Skip to main content

Privilege Escalation

13299 CVEs technique

Monthly

CVE-2026-25203 HIGH This Week

Local privilege escalation in Samsung MagicINFO 9 Server versions prior to 21.1091.1 enables authenticated low-privileged users to escalate to high privileges through incorrect default file/directory permissions. Attackers with local access can obtain complete system control, compromising confidentiality, integrity, and availability. Attack requires local access and low-level authentication but no user interaction. No public exploit identified at time of analysis.

Samsung Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21916 HIGH PATCH This Week

Symbolic link manipulation in Juniper Networks Junos OS CLI enables authenticated local attackers with low privileges to escalate to root access. Exploitation requires two users: the first performs a 'file link ...' CLI operation, then after the second user commits unrelated configuration changes, the first user can authenticate as root, achieving full system compromise. Affects Junos OS versions across 23.2, 23.4, 24.2, 24.4, and 25.2 release trains prior to specified patch levels. No public exploit identified at time of analysis.

Privilege Escalation Juniper
NVD VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-35645 npm MEDIUM PATCH This Month

OpenClaw before version 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that improperly uses a synthetic operator.admin runtime scope, allowing authenticated attackers to execute privileged operations with unintended administrative access by triggering session deletion without a request-scoped client. CVSS score of 6.1 reflects the requirement for low-level user authentication (PR:L) and network accessibility; patch availability is confirmed.

Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
6.1
EPSS
0.0%
CVE-2026-35639 npm HIGH PATCH GHSA This Week

Privilege escalation in OpenClaw before 2026.3.22 enables authenticated attackers with operator.pairing approver role to escalate privileges to operator.admin through insufficient scope validation in the device.pair.approve method. Exploitation allows approval of device requests with broader operator scopes than the approver legitimately holds, ultimately enabling remote code execution on Node infrastructure. Affects OpenClaw deployments where role-based access control enforces operator privilege hierarchies. No public exploit identified at time of analysis.

RCE Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-35638 npm HIGH PATCH This Week

Privilege escalation in OpenClaw Control UI enables unauthenticated attackers to claim arbitrary privileged scopes without device identity verification. By exploiting the trusted-proxy mechanism's device-less allow path, attackers bypass authentication requirements and maintain elevated permissions across sessions. Affects OpenClaw versions prior to 2026.3.22. Attackers with low-privilege access can escalate to high-impact confidentiality and integrity compromise. No public exploit identified at time of analysis.

Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-35625 npm HIGH PATCH This Week

Privilege escalation in OpenClaw (versions prior to 2026.3.25) enables authenticated local attackers to silently elevate permissions from operator.read to operator.admin during shared-auth reconnection events, achieving remote code execution on affected nodes. The vulnerability exploits auto-approval of scope-upgrade requests in local reconnection flows, requiring low-privilege local access (PR:L) with no user interaction. No public exploit identified at time of analysis. Vendor-released patch available via commit 81ebc7e0344fd19c85778e883bad45e2da972229.

RCE Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-33793 HIGH PATCH This Week

Local privilege escalation in Juniper Networks Junos OS and Junos OS Evolved allows low-privileged authenticated users to execute arbitrary code with root privileges. When unsigned Python operation scripts are enabled in device configuration, attackers can inject and execute malicious op scripts under root-equivalent context, achieving complete system compromise. Affects all Junos OS versions before 22.4R3-S7 and multiple branches through 24.4, plus corresponding Junos OS Evolved releases. No public exploit identified at time of analysis. CVSS 8.5 (High) with local attack vector requiring low privileges and no user interaction.

Privilege Escalation Juniper Python
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-39961 Go MEDIUM PATCH GHSA This Month

Aiven Operator versions 0.31.0 through 0.36.x allow developers with ClickhouseUser CRD creation permissions in their own namespace to exfiltrate secrets from arbitrary namespaces by exploiting a confused deputy vulnerability in the operator's ClusterRole. An attacker can craft a malicious ClickhouseUser resource that causes the operator to read privileged credentials (database passwords, API keys, service tokens) from production namespaces and write them into the attacker's namespace with a single kubectl apply command. The vulnerability is fixed in version 0.37.0.

Kubernetes Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-4878 HIGH PATCH This Week

Local privilege escalation in libcap's cap_set_file() function affects Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4, where a TOCTOU race condition allows an unprivileged user with write access to a parent directory to redirect file capability updates onto an attacker-controlled file. Successful exploitation can inject or strip Linux file capabilities on arbitrary executables, yielding full privilege escalation on the host. No public exploit identified at time of analysis and EPSS is 0.01%, but a vendor patch is available.

Privilege Escalation Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +2
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-34179 Go CRITICAL PATCH GHSA Act Now

Privilege escalation in Canonical LXD 4.12 through 6.7 enables remote authenticated restricted TLS certificate users to gain cluster admin privileges. Exploitation requires high-privilege authentication (PR:H) but no user interaction. The vulnerability stems from missing Type field validation in doCertificateUpdate function when processing PUT/PATCH requests to the certificates API endpoint. Attack scope is changed (S:C), allowing attackers to break containment and achieve full cluster compromise with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis.

Canonical Privilege Escalation
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-34177 Go CRITICAL PATCH GHSA Act Now

Privilege escalation in Canonical LXD 4.12-6.7 allows authenticated remote attackers with VM instance editing rights to bypass project restrictions via incomplete denylist validation. Attackers inject AppArmor rules and QEMU chardev configurations through unblocked raw.apparmor and raw.qemu.conf keys, bridging the LXD Unix socket into guest VMs. Successful exploitation enables escalation to LXD cluster administrator and subsequently to host root access. No public exploit identified at time of analysis. Authenticated remote exploitation (PR:H) with cross-scope impact on confidentiality, integrity, and availability.

Canonical Privilege Escalation
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-29923 HIGH This Week

PowerStrip driver (pstrip64.sys) through version 3.90.736 enables authenticated local users to escalate privileges to SYSTEM by sending malicious IOCTL requests that map arbitrary physical memory into user-mode address space, allowing modification of kernel structures. EPSS score of 0.02% (5th percentile) indicates low automated exploitation likelihood, though publicly available exploit code exists (PacketStorm Security reference), making this a realistic threat in environments where PowerStrip is deployed and local access is possible. No CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

Privilege Escalation N A
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-30478 HIGH This Week

DLL injection in GatewayGeo MapServer for Windows version 5 enables authenticated local attackers to escalate privileges to SYSTEM level through crafted executable placement. The vulnerability exploits insecure library loading paths, allowing low-privileged users to inject malicious DLLs that execute with elevated permissions. Publicly available exploit code exists. Affects Windows deployments only; CVSS 8.8 reflects local attack vector requiring low privileges but achieving full system compromise across security boundaries.

Privilege Escalation Microsoft
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39415 MEDIUM PATCH This Month

Frappe Learning Management System versions prior to 2.46.0 allow authenticated students to modify their own quiz scores via client-side manipulation using browser developer tools before submission. This vulnerability compromises the integrity of quiz results and academic reliability without enabling privilege escalation, unauthorized account access, or exposure of confidential information. The fix is available in version 2.46.0, and no public exploit code or active exploitation has been identified at the time of analysis.

Privilege Escalation Authentication Bypass Lms
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-20709 MEDIUM This Month

Use of a default cryptographic key in Intel Pentium Processor Silver Series, Celeron Processor J Series, and Celeron Processor N Series hardware allows privilege escalation when a hardware reverse engineer with privileged user access performs a high-complexity physical attack with special internal knowledge. The vulnerability has a CVSS score of 5.8 with physical attack vector (AV:P) and high attack complexity (AC:H), requiring privileged access (PR:H) and special attack time requirements (AT:P). No public exploit code or active CISA KEV designation has been identified.

Intel Privilege Escalation Red Hat
NVD VulDB
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-27806 Go HIGH PATCH GHSA This Week

Local privilege escalation to root in Fleet Orbit agent (macOS) allows authenticated local users to inject arbitrary Tcl commands via malformed FileVault password input. The vulnerability stems from unsafe interpolation of user-supplied passwords into expect scripts executed as root. CVSS 7.8 (High) with EPSS data unavailable; no public exploit identified at time of analysis, though exploitation requires only a specially crafted password containing closing brace characters. Impacts organizations using Fleet's macOS disk encryption management.

Command Injection Privilege Escalation
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-4498 HIGH This Week

Authenticated Kibana users with Fleet management privileges can read Elasticsearch index data beyond their intended RBAC permissions through debug route handlers in the Fleet plugin. This scope bypass affects Elastic Kibana deployments where users hold Fleet sub-feature privileges (agent policies, settings management). The vulnerability requires low-privilege authentication (PR:L) and has network attack vector (AV:N) with low complexity (AC:L), enabling cross-scope data confidentiality breach (S:C/C:H). No public exploit identified at time of analysis. EPSS data not available, but the specific privilege escalation vector and remote exploitability warrant prioritization in Kibana Fleet deployments.

Privilege Escalation Elastic
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-39429 Go HIGH PATCH GHSA This Week

Unauthenticated access to kcp root shard cache server exposes cluster topology, RBAC policies, and API configurations to network-reachable attackers. The cache server at /services/cache/* bypasses authentication and authorization middleware, allowing any attacker with network access to the root shard (CVSS:3.1/AV:N/AC:L/PR:N) to read replicated resources including ClusterRoles, LogicalClusters, Shards, APIExports, and admission control policies. A secondary race condition permits temporary privi

Authentication Bypass Privilege Escalation
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-58713 MEDIUM This Month

Red Hat Process Automation Manager container images allow local privilege escalation when the /etc/passwd file is created with group-writable permissions during the build process. An attacker with non-root command execution capability who is a member of the root group can modify /etc/passwd to create a new user with UID 0, gaining full root privileges within the container. This requires high privileges (membership in root group) and challenging conditions (AC:H), but affects all versions of Red Hat Process Automation 7 distributed as container images. No public exploit code has been identified at the time of analysis.

Red Hat Privilege Escalation
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-57853 MEDIUM This Month

Container privilege escalation in Red Hat Web Terminal allows local attackers with group membership to modify the /etc/passwd file and create arbitrary user accounts including root. The vulnerability stems from overly permissive group-writable permissions on /etc/passwd during image build, enabling privilege escalation from non-root container users to full root access within the container. Red Hat Web Terminal across multiple versions is affected; no public exploit code or active exploitation has been reported at the time of analysis.

Privilege Escalation Red Hat Web Terminal
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-57854 MEDIUM This Month

Privilege escalation in OpenShift Update Service (OSUS) container images allows local attackers with high privileges to gain root access by modifying the group-writable /etc/passwd file created during build time. An attacker executing commands within an affected container can leverage root group membership to inject a new user with UID 0, achieving full container root privileges. No public exploit code or active exploitation has been identified at the time of analysis.

Privilege Escalation Red Hat Openshift Update Service
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-57851 MEDIUM This Month

Container privilege escalation in Red Hat Multicluster Engine for Kubernetes allows authenticated local attackers to escalate from non-root container execution to full root privileges by exploiting group-writable permissions on the /etc/passwd file created during container image build time, enabling arbitrary UID assignment including UID 0.

Privilege Escalation Kubernetes
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-57847 MEDIUM This Month

Container privilege escalation in Red Hat Ansible Automation Platform 2 allows non-root users within affected container images to gain root privileges by modifying the group-writable /etc/passwd file. During the container build process, /etc/passwd is created with overly permissive group-write permissions, enabling any user in the root group to add arbitrary entries including a UID 0 account. This vulnerability requires local container execution access and elevated group membership, but results in complete container compromise when exploited.

Privilege Escalation Red Hat Ansible Automation Platform 2
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5795 Maven HIGH PATCH GHSA This Week

Privilege escalation in Eclipse Jetty 9.4.0-12.1.7 allows unauthenticated remote attackers to bypass authentication via ThreadLocal variable pollution in JASPIAuthenticator. Early returns from authentication checks fail to clear ThreadLocal values, causing subsequent requests on the same thread to inherit elevated privileges. CVSS 7.4 with high complexity but no authentication required. EPSS and KEV status not provided; no public exploit identified at time of analysis. Affects all major Jetty versions from 9.x through 12.x.

Privilege Escalation Eclipse Jetty
NVD GitHub HeroDevs VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-4483 HIGH PATCH This Week

Moxa MxGeneralIo utility versions prior to 1.4.0/1.5.0 expose IOCTL interfaces allowing authenticated high-privilege local attackers to directly access Model-Specific Registers (MSR) and system memory, enabling privilege escalation on Windows 7 or denial-of-service crashes (BSoD) on Windows 10/11. While CVSS 7.0 reflects high availability impact and network attack vector classification, the actual exploit requires local high-privilege access (PR:H), significantly reducing practical risk. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept has been identified at time of analysis, though vendor advisory confirms patch availability.

Microsoft Privilege Escalation
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-3480 MEDIUM This Month

WP Blockade WordPress plugin versions up to 0.9.14 allows authenticated users with Subscriber-level access or higher to execute arbitrary WordPress shortcodes due to missing authorization checks and nonce verification in the render_shortcode_preview() function. An attacker can supply malicious shortcodes via the 'wp-blockade-shortcode-render' admin_post action to achieve information disclosure, privilege escalation, or arbitrary actions depending on registered shortcodes. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress Privilege Escalation Authentication Bypass Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4003 CRITICAL Act Now

Arbitrary user metadata modification in Users Manager - PN plugin for WordPress (versions ≤1.1.15) allows unaneticated remote attackers to escalate privileges and hijack accounts. The vulnerability stems from flawed authorization logic in userspn_ajax_nopriv_server() that fails to verify authentication when user_id is supplied, combined with publicly exposed nonce values. Attackers can modify critical user metadata including userspn_secret_token for any WordPress user. CVSS 9.8 (Critical). EPSS data not available. No public exploit identified at time of analysis, but exploitation requires only HTTP requests with predictable parameters.

WordPress Privilege Escalation Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-1346 CRITICAL PATCH Act Now

Local privilege escalation to root in IBM Verify/Security Verify Access products 10.0-11.0.2 allows unauthenticated local users to gain full system control via excessive process privileges (CWE-250). The CVSS 9.3 score reflects local attack vector but no authentication requirement (PR:N) and complete system compromise with scope change. Patch available per vendor advisory. No public exploit identified at time of analysis, though the local attack vector and low complexity (AC:L) suggest straightforward exploitation once local access is obtained.

IBM Privilege Escalation
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-35574 HIGH PATCH This Week

Stored XSS in ChurchCRM Note Editor enables authenticated users to execute arbitrary JavaScript in victims' browsers, leading to session hijacking and privilege escalation against administrators managing sensitive church member data. Affects ChurchCRM versions prior to 6.5.3. CVSS 7.3 (High) reflects network-accessible attack requiring low-privilege authentication and user interaction. EPSS and KEV data not provided; no public exploit identified at time of analysis. Vendor patch released in version 6.5.3.

XSS Privilege Escalation Authentication Bypass Churchcrm
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-22683 HIGH POC This Week

Authorization bypass in Windmill 1.56.0-1.614.0 enables Operator role users to escalate privileges to remote code execution. Operators can bypass documented role restrictions via unprotected backend API endpoints to create/modify scripts, flows, and apps, then execute arbitrary code through the jobs API. Public exploit code exists (GitHub: Chocapikk/Windfall). EPSS data unavailable, but the low attack complexity (AC:L), network access vector (AV:N), and availability of weaponized POC indicate elevated real-world risk for self-hosted Windmill deployments with Operator-level users.

Privilege Escalation RCE Authentication Bypass Flow Windmill
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-27314 Maven HIGH PATCH GHSA This Week

Apache Cassandra 5.0 through 5.0.6 in mTLS environments using MutualTlsAuthenticator allows authenticated users with only CREATE permission to escalate privileges to superuser via certificate identity manipulation through the ADD IDENTITY command. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, with SSVC indicating non-automatable exploitation but total technical impact. Apache released patch version 5.0.7+ addressing this privilege escalation flaw (CWE-267: Privilege Defined With Unsafe Actions).

Privilege Escalation Apache
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-35607 Go HIGH PATCH GHSA This Week

Auto-provisioned users in File Browser's proxy authentication flow inherit elevated execution permissions that were explicitly blocked in the self-registration flow, enabling unauthorized command execution. Versions prior to 2.63.1 grant execute capabilities to proxy-auth users from global defaults, bypassing security controls added in commit b6a4fb1. This affects File Browser instances using proxy authentication for automatic user provisioning. No public exploit identified at time of analysis, though EPSS probability warrants attention given the network-accessible attack surface and high confidentiality/integrity impact.

Privilege Escalation Filebrowser
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-4740 Go HIGH PATCH GHSA This Week

Improper certificate validation in Red Hat's Open Cluster Management (OCM) and Multicluster Engine for Kubernetes allows managed cluster administrators with high-level local access to forge client certificates, achieving cross-cluster privilege escalation to other managed clusters including the hub cluster. The CVSS 8.2 rating reflects high impact across confidentiality, integrity, and availability with scope change, though exploitation requires existing high-privilege local access (PR:H) and local attack vector (AV:L). No public exploit code or CISA KEV listing identified at time of analysis, though technical details are publicly documented in researcher blog post.

Privilege Escalation Red Hat Kubernetes Multicluster Engine For Kubernetes
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-5373 HIGH PATCH This Week

Improper privilege management in runZero Platform allows organization administrators to escalate privileges to superuser status. Authenticated admin users with high privileges (PR:H) can exploit this network-accessible flaw (AV:N) with user interaction (UI:R) to gain unauthorized superuser access, potentially compromising confidentiality and integrity across organizational boundaries (scope changed to C). Fixed in version 4.0.260202.0. EPSS risk data not available; no public exploit identified at time of analysis.

Privilege Escalation Platform
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-39666 CRITICAL PATCH Act Now

Local privilege escalation in Checkmk allows site users with high privileges to escalate to root by manipulating site context files processed by the root-executed 'omd' administrative command. Affects Checkmk 2.2.0 (EOL), 2.3.0 before p46, 2.4.0 before p25, and 2.5.0 beta before b3. No public exploit identified at time of analysis. CVSS 9.3 reflects total technical impact, but SSVC assessment indicates non-automatable exploitation requiring existing high-privilege access, tempering the real-world urgency for organizations with strict site user access controls.

Privilege Escalation Checkmk
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-20433 HIGH This Week

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-controlled rogue cellular base stations. The vulnerability affects over 60 MediaTek chipset models widely deployed in smartphones and IoT devices, exploitable by adjacent network attackers without authentication (CVSS:3.1 AV:A/PR:N). While EPSS scores this at only 6% exploitation probability (18th percentile) and no active exploitation is confirmed at time of analysis, the attack s

Buffer Overflow Privilege Escalation Memory Corruption Mediatek Chipset
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-20432 HIGH This Week

Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment connects to an attacker-controlled rogue cellular base station. Affects 57 MediaTek chipset models across MT67xx, MT68xx, MT69xx, MT87xx, and MT27xx families used in mobile devices. Authentication not required (CVSS PR:N) but requires adjacent network access and user interaction to connect to malicious base station. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis, though vendor patch MOLY01406170 has been released per April 2026 MediaTek security bulletin.

Buffer Overflow Privilege Escalation Memory Corruption Mediatek Chipset
NVD VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-5708 HIGH PATCH This Week

Privilege escalation in AWS Research and Engineering Studio (RES) versions prior to 2026.03 allows authenticated remote attackers to assume virtual desktop host instance profile permissions and interact with AWS resources via crafted API requests. The vulnerability stems from unsanitized user-modifiable attributes in session creation. CVSS 8.7 (High) with network attack vector, low complexity, and requiring low privileges. Vendor-released patch available (version 2026.03). EPSS data not provided; no public exploit identified at time of analysis.

Privilege Escalation Research And Engineering Studio Res
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2024-14032 HIGH POC This Week

Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation RCE Authentication Bypass Twitch Studio
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-33727 MEDIUM PATCH This Month

Pi-hole 6.4 allows local privilege escalation to root code execution via insecure sourcing of attacker-controlled content in /etc/pihole/versions by root-run scripts. A compromised low-privilege pihole account can inject malicious code that executes with root privileges, despite the pihole account using nologin shell. This vulnerability is fixed in version 6.4.1.

Privilege Escalation RCE Pi Hole
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2016-20061 HIGH POC This Week

sheed AntiVirus 2.3 contains an unquoted service path vulnerability in the ShavProt service that allows local attackers to escalate privileges by exploiting the service binary path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Sheed Antivirus
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2016-20060 HIGH POC This Week

Hotspot Shield 6.0.3 contains an unquoted service path vulnerability in the hshld service binary that allows local attackers to escalate privileges by injecting malicious executables. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Hotspot Shield
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2016-20059 HIGH POC This Week

IObit Malware Fighter 4.3.1 contains an unquoted service path vulnerability in the IMFservice and LiveUpdateSvc services that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Iobit Malware Fighter
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2016-20058 HIGH POC This Week

Netgate AMITI Antivirus build 23.0.305 contains an unquoted service path vulnerability in the AmitiAvSrv and AmitiAntivirusHealth services that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Netgate Amiti Antivirus
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2016-20057 HIGH POC This Week

NETGATE Registry Cleaner build 16.0.205 contains an unquoted service path vulnerability in the NGRegClnSrv service that allows local attackers to escalate privileges by exploiting the service binary. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Netgate Registry Cleaner
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2016-20056 HIGH POC This Week

Spy Emergency build 23.0.205 contains an unquoted service path vulnerability in the SpyEmrgHealth and SpyEmrgSrv services that allows local attackers to escalate privileges by inserting malicious. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Spy Emergency
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2016-20055 HIGH POC This Week

IObit Advanced SystemCare 10.0.2 contains an unquoted service path vulnerability in the AdvancedSystemCareService10 service that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Iobit Advanced Systemcare
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-35463 PyPI HIGH PATCH GHSA This Week

Remote code execution in pyLoad download manager allows authenticated non-admin users with SETTINGS permission to execute arbitrary system commands via the AntiVirus plugin configuration. The vulnerability stems from incomplete enforcement of admin-only security controls: while core configuration options like reconnect scripts and SSL certificates require admin privileges, plugin configuration lacks this protection. Attackers can modify the AntiVirus plugin's executable path (avfile) parameter, which is directly passed to subprocess.Popen() without validation, achieving command execution when file downloads complete. CVSS 8.8 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept exists in the GitHub security advisory.

Python RCE Privilege Escalation Command Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-35412 npm HIGH PATCH GHSA This Week

Arbitrary file overwrite in Directus TUS resumable upload endpoint allows authenticated users to replace any existing file by UUID, bypassing row-level access controls. The vulnerability affects the npm package directus, where the /files/tus controller validates only collection-level permissions but skips item-level authorization checks. Attackers with basic file upload permissions can permanently overwrite victim files with malicious content, potentially escalating privileges by replacing admin-owned assets. EPSS data not available, but the moderate complexity (CVSS AC:L, PR:L) and specific bypass mechanism suggest focused targeting risk. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Privilege Escalation Authentication Bypass File Upload
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-7024 MEDIUM This Month

AIRBUS TETRA Connectivity Server 7.0 on Windows Server allows privilege escalation to SYSTEM via incorrect default directory permissions (CWE-276), enabling local authenticated attackers to execute arbitrary code by placing a crafted file in a vulnerable directory with user interaction. The vulnerability affects TETRA Connectivity Server version 7.0, with patches available for versions 8.0 and 9.0. No public exploit code or active exploitation in the wild has been identified at time of analysis.

Privilege Escalation RCE Microsoft
NVD VulDB
CVSS 4.0
5.6
EPSS
0.0%
CVE-2026-35039 npm CRITICAL PATCH GHSA Act Now

Cache key collisions in fast-jwt's custom cacheKeyBuilder implementations enable token confusion attacks, allowing remote attackers to impersonate users and escalate privileges without authentication. The vulnerability affects Node.js applications using fast-jwt with both caching enabled AND custom cache key builder functions that generate non-unique keys. No public exploit identified at time of analysis, though EPSS data unavailable and exploitation likelihood is high given the network-accessible attack vector (AV:N) and low complexity (AC:L). Applications using default caching behavior are NOT affected.

Privilege Escalation
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34989 PHP CRITICAL PATCH GHSA Act Now

Stored cross-site scripting (XSS) in ci4-cms-erp/ci4ms profile management enables privilege escalation to full administrative compromise. Attackers inject malicious JavaScript payloads through unsanitized profile name fields, which execute persistently across multiple application interfaces including administrative user management pages and public-facing blog views. When administrators access affected pages, the stored payload executes in their browser context, enabling session hijacking and complete account takeover. Vendor patch available per GitHub security advisory. This represents a critical privilege escalation vector requiring immediate remediation in any deployment with multiple user roles.

Privilege Escalation XSS
NVD GitHub
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-35535 HIGH POC PATCH CISA Act Now

Local privilege escalation in Sudo through 1.9.17p2 (fixed in commit 3e474c2) arises because a failed setuid, setgid, or setgroups call during the privilege drop that precedes invoking the mailer is treated as non-fatal, allowing the mailer to run with retained elevated privileges. Local users on systems where Sudo is configured to send mail can leverage this to gain root, with total technical impact per CISA SSVC. EPSS is 0.00% and there is no public exploit identified at time of analysis, consistent with SSVC marking exploitation as none.

Privilege Escalation Sudo
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
Threat
5.1
CVE-2023-7343 HIGH This Week

HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Hirschmann Industrial Hivision
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2023-7342 HIGH This Week

HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Hirschmann Hisecos Eagle
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2024-44250 HIGH PATCH This Week

A permissions issue was addressed with additional restrictions. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

RCE Apple Privilege Escalation
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-34877 CRITICAL PATCH Act Now

Mbed TLS versions 2.19.0 through 3.6.5 and 4.0.0 allow remote code execution through memory corruption when attackers modify serialized SSL context or session structures. The vulnerability stems from insufficient validation of deserialized data, enabling arbitrary code execution on systems using affected versions. CISA KEV status and active exploitation data not confirmed in provided intelligence.

RCE Privilege Escalation Buffer Overflow Mbed Tls
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-33271 MEDIUM PATCH This Month

Local privilege escalation in Acronis True Image for Windows before build 42902 allows authenticated users with low privileges to escalate to higher privileges through insecure folder permissions. An attacker with local access and user-level privileges can exploit improper permission settings on critical directories to achieve full system compromise, requiring user interaction (file execution or folder navigation). This vulnerability has a CVSS score of 6.7 reflecting high confidentiality, integrity, and availability impact despite the elevated barriers to exploitation.

Privilege Escalation Microsoft
NVD VulDB
CVSS 3.0
6.7
EPSS
0.0%
CVE-2026-27774 MEDIUM PATCH This Month

Local privilege escalation in Acronis True Image (Windows) before build 42902 allows authenticated users with low privileges to gain high-integrity access through DLL hijacking. An attacker with local user access can exploit unsafe DLL loading to execute arbitrary code with elevated permissions, requiring user interaction (e.g., triggering a specific application action). No public exploit code or active exploitation has been confirmed at the time of analysis.

Privilege Escalation Microsoft
NVD VulDB
CVSS 3.0
6.7
EPSS
0.0%
CVE-2026-28728 MEDIUM PATCH This Month

Local privilege escalation in Acronis True Image for Windows before build 42902 exploits DLL hijacking to allow authenticated users to escalate privileges. An attacker with local access and valid credentials can manipulate DLL load paths during application execution, requiring user interaction (such as opening a file or launching a feature), to gain elevated system privileges. This vulnerability has a CVSS score of 6.7 and affects all versions prior to the patched build.

Privilege Escalation Microsoft
NVD VulDB
CVSS 3.0
6.7
EPSS
0.0%
CVE-2026-33950 npm CRITICAL PATCH GHSA Act Now

Unauthenticated privilege escalation in SignalK Server (versions prior to 2.24.0-beta.4) allows remote attackers to inject administrator roles via the /enableSecurity endpoint, granting full administrative control without credentials. Attackers can modify vessel routing data, alter server configurations, and access all restricted endpoints. No public exploit identified at time of analysis, but the critical CVSS 9.4 score reflects the trivial exploit complexity (AV:N/AC:L/PR:N) and high confidentiality/integrity impact to marine vessel control systems.

Privilege Escalation Authentication Bypass Signalk Server
NVD GitHub VulDB
CVSS 3.1
9.4
EPSS
0.0%
CVE-2026-4282 Maven HIGH PATCH GHSA This Week

Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level access tokens. The SingleUseObjectProvider's lack of type and namespace isolation permits attackers to forge valid authorization codes remotely, though exploitation requires high complexity (AC:H). No public exploit identified at time of analysis, with CVSS 7.4 indicating high confidentiality and integrity impact but no availability disruption.

Privilege Escalation Red Hat Build Of Keycloak
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-21765 HIGH This Week

Local privilege escalation in HCL BigFix Platform on Windows allows authenticated users with low privileges to access cryptographic private keys due to overly permissive file system permissions, potentially enabling complete system compromise with cross-scope impact. Authentication required (PR:L). No public exploit identified at time of analysis, though the attack is rated low complexity and fully automated. CVSS 8.8 severity driven by scope change and complete confidentiality/integrity/availability impact.

Microsoft Privilege Escalation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25212 CRITICAL Act Now

Percona PMM (Percona Monitoring and Management) versions prior to 3.7 allow authenticated users with pmm-admin privileges to execute arbitrary operating system commands by exploiting excessive database superuser privileges through the 'Add data source' feature. This privilege escalation vulnerability enables container/system breakout from database context to shell access. EPSS score is low (0.04%, 13th percentile) indicating minimal observed exploitation activity, and CISA SSVC assessment confirms no active exploitation with non-automatable attack characteristics, though technical impact is rated total.

Privilege Escalation
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-34974 PHP MEDIUM PATCH GHSA This Month

Stored XSS via HTML entity-encoded javascript: URLs in SVG files in phpMyFAQ enables privilege escalation from editor to admin. The regex-based sanitizer in SvgSanitizer.php fails to detect entity-encoded payloads like javascript: (javascript:), allowing any user with edit_faq permission to upload malicious SVGs that execute arbitrary JavaScript in admin browsers. Publicly available proof-of-concept demonstrates both basic XSS and complete admin account creation, with confirmed working exploitation in Chrome 146 and Edge.

PHP XSS Privilege Escalation Google Chrome
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34783 Go HIGH PATCH GHSA This Week

Path traversal in Ferret's IO::FS::WRITE and IO::FS::READ functions enables remote code execution when web scraping operators process attacker-controlled filenames. The vulnerability affects github.com/MontFerret/ferret (all v2.x and earlier versions), allowing malicious websites to write arbitrary files outside intended directories by injecting '../' sequences into filenames returned via scraped content. Attackers can achieve RCE by writing to /etc/cron.d/, ~/.ssh/authorized_keys, shell profile

Path Traversal RCE Privilege Escalation PHP Python
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-34571 PHP CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in CI4MS backend user management allows authenticated attackers with low-level privileges to inject malicious JavaScript that executes automatically when administrators access affected pages, enabling session hijacking and full administrative account takeover. The vulnerability affects all versions prior to 0.31.0.0 with a critical CVSS score of 9.9 due to scope change and high impact across confidentiality, integrity, and availability. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis, though the technical barrier is low (AC:L, PR:L).

XSS Privilege Escalation Ci4ms
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-34397 MEDIUM PATCH This Month

Local privilege escalation in Himmelblau versions 2.0.0-alpha through 2.3.8 and 3.0.0-alpha through 3.1.0 allows authenticated users to assume privileged group membership when their Azure Entra ID-mapped CN or short name collides with system group names (sudo, wheel, docker, adm, etc.). The NSS module resolves the collision to the attacker's fake primary group, potentially granting group-level privileges if the system uses NSS for authorization decisions. CVSS 6.3 (medium); no public exploit identified at time of analysis.

Microsoft Privilege Escalation Docker Suse
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-35099 HIGH PATCH This Week

Local privilege escalation to SYSTEM via race condition in Lakeside SysTrack Agent 11 (versions prior to 11.2.1.28) allows unauthenticated local attackers to gain complete system control through timing-dependent exploitation. EPSS risk assessment and KEV status not available at time of analysis; no public exploit identified at time of analysis. Attack complexity is rated high, requiring precise timing manipulation of concurrent operations.

Privilege Escalation Race Condition Systrack Agent
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-3775 HIGH This Week

DLL search path hijacking in Foxit PDF Editor and Foxit PDF Reader update services enables local privilege escalation to SYSTEM. Low-privileged authenticated users can plant malicious libraries in writable directories that are resolved during update checks, achieving arbitrary code execution with elevated privileges. CVSS 7.8 (High) with low attack complexity. No public exploit identified at time of analysis, EPSS data not provided.

Privilege Escalation RCE Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-3780 HIGH This Week

Installer privilege escalation in Foxit PDF Reader and Foxit PDF Editor allows local authenticated users to execute arbitrary code with elevated system privileges via DLL search path manipulation. The installer's failure to use absolute paths for system executables enables attackers to plant malicious DLLs in user-writable directories that take precedence during installation, exploiting the trusted installer's elevated permissions. EPSS data not available; no public exploit identified at time of analysis; not listed in CISA KEV.

Privilege Escalation Foxit Pdf Reader Foxit Pdf Editor
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-34528 Go HIGH PATCH GHSA This Week

File Browser's self-registration mechanism grants arbitrary shell command execution to unauthenticated attackers when administrators enable signup alongside server-side execution. The signupHandler inherits Execute permissions and Commands lists from default user templates but only strips Admin privileges, allowing newly registered users to immediately execute arbitrary commands via WebSocket with the process's full privileges. Vendor patch available. EPSS data not provided, but the specific configuration requirement (signup + enableExec + Execute in defaults) significantly narrows the attack surface despite the network-accessible, unauthenticated attack vector (CVSS 8.1 High). No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis beyond the detailed proof-of-concept in the advisory.

Privilege Escalation Node.js
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-34529 Go HIGH PATCH GHSA This Week

Stored XSS in File Browser's EPUB preview function (versions ≤v2.62.1) allows authenticated attackers to steal JWT tokens and escalate privileges by uploading malicious EPUB files. The vulnerability arises from passing allowScriptedContent:true to the epub.js library combined with an ineffective iframe sandbox (allow-scripts + allow-same-origin), enabling JavaScript in crafted EPUBs to access parent frame localStorage. CVSS 7.6 (AV:N/AC:L/PR:L/UI:R/S:C). No public exploit identified at time of analysis beyond the detailed PoC in the advisory. EPSS data not available. Vendor-released patch available per GitHub advisory. Low-privilege users with file upload permissions can weaponize this to compromise administrator sessions.

XSS Privilege Escalation Python Docker Mozilla
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-32871 PyPI CRITICAL PATCH GHSA Act Now

Server-Side Request Forgery (SSRF) in FastMCP's OpenAPIProvider allows authenticated attackers to access arbitrary backend endpoints through path traversal injection in OpenAPI path parameters. The vulnerability arises from improper URL encoding in the RequestDirector._build_url() method, enabling attackers to escape intended API prefixes using '../' sequences and reach internal administrative or sensitive endpoints while inheriting the MCP provider's authentication context. This affects the fastmcp Python package and enables privilege escalation beyond the OpenAPI specification's intended API surface. No public exploit identified at time of analysis, though detailed proof-of-concept code exists in the GitHub advisory demonstrating traversal to /admin endpoints.

SSRF Path Traversal Authentication Bypass Privilege Escalation Python
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.3%
CVE-2026-25726 Go HIGH PATCH GHSA This Week

Weak pseudo-random number generation in Cloudreve enables JWT forgery and complete account takeover on instances initialized before v4.10.0. Attackers can brute-force the PRNG seed (achievable in under 3 hours on consumer hardware) by obtaining administrator creation timestamps via public APIs and validating against known hashids, then forge valid JWTs for any user including administrators. No public exploit confirmed at time of analysis, though detailed attack methodology is disclosed. CVSS 8.1 (High) reflects network-accessible privilege escalation despite high attack complexity requiring cryptographic brute-forcing.

Privilege Escalation OpenSSL
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-34450 PyPI MEDIUM PATCH GHSA This Month

Anthropic Python SDK versions 0.86.0 to before 0.87.0 create memory files with overly permissive file permissions (0o666), allowing local attackers to read persisted agent state or modify memory files to influence model behavior on shared hosts and Docker environments. The vulnerability affects both synchronous and asynchronous memory tool implementations and has been patched in version 0.87.0; no public exploit code or active exploitation has been identified at the time of analysis.

Python Privilege Escalation Docker
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-34406 CRITICAL PATCH Act Now

Privilege escalation in APTRS (Automated Penetration Testing Reporting System) prior to version 2.0.1 allows any user to escalate their own account or modify any other user account to superuser status by submitting a crafted POST request to /api/auth/edituser/<pk> with an is_superuser field set to true. The CustomUserSerializer fails to mark is_superuser as read-only despite including it in serializer fields, and the edit_user view lacks validation to prevent non-superusers from modifying this critical field. No public exploit code or active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit given basic HTTP client access to the endpoint.

Python Privilege Escalation
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-33074 MEDIUM PATCH This Month

Discourse versions 2026.1.0-2026.1.2, 2026.2.0-2026.2.1, and 2026.3.0-pre allow authenticated users to escalate their subscription tier by purchasing a lower-cost plan while obtaining benefits reserved for higher-tier subscriptions. The vulnerability has a CVSS 6.3 score reflecting the integrity impact, requires high attack complexity and partial timing conditions, but affects confidentiality minimally. Vendor-released patches address the flaw in versions 2026.1.3, 2026.2.2, and 2026.3.0, and the exploit likely requires knowledge of the subscription grant mechanism.

Privilege Escalation Discourse
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-2123 HIGH This Week

Privilege escalation in OpenText Operations Agent versions 12.29 and earlier on Windows allows local attackers to execute arbitrary code by placing malicious executables in specific writeable directories, which the agent subsequently executes with elevated privileges. The vulnerability requires local access and specific conditions to be present but does not require prior authentication to the agent itself. No public exploit code has been identified, and there is no confirmation of active exploitation at time of analysis.

Microsoft Privilege Escalation
NVD VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-22561 MEDIUM PATCH This Month

DLL search-order hijacking in Anthropic Claude for Windows installer (Claude Setup.exe) versions before 1.1.3363 enables local privilege escalation to system context. An attacker with low privileges and physical or local access can plant a malicious DLL (such as profapi.dll) in the installer directory; when an elevated user runs the installer, the uncontrolled search path causes the malicious DLL to be loaded and executed with system privileges, achieving arbitrary code execution. No public exploit code or active exploitation has been confirmed at the time of analysis.

Privilege Escalation RCE Microsoft
NVD
CVSS 4.0
4.7
EPSS
0.0%
CVE-2026-34218 MEDIUM PATCH This Month

ClearanceKit on macOS fails to enforce managed and user-defined file-access policies during startup, allowing local processes to bypass intended access controls until GUI interaction triggers policy reloading. The vulnerability affects ClearanceKit versions prior to 4.2.14, where two startup defects create a window in which only a hardcoded baseline rule is enforced, leaving the system vulnerable to privilege escalation and unauthorized file access. This issue is not confirmed actively exploited, but the trivial attack vector (local, no authentication) and high integrity/system impact make it a meaningful risk for systems relying on ClearanceKit for file-access enforcement.

Apple Privilege Escalation
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-0596 PyPI HIGH PATCH GHSA This Week

Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrary commands when models are served with enable_mlserver=True. Unsanitized model_uri parameters embedded in bash -c commands enable shell metacharacter exploitation (command substitution via $() or backticks). With CVSS 9.6 (Critical) and adjacent network attack vector, this poses significant risk in multi-tenant MLOps environments where lower-privileged users can control model URIs served by higher-privileged services. No public exploit code identified at time of analysis, with EPSS data not yet available for this recent CVE.

Command Injection Privilege Escalation Mlflow Mlflow
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-33579 npm CRITICAL POC PATCH GHSA Act Now

Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access by exploiting missing scope validation in the device pairing approval workflow. The /pair approve command fails to forward caller scopes during approval checks, enabling attackers with basic pairing privileges-or potentially no privileges given the CVSS PR:N vector-to approve device requests with elevated admin scopes. EPSS data not available; no public exploit identified at time of analysis, though the CVSS 9.8 reflects trivial exploitation due to network accessibility, low complexity, and no authentication barrier. Vendor-released patch: commit e403dec (2026.3.28+).

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-29870 HIGH This Week

Directory traversal in agentic-context-engine up to version 0.7.1 enables arbitrary file writes through the checkpoint_dir parameter in OfflineACE.run, exploiting inadequate path normalization in the save_to_file method. Unauthenticated attackers can overwrite arbitrary files within the application process's permissions scope, potentially achieving code execution, privilege escalation, or application compromise depending on deployment context and file system layout.

Path Traversal Privilege Escalation RCE
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-5130 HIGH This Week

Unauthenticated privilege escalation in Debugger & Troubleshooter WordPress plugin (versions ≤1.3.2) allows remote attackers to gain administrator access by manipulating a cookie value. Attackers can set the wp_debug_troubleshoot_simulate_user cookie to any user ID without cryptographic validation, bypassing all authentication and authorization checks to immediately impersonate administrators. No public exploit code confirmed at time of analysis, though the attack mechanism is straightforward requiring only cookie manipulation. CVSS 8.8 with network-based attack vector and low complexity indicates significant real-world risk for unpatched installations. Vendor-released patch in version 1.4.0 implements cryptographic token validation.

WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33641 PyPI HIGH POC PATCH GHSA This Week

Command injection in Glances Python monitoring tool allows local authenticated users to execute arbitrary system commands via malicious configuration files. Attackers with write access to Glances configuration files can embed shell commands in backtick-enclosed strings that execute automatically during config parsing with the privileges of the Glances process. In environments where Glances runs as a system service with elevated privileges, this enables privilege escalation from low-privileged user to root. CVSS 7.8 (High) with local attack vector requiring low privileges. Public exploit code exists in the advisory. EPSS data not available, not listed in CISA KEV.

Python Command Injection Privilege Escalation Suse
NVD GitHub VulDB Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27599 PHP MEDIUM PATCH GHSA This Month

Stored DOM-based cross-site scripting (XSS) in CI4 CMS-ERP Mail Settings allows authenticated administrators to inject arbitrary JavaScript via unsanitized configuration fields (Mail Server, Port, Email Address, Password, Protocol, TLS settings), with payloads executing immediately on the same settings page upon save. Attack requires high-privilege access (PR:H) but enables full account takeover and platform compromise. Publicly available proof-of-concept video demonstrates attribute breakout technique.

XSS PHP Privilege Escalation CSRF
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-4416 HIGH PATCH This Week

Insecure deserialization in Gigabyte Control Center's Performance Library component allows authenticated local users to escalate privileges to SYSTEM by sending crafted serialized payloads to the EasyTune Engine service. Affecting Gigabyte Performance Library across versions, this CWE-502 flaw enables low-privileged users to gain complete control of the Windows system. EPSS data not available; no public exploit identified at time of analysis, though the local attack vector and low complexity (CVSS:3.1/AV:L/AC:L/PR:L) suggest exploitation is technically straightforward for attackers with initial local access.

Deserialization Privilege Escalation Performance Library
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-4415 CRITICAL NEWS Act Now

Remote code execution and privilege escalation in Gigabyte Control Center allows unauthenticated network attackers to write arbitrary files to any system location when the pairing feature is enabled. This path traversal vulnerability (CWE-23) requires high attack complexity but needs no user interaction. No public exploit identified at time of analysis, though the technical details disclosed by Taiwan CERT provide sufficient information for exploitation development. CVSS 8.1 (High) reflects significant impact across confidentiality, integrity, and availability.

RCE Privilege Escalation Gigabyte Control Center
NVD VulDB
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-32987 npm CRITICAL PATCH Act Now

Bootstrap setup code replay in OpenClaw before 2026.3.13 enables unauthenticated remote attackers to escalate privileges to operator.admin during device pairing. The vulnerability (CWE-294: Capture-replay) in src/infra/device-bootstrap.ts permits multiple verification attempts of valid bootstrap codes before approval, allowing escalation of pending pairing scopes. CVSS 9.3 (Critical) reflects network-accessible attack with low complexity and no user interaction required. EPSS data unavailable; no public exploit identified at time of analysis. Vendor-released patch available via GitHub commit 1803d16d.

Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Samsung MagicINFO 9 Server versions prior to 21.1091.1 enables authenticated low-privileged users to escalate to high privileges through incorrect default file/directory permissions. Attackers with local access can obtain complete system control, compromising confidentiality, integrity, and availability. Attack requires local access and low-level authentication but no user interaction. No public exploit identified at time of analysis.

Samsung Privilege Escalation
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Symbolic link manipulation in Juniper Networks Junos OS CLI enables authenticated local attackers with low privileges to escalate to root access. Exploitation requires two users: the first performs a 'file link ...' CLI operation, then after the second user commits unrelated configuration changes, the first user can authenticate as root, achieving full system compromise. Affects Junos OS versions across 23.2, 23.4, 24.2, 24.4, and 25.2 release trains prior to specified patch levels. No public exploit identified at time of analysis.

Privilege Escalation Juniper
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

OpenClaw before version 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that improperly uses a synthetic operator.admin runtime scope, allowing authenticated attackers to execute privileged operations with unintended administrative access by triggering session deletion without a request-scoped client. CVSS score of 6.1 reflects the requirement for low-level user authentication (PR:L) and network accessibility; patch availability is confirmed.

Privilege Escalation Openclaw
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.3.22 enables authenticated attackers with operator.pairing approver role to escalate privileges to operator.admin through insufficient scope validation in the device.pair.approve method. Exploitation allows approval of device requests with broader operator scopes than the approver legitimately holds, ultimately enabling remote code execution on Node infrastructure. Affects OpenClaw deployments where role-based access control enforces operator privilege hierarchies. No public exploit identified at time of analysis.

RCE Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in OpenClaw Control UI enables unauthenticated attackers to claim arbitrary privileged scopes without device identity verification. By exploiting the trusted-proxy mechanism's device-less allow path, attackers bypass authentication requirements and maintain elevated permissions across sessions. Affects OpenClaw versions prior to 2026.3.22. Attackers with low-privilege access can escalate to high-impact confidentiality and integrity compromise. No public exploit identified at time of analysis.

Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Privilege escalation in OpenClaw (versions prior to 2026.3.25) enables authenticated local attackers to silently elevate permissions from operator.read to operator.admin during shared-auth reconnection events, achieving remote code execution on affected nodes. The vulnerability exploits auto-approval of scope-upgrade requests in local reconnection flows, requiring low-privilege local access (PR:L) with no user interaction. No public exploit identified at time of analysis. Vendor-released patch available via commit 81ebc7e0344fd19c85778e883bad45e2da972229.

RCE Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Local privilege escalation in Juniper Networks Junos OS and Junos OS Evolved allows low-privileged authenticated users to execute arbitrary code with root privileges. When unsigned Python operation scripts are enabled in device configuration, attackers can inject and execute malicious op scripts under root-equivalent context, achieving complete system compromise. Affects all Junos OS versions before 22.4R3-S7 and multiple branches through 24.4, plus corresponding Junos OS Evolved releases. No public exploit identified at time of analysis. CVSS 8.5 (High) with local attack vector requiring low privileges and no user interaction.

Privilege Escalation Juniper Python
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Aiven Operator versions 0.31.0 through 0.36.x allow developers with ClickhouseUser CRD creation permissions in their own namespace to exfiltrate secrets from arbitrary namespaces by exploiting a confused deputy vulnerability in the operator's ClusterRole. An attacker can craft a malicious ClickhouseUser resource that causes the operator to read privileged credentials (database passwords, API keys, service tokens) from production namespaces and write them into the attacker's namespace with a single kubectl apply command. The vulnerability is fixed in version 0.37.0.

Kubernetes Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation in libcap's cap_set_file() function affects Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4, where a TOCTOU race condition allows an unprivileged user with write access to a parent directory to redirect file capability updates onto an attacker-controlled file. Successful exploitation can inject or strip Linux file capabilities on arbitrary executables, yielding full privilege escalation on the host. No public exploit identified at time of analysis and EPSS is 0.01%, but a vendor patch is available.

Privilege Escalation Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +4
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Privilege escalation in Canonical LXD 4.12 through 6.7 enables remote authenticated restricted TLS certificate users to gain cluster admin privileges. Exploitation requires high-privilege authentication (PR:H) but no user interaction. The vulnerability stems from missing Type field validation in doCertificateUpdate function when processing PUT/PATCH requests to the certificates API endpoint. Attack scope is changed (S:C), allowing attackers to break containment and achieve full cluster compromise with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis.

Canonical Privilege Escalation
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Privilege escalation in Canonical LXD 4.12-6.7 allows authenticated remote attackers with VM instance editing rights to bypass project restrictions via incomplete denylist validation. Attackers inject AppArmor rules and QEMU chardev configurations through unblocked raw.apparmor and raw.qemu.conf keys, bridging the LXD Unix socket into guest VMs. Successful exploitation enables escalation to LXD cluster administrator and subsequently to host root access. No public exploit identified at time of analysis. Authenticated remote exploitation (PR:H) with cross-scope impact on confidentiality, integrity, and availability.

Canonical Privilege Escalation
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

PowerStrip driver (pstrip64.sys) through version 3.90.736 enables authenticated local users to escalate privileges to SYSTEM by sending malicious IOCTL requests that map arbitrary physical memory into user-mode address space, allowing modification of kernel structures. EPSS score of 0.02% (5th percentile) indicates low automated exploitation likelihood, though publicly available exploit code exists (PacketStorm Security reference), making this a realistic threat in environments where PowerStrip is deployed and local access is possible. No CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

Privilege Escalation N A
NVD
EPSS 0% CVSS 8.8
HIGH This Week

DLL injection in GatewayGeo MapServer for Windows version 5 enables authenticated local attackers to escalate privileges to SYSTEM level through crafted executable placement. The vulnerability exploits insecure library loading paths, allowing low-privileged users to inject malicious DLLs that execute with elevated permissions. Publicly available exploit code exists. Affects Windows deployments only; CVSS 8.8 reflects local attack vector requiring low privileges but achieving full system compromise across security boundaries.

Privilege Escalation Microsoft
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Frappe Learning Management System versions prior to 2.46.0 allow authenticated students to modify their own quiz scores via client-side manipulation using browser developer tools before submission. This vulnerability compromises the integrity of quiz results and academic reliability without enabling privilege escalation, unauthorized account access, or exposure of confidential information. The fix is available in version 2.46.0, and no public exploit code or active exploitation has been identified at the time of analysis.

Privilege Escalation Authentication Bypass Lms
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM This Month

Use of a default cryptographic key in Intel Pentium Processor Silver Series, Celeron Processor J Series, and Celeron Processor N Series hardware allows privilege escalation when a hardware reverse engineer with privileged user access performs a high-complexity physical attack with special internal knowledge. The vulnerability has a CVSS score of 5.8 with physical attack vector (AV:P) and high attack complexity (AC:H), requiring privileged access (PR:H) and special attack time requirements (AT:P). No public exploit code or active CISA KEV designation has been identified.

Intel Privilege Escalation Red Hat
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation to root in Fleet Orbit agent (macOS) allows authenticated local users to inject arbitrary Tcl commands via malformed FileVault password input. The vulnerability stems from unsafe interpolation of user-supplied passwords into expect scripts executed as root. CVSS 7.8 (High) with EPSS data unavailable; no public exploit identified at time of analysis, though exploitation requires only a specially crafted password containing closing brace characters. Impacts organizations using Fleet's macOS disk encryption management.

Command Injection Privilege Escalation
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

Authenticated Kibana users with Fleet management privileges can read Elasticsearch index data beyond their intended RBAC permissions through debug route handlers in the Fleet plugin. This scope bypass affects Elastic Kibana deployments where users hold Fleet sub-feature privileges (agent policies, settings management). The vulnerability requires low-privilege authentication (PR:L) and has network attack vector (AV:N) with low complexity (AC:L), enabling cross-scope data confidentiality breach (S:C/C:H). No public exploit identified at time of analysis. EPSS data not available, but the specific privilege escalation vector and remote exploitability warrant prioritization in Kibana Fleet deployments.

Privilege Escalation Elastic
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Unauthenticated access to kcp root shard cache server exposes cluster topology, RBAC policies, and API configurations to network-reachable attackers. The cache server at /services/cache/* bypasses authentication and authorization middleware, allowing any attacker with network access to the root shard (CVSS:3.1/AV:N/AC:L/PR:N) to read replicated resources including ClusterRoles, LogicalClusters, Shards, APIExports, and admission control policies. A secondary race condition permits temporary privi

Authentication Bypass Privilege Escalation
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Red Hat Process Automation Manager container images allow local privilege escalation when the /etc/passwd file is created with group-writable permissions during the build process. An attacker with non-root command execution capability who is a member of the root group can modify /etc/passwd to create a new user with UID 0, gaining full root privileges within the container. This requires high privileges (membership in root group) and challenging conditions (AC:H), but affects all versions of Red Hat Process Automation 7 distributed as container images. No public exploit code has been identified at the time of analysis.

Red Hat Privilege Escalation
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Container privilege escalation in Red Hat Web Terminal allows local attackers with group membership to modify the /etc/passwd file and create arbitrary user accounts including root. The vulnerability stems from overly permissive group-writable permissions on /etc/passwd during image build, enabling privilege escalation from non-root container users to full root access within the container. Red Hat Web Terminal across multiple versions is affected; no public exploit code or active exploitation has been reported at the time of analysis.

Privilege Escalation Red Hat Web Terminal
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Privilege escalation in OpenShift Update Service (OSUS) container images allows local attackers with high privileges to gain root access by modifying the group-writable /etc/passwd file created during build time. An attacker executing commands within an affected container can leverage root group membership to inject a new user with UID 0, achieving full container root privileges. No public exploit code or active exploitation has been identified at the time of analysis.

Privilege Escalation Red Hat Openshift Update Service
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Container privilege escalation in Red Hat Multicluster Engine for Kubernetes allows authenticated local attackers to escalate from non-root container execution to full root privileges by exploiting group-writable permissions on the /etc/passwd file created during container image build time, enabling arbitrary UID assignment including UID 0.

Privilege Escalation Kubernetes
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Container privilege escalation in Red Hat Ansible Automation Platform 2 allows non-root users within affected container images to gain root privileges by modifying the group-writable /etc/passwd file. During the container build process, /etc/passwd is created with overly permissive group-write permissions, enabling any user in the root group to add arbitrary entries including a UID 0 account. This vulnerability requires local container execution access and elevated group membership, but results in complete container compromise when exploited.

Privilege Escalation Red Hat Ansible Automation Platform 2
NVD VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Privilege escalation in Eclipse Jetty 9.4.0-12.1.7 allows unauthenticated remote attackers to bypass authentication via ThreadLocal variable pollution in JASPIAuthenticator. Early returns from authentication checks fail to clear ThreadLocal values, causing subsequent requests on the same thread to inherit elevated privileges. CVSS 7.4 with high complexity but no authentication required. EPSS and KEV status not provided; no public exploit identified at time of analysis. Affects all major Jetty versions from 9.x through 12.x.

Privilege Escalation Eclipse Jetty
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Moxa MxGeneralIo utility versions prior to 1.4.0/1.5.0 expose IOCTL interfaces allowing authenticated high-privilege local attackers to directly access Model-Specific Registers (MSR) and system memory, enabling privilege escalation on Windows 7 or denial-of-service crashes (BSoD) on Windows 10/11. While CVSS 7.0 reflects high availability impact and network attack vector classification, the actual exploit requires local high-privilege access (PR:H), significantly reducing practical risk. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept has been identified at time of analysis, though vendor advisory confirms patch availability.

Microsoft Privilege Escalation
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

WP Blockade WordPress plugin versions up to 0.9.14 allows authenticated users with Subscriber-level access or higher to execute arbitrary WordPress shortcodes due to missing authorization checks and nonce verification in the render_shortcode_preview() function. An attacker can supply malicious shortcodes via the 'wp-blockade-shortcode-render' admin_post action to achieve information disclosure, privilege escalation, or arbitrary actions depending on registered shortcodes. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress Privilege Escalation Authentication Bypass +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Arbitrary user metadata modification in Users Manager - PN plugin for WordPress (versions ≤1.1.15) allows unaneticated remote attackers to escalate privileges and hijack accounts. The vulnerability stems from flawed authorization logic in userspn_ajax_nopriv_server() that fails to verify authentication when user_id is supplied, combined with publicly exposed nonce values. Attackers can modify critical user metadata including userspn_secret_token for any WordPress user. CVSS 9.8 (Critical). EPSS data not available. No public exploit identified at time of analysis, but exploitation requires only HTTP requests with predictable parameters.

WordPress Privilege Escalation Authentication Bypass
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Local privilege escalation to root in IBM Verify/Security Verify Access products 10.0-11.0.2 allows unauthenticated local users to gain full system control via excessive process privileges (CWE-250). The CVSS 9.3 score reflects local attack vector but no authentication requirement (PR:N) and complete system compromise with scope change. Patch available per vendor advisory. No public exploit identified at time of analysis, though the local attack vector and low complexity (AC:L) suggest straightforward exploitation once local access is obtained.

IBM Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored XSS in ChurchCRM Note Editor enables authenticated users to execute arbitrary JavaScript in victims' browsers, leading to session hijacking and privilege escalation against administrators managing sensitive church member data. Affects ChurchCRM versions prior to 6.5.3. CVSS 7.3 (High) reflects network-accessible attack requiring low-privilege authentication and user interaction. EPSS and KEV data not provided; no public exploit identified at time of analysis. Vendor patch released in version 6.5.3.

XSS Privilege Escalation Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

Authorization bypass in Windmill 1.56.0-1.614.0 enables Operator role users to escalate privileges to remote code execution. Operators can bypass documented role restrictions via unprotected backend API endpoints to create/modify scripts, flows, and apps, then execute arbitrary code through the jobs API. Public exploit code exists (GitHub: Chocapikk/Windfall). EPSS data unavailable, but the low attack complexity (AC:L), network access vector (AV:N), and availability of weaponized POC indicate elevated real-world risk for self-hosted Windmill deployments with Operator-level users.

Privilege Escalation RCE Authentication Bypass +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Apache Cassandra 5.0 through 5.0.6 in mTLS environments using MutualTlsAuthenticator allows authenticated users with only CREATE permission to escalate privileges to superuser via certificate identity manipulation through the ADD IDENTITY command. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, with SSVC indicating non-automatable exploitation but total technical impact. Apache released patch version 5.0.7+ addressing this privilege escalation flaw (CWE-267: Privilege Defined With Unsafe Actions).

Privilege Escalation Apache
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Auto-provisioned users in File Browser's proxy authentication flow inherit elevated execution permissions that were explicitly blocked in the self-registration flow, enabling unauthorized command execution. Versions prior to 2.63.1 grant execute capabilities to proxy-auth users from global defaults, bypassing security controls added in commit b6a4fb1. This affects File Browser instances using proxy authentication for automatic user provisioning. No public exploit identified at time of analysis, though EPSS probability warrants attention given the network-accessible attack surface and high confidentiality/integrity impact.

Privilege Escalation Filebrowser
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Improper certificate validation in Red Hat's Open Cluster Management (OCM) and Multicluster Engine for Kubernetes allows managed cluster administrators with high-level local access to forge client certificates, achieving cross-cluster privilege escalation to other managed clusters including the hub cluster. The CVSS 8.2 rating reflects high impact across confidentiality, integrity, and availability with scope change, though exploitation requires existing high-privilege local access (PR:H) and local attack vector (AV:L). No public exploit code or CISA KEV listing identified at time of analysis, though technical details are publicly documented in researcher blog post.

Privilege Escalation Red Hat Kubernetes +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Improper privilege management in runZero Platform allows organization administrators to escalate privileges to superuser status. Authenticated admin users with high privileges (PR:H) can exploit this network-accessible flaw (AV:N) with user interaction (UI:R) to gain unauthorized superuser access, potentially compromising confidentiality and integrity across organizational boundaries (scope changed to C). Fixed in version 4.0.260202.0. EPSS risk data not available; no public exploit identified at time of analysis.

Privilege Escalation Platform
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Local privilege escalation in Checkmk allows site users with high privileges to escalate to root by manipulating site context files processed by the root-executed 'omd' administrative command. Affects Checkmk 2.2.0 (EOL), 2.3.0 before p46, 2.4.0 before p25, and 2.5.0 beta before b3. No public exploit identified at time of analysis. CVSS 9.3 reflects total technical impact, but SSVC assessment indicates non-automatable exploitation requiring existing high-privilege access, tempering the real-world urgency for organizations with strict site user access controls.

Privilege Escalation Checkmk
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-controlled rogue cellular base stations. The vulnerability affects over 60 MediaTek chipset models widely deployed in smartphones and IoT devices, exploitable by adjacent network attackers without authentication (CVSS:3.1 AV:A/PR:N). While EPSS scores this at only 6% exploitation probability (18th percentile) and no active exploitation is confirmed at time of analysis, the attack s

Buffer Overflow Privilege Escalation Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 8.0
HIGH This Week

Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment connects to an attacker-controlled rogue cellular base station. Affects 57 MediaTek chipset models across MT67xx, MT68xx, MT69xx, MT87xx, and MT27xx families used in mobile devices. Authentication not required (CVSS PR:N) but requires adjacent network access and user interaction to connect to malicious base station. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis, though vendor patch MOLY01406170 has been released per April 2026 MediaTek security bulletin.

Buffer Overflow Privilege Escalation Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in AWS Research and Engineering Studio (RES) versions prior to 2026.03 allows authenticated remote attackers to assume virtual desktop host instance profile permissions and interact with AWS resources via crafted API requests. The vulnerability stems from unsanitized user-modifiable attributes in session creation. CVSS 8.7 (High) with network attack vector, low complexity, and requiring low privileges. Vendor-released patch available (version 2026.03). EPSS data not provided; no public exploit identified at time of analysis.

Privilege Escalation Research And Engineering Studio Res
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation RCE Authentication Bypass +1
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Pi-hole 6.4 allows local privilege escalation to root code execution via insecure sourcing of attacker-controlled content in /etc/pihole/versions by root-run scripts. A compromised low-privilege pihole account can inject malicious code that executes with root privileges, despite the pihole account using nologin shell. This vulnerability is fixed in version 6.4.1.

Privilege Escalation RCE Pi Hole
NVD GitHub
EPSS 0% CVSS 8.5
HIGH POC This Week

sheed AntiVirus 2.3 contains an unquoted service path vulnerability in the ShavProt service that allows local attackers to escalate privileges by exploiting the service binary path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Sheed Antivirus
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Hotspot Shield 6.0.3 contains an unquoted service path vulnerability in the hshld service binary that allows local attackers to escalate privileges by injecting malicious executables. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Hotspot Shield
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

IObit Malware Fighter 4.3.1 contains an unquoted service path vulnerability in the IMFservice and LiveUpdateSvc services that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Iobit Malware Fighter
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Netgate AMITI Antivirus build 23.0.305 contains an unquoted service path vulnerability in the AmitiAvSrv and AmitiAntivirusHealth services that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Netgate Amiti Antivirus
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

NETGATE Registry Cleaner build 16.0.205 contains an unquoted service path vulnerability in the NGRegClnSrv service that allows local attackers to escalate privileges by exploiting the service binary. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Netgate Registry Cleaner
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Spy Emergency build 23.0.205 contains an unquoted service path vulnerability in the SpyEmrgHealth and SpyEmrgSrv services that allows local attackers to escalate privileges by inserting malicious. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Spy Emergency
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

IObit Advanced SystemCare 10.0.2 contains an unquoted service path vulnerability in the AdvancedSystemCareService10 service that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Iobit Advanced Systemcare
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in pyLoad download manager allows authenticated non-admin users with SETTINGS permission to execute arbitrary system commands via the AntiVirus plugin configuration. The vulnerability stems from incomplete enforcement of admin-only security controls: while core configuration options like reconnect scripts and SSL certificates require admin privileges, plugin configuration lacks this protection. Attackers can modify the AntiVirus plugin's executable path (avfile) parameter, which is directly passed to subprocess.Popen() without validation, achieving command execution when file downloads complete. CVSS 8.8 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept exists in the GitHub security advisory.

Python RCE Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file overwrite in Directus TUS resumable upload endpoint allows authenticated users to replace any existing file by UUID, bypassing row-level access controls. The vulnerability affects the npm package directus, where the /files/tus controller validates only collection-level permissions but skips item-level authorization checks. Attackers with basic file upload permissions can permanently overwrite victim files with malicious content, potentially escalating privileges by replacing admin-owned assets. EPSS data not available, but the moderate complexity (CVSS AC:L, PR:L) and specific bypass mechanism suggest focused targeting risk. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Privilege Escalation Authentication Bypass File Upload
NVD GitHub
EPSS 0% CVSS 5.6
MEDIUM This Month

AIRBUS TETRA Connectivity Server 7.0 on Windows Server allows privilege escalation to SYSTEM via incorrect default directory permissions (CWE-276), enabling local authenticated attackers to execute arbitrary code by placing a crafted file in a vulnerable directory with user interaction. The vulnerability affects TETRA Connectivity Server version 7.0, with patches available for versions 8.0 and 9.0. No public exploit code or active exploitation in the wild has been identified at time of analysis.

Privilege Escalation RCE Microsoft
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Cache key collisions in fast-jwt's custom cacheKeyBuilder implementations enable token confusion attacks, allowing remote attackers to impersonate users and escalate privileges without authentication. The vulnerability affects Node.js applications using fast-jwt with both caching enabled AND custom cache key builder functions that generate non-unique keys. No public exploit identified at time of analysis, though EPSS data unavailable and exploitation likelihood is high given the network-accessible attack vector (AV:N) and low complexity (AC:L). Applications using default caching behavior are NOT affected.

Privilege Escalation
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Stored cross-site scripting (XSS) in ci4-cms-erp/ci4ms profile management enables privilege escalation to full administrative compromise. Attackers inject malicious JavaScript payloads through unsanitized profile name fields, which execute persistently across multiple application interfaces including administrative user management pages and public-facing blog views. When administrators access affected pages, the stored payload executes in their browser context, enabling session hijacking and complete account takeover. Vendor patch available per GitHub security advisory. This represents a critical privilege escalation vector requiring immediate remediation in any deployment with multiple user roles.

Privilege Escalation XSS
NVD GitHub
EPSS 0% 5.1 CVSS 7.8
HIGH POC PATCH Act Now

Local privilege escalation in Sudo through 1.9.17p2 (fixed in commit 3e474c2) arises because a failed setuid, setgid, or setgroups call during the privilege drop that precedes invoking the mailer is treated as non-fatal, allowing the mailer to run with retained elevated privileges. Local users on systems where Sudo is configured to send mail can leverage this to gain root, with total technical impact per CISA SSVC. EPSS is 0.00% and there is no public exploit identified at time of analysis, consistent with SSVC marking exploitation as none.

Privilege Escalation Sudo
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH This Week

HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Hirschmann Industrial Hivision
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Hirschmann Hisecos Eagle
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

A permissions issue was addressed with additional restrictions. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

RCE Apple Privilege Escalation
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Mbed TLS versions 2.19.0 through 3.6.5 and 4.0.0 allow remote code execution through memory corruption when attackers modify serialized SSL context or session structures. The vulnerability stems from insufficient validation of deserialized data, enabling arbitrary code execution on systems using affected versions. CISA KEV status and active exploitation data not confirmed in provided intelligence.

RCE Privilege Escalation Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Local privilege escalation in Acronis True Image for Windows before build 42902 allows authenticated users with low privileges to escalate to higher privileges through insecure folder permissions. An attacker with local access and user-level privileges can exploit improper permission settings on critical directories to achieve full system compromise, requiring user interaction (file execution or folder navigation). This vulnerability has a CVSS score of 6.7 reflecting high confidentiality, integrity, and availability impact despite the elevated barriers to exploitation.

Privilege Escalation Microsoft
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Local privilege escalation in Acronis True Image (Windows) before build 42902 allows authenticated users with low privileges to gain high-integrity access through DLL hijacking. An attacker with local user access can exploit unsafe DLL loading to execute arbitrary code with elevated permissions, requiring user interaction (e.g., triggering a specific application action). No public exploit code or active exploitation has been confirmed at the time of analysis.

Privilege Escalation Microsoft
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Local privilege escalation in Acronis True Image for Windows before build 42902 exploits DLL hijacking to allow authenticated users to escalate privileges. An attacker with local access and valid credentials can manipulate DLL load paths during application execution, requiring user interaction (such as opening a file or launching a feature), to gain elevated system privileges. This vulnerability has a CVSS score of 6.7 and affects all versions prior to the patched build.

Privilege Escalation Microsoft
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Unauthenticated privilege escalation in SignalK Server (versions prior to 2.24.0-beta.4) allows remote attackers to inject administrator roles via the /enableSecurity endpoint, granting full administrative control without credentials. Attackers can modify vessel routing data, alter server configurations, and access all restricted endpoints. No public exploit identified at time of analysis, but the critical CVSS 9.4 score reflects the trivial exploit complexity (AV:N/AC:L/PR:N) and high confidentiality/integrity impact to marine vessel control systems.

Privilege Escalation Authentication Bypass Signalk Server
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level access tokens. The SingleUseObjectProvider's lack of type and namespace isolation permits attackers to forge valid authorization codes remotely, though exploitation requires high complexity (AC:H). No public exploit identified at time of analysis, with CVSS 7.4 indicating high confidentiality and integrity impact but no availability disruption.

Privilege Escalation Red Hat Build Of Keycloak
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Local privilege escalation in HCL BigFix Platform on Windows allows authenticated users with low privileges to access cryptographic private keys due to overly permissive file system permissions, potentially enabling complete system compromise with cross-scope impact. Authentication required (PR:L). No public exploit identified at time of analysis, though the attack is rated low complexity and fully automated. CVSS 8.8 severity driven by scope change and complete confidentiality/integrity/availability impact.

Microsoft Privilege Escalation
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Percona PMM (Percona Monitoring and Management) versions prior to 3.7 allow authenticated users with pmm-admin privileges to execute arbitrary operating system commands by exploiting excessive database superuser privileges through the 'Add data source' feature. This privilege escalation vulnerability enables container/system breakout from database context to shell access. EPSS score is low (0.04%, 13th percentile) indicating minimal observed exploitation activity, and CISA SSVC assessment confirms no active exploitation with non-automatable attack characteristics, though technical impact is rated total.

Privilege Escalation
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS via HTML entity-encoded javascript: URLs in SVG files in phpMyFAQ enables privilege escalation from editor to admin. The regex-based sanitizer in SvgSanitizer.php fails to detect entity-encoded payloads like &#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58; (javascript:), allowing any user with edit_faq permission to upload malicious SVGs that execute arbitrary JavaScript in admin browsers. Publicly available proof-of-concept demonstrates both basic XSS and complete admin account creation, with confirmed working exploitation in Chrome 146 and Edge.

PHP XSS Privilege Escalation +2
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Path traversal in Ferret's IO::FS::WRITE and IO::FS::READ functions enables remote code execution when web scraping operators process attacker-controlled filenames. The vulnerability affects github.com/MontFerret/ferret (all v2.x and earlier versions), allowing malicious websites to write arbitrary files outside intended directories by injecting '../' sequences into filenames returned via scraped content. Attackers can achieve RCE by writing to /etc/cron.d/, ~/.ssh/authorized_keys, shell profile

Path Traversal RCE Privilege Escalation +2
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Stored cross-site scripting in CI4MS backend user management allows authenticated attackers with low-level privileges to inject malicious JavaScript that executes automatically when administrators access affected pages, enabling session hijacking and full administrative account takeover. The vulnerability affects all versions prior to 0.31.0.0 with a critical CVSS score of 9.9 due to scope change and high impact across confidentiality, integrity, and availability. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis, though the technical barrier is low (AC:L, PR:L).

XSS Privilege Escalation Ci4ms
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Local privilege escalation in Himmelblau versions 2.0.0-alpha through 2.3.8 and 3.0.0-alpha through 3.1.0 allows authenticated users to assume privileged group membership when their Azure Entra ID-mapped CN or short name collides with system group names (sudo, wheel, docker, adm, etc.). The NSS module resolves the collision to the attacker's fake primary group, potentially granting group-level privileges if the system uses NSS for authorization decisions. CVSS 6.3 (medium); no public exploit identified at time of analysis.

Microsoft Privilege Escalation Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Local privilege escalation to SYSTEM via race condition in Lakeside SysTrack Agent 11 (versions prior to 11.2.1.28) allows unauthenticated local attackers to gain complete system control through timing-dependent exploitation. EPSS risk assessment and KEV status not available at time of analysis; no public exploit identified at time of analysis. Attack complexity is rated high, requiring precise timing manipulation of concurrent operations.

Privilege Escalation Race Condition Systrack Agent
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

DLL search path hijacking in Foxit PDF Editor and Foxit PDF Reader update services enables local privilege escalation to SYSTEM. Low-privileged authenticated users can plant malicious libraries in writable directories that are resolved during update checks, achieving arbitrary code execution with elevated privileges. CVSS 7.8 (High) with low attack complexity. No public exploit identified at time of analysis, EPSS data not provided.

Privilege Escalation RCE Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Installer privilege escalation in Foxit PDF Reader and Foxit PDF Editor allows local authenticated users to execute arbitrary code with elevated system privileges via DLL search path manipulation. The installer's failure to use absolute paths for system executables enables attackers to plant malicious DLLs in user-writable directories that take precedence during installation, exploiting the trusted installer's elevated permissions. EPSS data not available; no public exploit identified at time of analysis; not listed in CISA KEV.

Privilege Escalation Foxit Pdf Reader Foxit Pdf Editor
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

File Browser's self-registration mechanism grants arbitrary shell command execution to unauthenticated attackers when administrators enable signup alongside server-side execution. The signupHandler inherits Execute permissions and Commands lists from default user templates but only strips Admin privileges, allowing newly registered users to immediately execute arbitrary commands via WebSocket with the process's full privileges. Vendor patch available. EPSS data not provided, but the specific configuration requirement (signup + enableExec + Execute in defaults) significantly narrows the attack surface despite the network-accessible, unauthenticated attack vector (CVSS 8.1 High). No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis beyond the detailed proof-of-concept in the advisory.

Privilege Escalation Node.js
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Stored XSS in File Browser's EPUB preview function (versions ≤v2.62.1) allows authenticated attackers to steal JWT tokens and escalate privileges by uploading malicious EPUB files. The vulnerability arises from passing allowScriptedContent:true to the epub.js library combined with an ineffective iframe sandbox (allow-scripts + allow-same-origin), enabling JavaScript in crafted EPUBs to access parent frame localStorage. CVSS 7.6 (AV:N/AC:L/PR:L/UI:R/S:C). No public exploit identified at time of analysis beyond the detailed PoC in the advisory. EPSS data not available. Vendor-released patch available per GitHub advisory. Low-privilege users with file upload permissions can weaponize this to compromise administrator sessions.

XSS Privilege Escalation Python +2
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Server-Side Request Forgery (SSRF) in FastMCP's OpenAPIProvider allows authenticated attackers to access arbitrary backend endpoints through path traversal injection in OpenAPI path parameters. The vulnerability arises from improper URL encoding in the RequestDirector._build_url() method, enabling attackers to escape intended API prefixes using '../' sequences and reach internal administrative or sensitive endpoints while inheriting the MCP provider's authentication context. This affects the fastmcp Python package and enables privilege escalation beyond the OpenAPI specification's intended API surface. No public exploit identified at time of analysis, though detailed proof-of-concept code exists in the GitHub advisory demonstrating traversal to /admin endpoints.

SSRF Path Traversal Authentication Bypass +2
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Weak pseudo-random number generation in Cloudreve enables JWT forgery and complete account takeover on instances initialized before v4.10.0. Attackers can brute-force the PRNG seed (achievable in under 3 hours on consumer hardware) by obtaining administrator creation timestamps via public APIs and validating against known hashids, then forge valid JWTs for any user including administrators. No public exploit confirmed at time of analysis, though detailed attack methodology is disclosed. CVSS 8.1 (High) reflects network-accessible privilege escalation despite high attack complexity requiring cryptographic brute-forcing.

Privilege Escalation OpenSSL
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Anthropic Python SDK versions 0.86.0 to before 0.87.0 create memory files with overly permissive file permissions (0o666), allowing local attackers to read persisted agent state or modify memory files to influence model behavior on shared hosts and Docker environments. The vulnerability affects both synchronous and asynchronous memory tool implementations and has been patched in version 0.87.0; no public exploit code or active exploitation has been identified at the time of analysis.

Python Privilege Escalation Docker
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Privilege escalation in APTRS (Automated Penetration Testing Reporting System) prior to version 2.0.1 allows any user to escalate their own account or modify any other user account to superuser status by submitting a crafted POST request to /api/auth/edituser/<pk> with an is_superuser field set to true. The CustomUserSerializer fails to mark is_superuser as read-only despite including it in serializer fields, and the edit_user view lacks validation to prevent non-superusers from modifying this critical field. No public exploit code or active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit given basic HTTP client access to the endpoint.

Python Privilege Escalation
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Discourse versions 2026.1.0-2026.1.2, 2026.2.0-2026.2.1, and 2026.3.0-pre allow authenticated users to escalate their subscription tier by purchasing a lower-cost plan while obtaining benefits reserved for higher-tier subscriptions. The vulnerability has a CVSS 6.3 score reflecting the integrity impact, requires high attack complexity and partial timing conditions, but affects confidentiality minimally. Vendor-released patches address the flaw in versions 2026.1.3, 2026.2.2, and 2026.3.0, and the exploit likely requires knowledge of the subscription grant mechanism.

Privilege Escalation Discourse
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Privilege escalation in OpenText Operations Agent versions 12.29 and earlier on Windows allows local attackers to execute arbitrary code by placing malicious executables in specific writeable directories, which the agent subsequently executes with elevated privileges. The vulnerability requires local access and specific conditions to be present but does not require prior authentication to the agent itself. No public exploit code has been identified, and there is no confirmation of active exploitation at time of analysis.

Microsoft Privilege Escalation
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

DLL search-order hijacking in Anthropic Claude for Windows installer (Claude Setup.exe) versions before 1.1.3363 enables local privilege escalation to system context. An attacker with low privileges and physical or local access can plant a malicious DLL (such as profapi.dll) in the installer directory; when an elevated user runs the installer, the uncontrolled search path causes the malicious DLL to be loaded and executed with system privileges, achieving arbitrary code execution. No public exploit code or active exploitation has been confirmed at the time of analysis.

Privilege Escalation RCE Microsoft
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

ClearanceKit on macOS fails to enforce managed and user-defined file-access policies during startup, allowing local processes to bypass intended access controls until GUI interaction triggers policy reloading. The vulnerability affects ClearanceKit versions prior to 4.2.14, where two startup defects create a window in which only a hardcoded baseline rule is enforced, leaving the system vulnerable to privilege escalation and unauthorized file access. This issue is not confirmed actively exploited, but the trivial attack vector (local, no authentication) and high integrity/system impact make it a meaningful risk for systems relying on ClearanceKit for file-access enforcement.

Apple Privilege Escalation
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrary commands when models are served with enable_mlserver=True. Unsanitized model_uri parameters embedded in bash -c commands enable shell metacharacter exploitation (command substitution via $() or backticks). With CVSS 9.6 (Critical) and adjacent network attack vector, this poses significant risk in multi-tenant MLOps environments where lower-privileged users can control model URIs served by higher-privileged services. No public exploit code identified at time of analysis, with EPSS data not yet available for this recent CVE.

Command Injection Privilege Escalation Mlflow Mlflow
NVD
EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now

Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access by exploiting missing scope validation in the device pairing approval workflow. The /pair approve command fails to forward caller scopes during approval checks, enabling attackers with basic pairing privileges-or potentially no privileges given the CVSS PR:N vector-to approve device requests with elevated admin scopes. EPSS data not available; no public exploit identified at time of analysis, though the CVSS 9.8 reflects trivial exploitation due to network accessibility, low complexity, and no authentication barrier. Vendor-released patch: commit e403dec (2026.3.28+).

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Directory traversal in agentic-context-engine up to version 0.7.1 enables arbitrary file writes through the checkpoint_dir parameter in OfflineACE.run, exploiting inadequate path normalization in the save_to_file method. Unauthenticated attackers can overwrite arbitrary files within the application process's permissions scope, potentially achieving code execution, privilege escalation, or application compromise depending on deployment context and file system layout.

Path Traversal Privilege Escalation RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Unauthenticated privilege escalation in Debugger & Troubleshooter WordPress plugin (versions ≤1.3.2) allows remote attackers to gain administrator access by manipulating a cookie value. Attackers can set the wp_debug_troubleshoot_simulate_user cookie to any user ID without cryptographic validation, bypassing all authentication and authorization checks to immediately impersonate administrators. No public exploit code confirmed at time of analysis, though the attack mechanism is straightforward requiring only cookie manipulation. CVSS 8.8 with network-based attack vector and low complexity indicates significant real-world risk for unpatched installations. Vendor-released patch in version 1.4.0 implements cryptographic token validation.

WordPress Privilege Escalation
NVD
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Command injection in Glances Python monitoring tool allows local authenticated users to execute arbitrary system commands via malicious configuration files. Attackers with write access to Glances configuration files can embed shell commands in backtick-enclosed strings that execute automatically during config parsing with the privileges of the Glances process. In environments where Glances runs as a system service with elevated privileges, this enables privilege escalation from low-privileged user to root. CVSS 7.8 (High) with local attack vector requiring low privileges. Public exploit code exists in the advisory. EPSS data not available, not listed in CISA KEV.

Python Command Injection Privilege Escalation +1
NVD GitHub VulDB Exploit-DB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Stored DOM-based cross-site scripting (XSS) in CI4 CMS-ERP Mail Settings allows authenticated administrators to inject arbitrary JavaScript via unsanitized configuration fields (Mail Server, Port, Email Address, Password, Protocol, TLS settings), with payloads executing immediately on the same settings page upon save. Attack requires high-privilege access (PR:H) but enables full account takeover and platform compromise. Publicly available proof-of-concept video demonstrates attribute breakout technique.

XSS PHP Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Insecure deserialization in Gigabyte Control Center's Performance Library component allows authenticated local users to escalate privileges to SYSTEM by sending crafted serialized payloads to the EasyTune Engine service. Affecting Gigabyte Performance Library across versions, this CWE-502 flaw enables low-privileged users to gain complete control of the Windows system. EPSS data not available; no public exploit identified at time of analysis, though the local attack vector and low complexity (CVSS:3.1/AV:L/AC:L/PR:L) suggest exploitation is technically straightforward for attackers with initial local access.

Deserialization Privilege Escalation Performance Library
NVD VulDB
EPSS 0% CVSS 9.2
CRITICAL Act Now

Remote code execution and privilege escalation in Gigabyte Control Center allows unauthenticated network attackers to write arbitrary files to any system location when the pairing feature is enabled. This path traversal vulnerability (CWE-23) requires high attack complexity but needs no user interaction. No public exploit identified at time of analysis, though the technical details disclosed by Taiwan CERT provide sufficient information for exploitation development. CVSS 8.1 (High) reflects significant impact across confidentiality, integrity, and availability.

RCE Privilege Escalation Gigabyte Control Center
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Bootstrap setup code replay in OpenClaw before 2026.3.13 enables unauthenticated remote attackers to escalate privileges to operator.admin during device pairing. The vulnerability (CWE-294: Capture-replay) in src/infra/device-bootstrap.ts permits multiple verification attempts of valid bootstrap codes before approval, allowing escalation of pending pairing scopes. CVSS 9.3 (Critical) reflects network-accessible attack with low complexity and no user interaction required. EPSS data unavailable; no public exploit identified at time of analysis. Vendor-released patch available via GitHub commit 1803d16d.

Privilege Escalation Openclaw
NVD GitHub VulDB
Prev Page 11 of 148 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy