broad `manage_options` capability to its `backstage_customizer_user` demo role, so an attacker reaching the demo flow can change settings such as `default_role` and escalate to a privileged account. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation in the FluxInk (formerly Sunia SPB Peripheral) Color Management Driver TcnPeripheral64.sys version 1.0.7.2 lets a standard user map arbitrary physical memory via the \Device\PhysicalMemory object and gain kernel-level control. The flaw affects Lenovo systems shipping this signed color-management driver and is fixed in version 1.0.7.6. Publicly available exploit code exists; there is no public exploit identified as actively exploited (not in CISA KEV), though the vulnerability was reported by CISA (cisa-cg).
Local privilege escalation in MSI Feature Manager (GameGaraj) stems from its bundled KernCoreLib64.sys kernel driver exposing IOCTL handlers that any logged-on user can reach without administrator rights, granting arbitrary physical memory read/write and unrestricted I/O port access. Any low-privileged user on an affected Windows host can leverage this to manipulate kernel objects, tamper with kernel callbacks, bypass Protected Process Light (PPL), and disable endpoint security. Publicly available exploit code exists (published by VulnCheck), though there is no public exploit identified as being used in active attacks at time of analysis.
Persistent privilege escalation in FOSSBilling versions prior to 0.8.0 lets a low-privileged staff account holding only the staff.create_and_edit_staff permission promote itself to arbitrary permissions via the admin API, defeating role-based access control. By calling /api/admin/staff/permissions_update against its own account, the staff user writes any permission structure and effectively gains full administrative control. Rated CVSS 4.0 8.5 (High); no public exploit identified at time of analysis and it is not listed in CISA KEV, but the attack is trivially reproducible once a qualifying staff account exists.
Local privilege escalation in Linuxfabrik Monitoring Plugins (and the underlying linuxfabrik-lib Python library) lets an attacker who already controls the low-privileged nagios account execute arbitrary OS commands, typically as root. The flaw stems from the library's shell_exec() helper splitting assembled command strings on the pipe (|) character, so user-controlled plugin arguments such as restic-check's --repo can inject additional commands. Publicly available exploit code exists (a PoC is included in the vendor advisory), but the issue is not listed in CISA KEV and no EPSS score was provided.
{user}/password, because the endpoint only checked ActionUpdatePersonal and never required the current password when an admin reset another user. A user-admin can therefore hijack an owner account and gain full deployment control, including self-assigning the owner role. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the practical blast radius is bounded by the need to already hold the privileged user-admin role.
Privilege escalation in the Plesk web hosting control panel lets an authenticated low-privileged user abuse an improper authorization flaw in the XML API to inject arbitrary configuration directives, achieving arbitrary file write as root and full compromise of the underlying server. Rated CVSS 9.9 with a scope change, this turns any valid panel account into root on the host; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Pardus Update (versions <=0.6.3, fixed in 0.6.6), the software-update component of TÜBİTAK BİLGEM's Debian-based Pardus Linux distribution, allows a low-privileged local user to perform actions they should not be authorized for and escalate to root-level control. The CWE-862 Missing Authorization flaw carries CVSS 7.8 with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in SourceCodester's Onlne Examination & Learning Management System 1.0 (the product name itself contains a typo - 'Onlne' instead of 'Online') exposes an unauthenticated registration endpoint at register.php where the role parameter is not server-side validated, allowing any remote actor to self-assign elevated privileges at account creation. A publicly available exploit has been published on Pastebin, confirming the attack is trivially reproducible. No CISA KEV listing exists, but the CVSS 4.0 E:P modifier and Pastebin reference corroborate working exploit availability; no vendor patch has been identified at time of analysis.
** UNSUPPORTED WHEN ASSIGNED ** Improper Validation of Specified Quantity in Input in the ASUS AI Suite 3 driver allows a local user to access unintended memory regions via crafted IOCTL requests,. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.
** UNSUPPORTED WHEN ASSIGNED ** Improper Validation of Specified Quantity in Input in the ASUS AI Suite 3 driver allows a local user to bypass security validation and access restricted memory blocks. Rated high severity (CVSS 7.3). No vendor patch available.
Local privilege escalation in WatchGuard Mobile VPN with SSL client for Windows (versions up to and including 2026.2) lets an authenticated local attacker elevate from a low-privileged account to NT AUTHORITY\SYSTEM on any machine where the client is installed. The flaw is rooted in insecure permission assignment (CWE-732), and there is no public exploit identified at time of analysis, though the vendor-reported nature and full high-impact CVSS (7.3, CVSS 4.0) make it a meaningful endpoint-hardening concern.
Local privilege escalation in Linuxfabrik monitoring-plugins arises from the shipped Debian.sudoers file, which grants the nagios user passwordless sudo to apt-get without constraining arguments (CWE-88 argument injection). Any attacker who already controls the nagios account can run 'sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh' to spawn a root shell. Publicly available exploit code exists (documented in the GitHub advisory PoC), but there is no public evidence of active exploitation and no CVSS score was assigned.
Privilege escalation in Weaviate vector database versions before 1.38.0 allows a user holding only the delegated assign_and_revoke_users or assign_and_revoke_groups permission to grant the built-in admin role (or any high-privilege custom role) to itself or others, obtaining full administrative control of the database. The flaw stems from the role-assignment handlers checking only that the caller may assign roles to a target, but never verifying the caller actually holds the permissions being conferred - unlike role creation, which enforces permission subset checks. Reported by VulnCheck with a vendor patch in v1.38.0; no public exploit identified at time of analysis.
Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
Privilege escalation in the LCweb PrivateContent WordPress plugin (all versions up to and including 9.9.2) lets attackers obtain permissions beyond those intended, driven by an incorrect privilege assignment flaw (CWE-266). The Patchstack-assigned CVSS of 9.8 (network, no privileges, no user interaction) implies an attacker could gain administrator-level control over a WordPress site's protected content and settings. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.