Privilege Escalation
Monthly
Privilege escalation in OpenClaw device token rotation (versions before 2026.3.11) enables authenticated attackers with operator.pairing scope to mint tokens with arbitrary elevated scopes, including operator.admin privileges. This scope validation bypass permits remote code execution on connected nodes via system.run API and unauthorized gateway-admin access. CVSS 9.4 (Critical) with network attack vector and low complexity. EPSS and KEV data not provided; no public exploit identified at time of analysis, though technical details disclosed via GitHub security advisory increase exploitation risk.
Fleet server memory exhaustion via unbounded request bodies allows unauthenticated denial-of-service against multiple HTTP endpoints. The vulnerability affects Fleet v4 (github.com/fleetdm/fleet/v4) and was responsibly disclosed by @fuzzztf. Attackers can exhaust available memory and force server restarts by sending oversized or repeated HTTP requests to unauthenticated endpoints lacking size limits. No public exploit identified at time of analysis, though the attack mechanism is straightforward given the CWE-770 resource allocation vulnerability class.
Wazuh Manager authd service through version 4.7.3 fails to properly restrict client-initiated SSL/TLS renegotiation requests, allowing unauthenticated remote attackers to trigger excessive renegotiations that consume CPU resources and cause denial of service. The vulnerability affects the authentication daemon across all Wazuh Manager deployments running vulnerable versions, enabling attackers to render the authd service unavailable with no authentication required and minimal attack complexity.
Wazuh Manager authd service through version 4.7.3 fails to properly restrict client-initiated SSL/TLS renegotiation, enabling remote attackers to trigger denial of service by flooding the service with excessive renegotiation requests that exhaust CPU resources and render the authentication daemon unavailable. The vulnerability affects all Wazuh Manager installations up to and including version 4.7.3, requires no authentication or user interaction, and can be exploited over the network by any remote actor. No public exploit code or active exploitation has been confirmed at this time, though the straightforward nature of renegotiation-based DoS attacks and moderate CVSS score of 6.9 indicate practical exploitability.
Path traversal in Incus system container manager allows authenticated remote attackers to write arbitrary files as root on the host via malformed systemd credential configuration keys. Affecting all versions before 6.23.0, this enables both privilege escalation from container to host and denial of service through critical file overwrites. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability, with no public exploit identified at time of analysis. The CVSS 9.9 Critical rating reflects the severe impact of container escape, though the PR:L requirement and lack of active exploitation temper immediate urgency.
Authentication bypass in Incus webui (versions prior to 6.23.0) permits local or remote attackers to gain unauthorized access to the system container and virtual machine manager via an improperly validated authentication token. The vulnerability allows attackers who can reach the temporary localhost web server to escalate privileges to the level of the user running 'incus webui', enabling control over containers, virtual machines, and potentially underlying system resources. CVSS score of 8.8 (High) reflects network attack vector with low complexity requiring user interaction; no public exploit identified at time of analysis.
Incus versions prior to 6.23.0 allow local authenticated attackers to manipulate temporary screenshot files via predictable /tmp paths and symlink attacks, potentially truncating and altering permissions of arbitrary files on systems with disabled symlink protection (rare), leading to denial of service or local privilege escalation. The vulnerability requires local access and authenticated user privileges but is particularly dangerous on systems without kernel-level symlink protections enabled. An exploit proof-of-concept exists, and the vendor has released patched version 6.23.0 to address the issue.
Privilege escalation in ellanetworks/core allows NetworkManager role holders to replace the production SQLite database through an unvalidated restore endpoint, escalating to Admin privileges with full access to user management, audit logs, and system configuration. The NetworkManager role was improperly granted backup/restore permissions, and the restore function accepted arbitrary SQLite files without content validation. Vendor patch available in v1.7.0 (commit 1e47682). EPSS exploitation probability is low (0.03%, 8th percentile), and no active exploitation or public POC identified at time of analysis.
Improper case sensitivity handling in the Drupal OpenID Connect / OAuth client module versions prior to 1.5.0 allows privilege escalation through authentication bypass mechanisms. Authenticated or remote attackers can exploit case-sensitivity weaknesses in identity claim validation to assume elevated permissions within Drupal systems relying on this module for federated authentication. The vulnerability affects all versions from 0.0.0 through 1.5.0, and vendor-released patch version 1.5.0 is available.
Keycloak allows authenticated administrators with manage-clients permission to escalate privileges to manage-permissions level, enabling unauthorized control over roles, users, and administrative functions within a realm. Red Hat Build of Keycloak, JBoss Enterprise Application Platform 8, and Red Hat Single Sign-On 7 are affected when admin permissions are enabled at the realm level. The vulnerability requires high-privilege authentication but carries medium CVSS severity (6.5) due to confidentiality and integrity impact without availability compromise.
Remote command execution can be achieved by low-privileged authenticated users (ProjectMember role) in OneUptime monitoring platform versions prior to 10.0.35 by exploiting incomplete sandbox restrictions in Synthetic Monitor Playwright script execution. Attackers can traverse the unblocked _browserType and launchServer properties via page.context().browser()._browserType.launchServer() to spawn arbitrary processes on the Probe container or host. A proof-of-concept exploit exists per SSVC framework data, and the vulnerability carries a CVSS score of 9.9 with Critical severity due to scope change and total technical impact.
Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that can compromise application integrity and confidentiality. Unauthenticated attackers can leverage this access control flaw to manipulate and exfiltrate data with user interaction required (CVSS 8.1, AV:N/AC:L/PR:N/UI:R). No public exploit has been identified at time of analysis, with CISA SSVC rating the technical impact as partial and exploitation status as none.
Vienna Assistant 1.2.542 on macOS allows local privilege escalation through an unauthenticated XPC service endpoint that accepts connections from any process. The vulnerable VSL privileged helper service exposes functions to write arbitrary files to any location and execute arbitrary binaries with any arguments, enabling a low-privileged local user to gain root access. A proof-of-concept exploit exists per SSVC assessment, with an EPSS score of 0.02% indicating low observed exploitation probability in the wild.
Mattermost versions 11.2.x through 11.2.2, 10.11.x through 10.11.10, 11.4.0, and 11.3.x through 11.3.1 fail to properly restrict team-level access during remote cluster membership synchronization, allowing a malicious remote cluster to grant users access to entire private teams rather than limiting access to only shared channels. An authenticated attacker controlling a federated remote cluster can send crafted membership sync messages to trigger unintended team membership assignment, resulting in unauthorized access to private team resources. The EPSS score of 0.03% (percentile 7%) indicates low real-world exploitation probability, and no public exploit code has been identified at time of analysis.
RATOC RAID Monitoring Manager for Windows contains an insecure directory permissions vulnerability when the installation folder is customized to a non-default location. The installer fails to properly set access control lists (ACLs) on custom installation directories, allowing non-administrative users to modify folder contents and execute arbitrary code with SYSTEM privileges. With a CVSS 4.0 score of 8.5, this represents a high-severity local privilege escalation vulnerability affecting Windows systems where this RAID management software is installed.
The Amelia Booking plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in versions up to and including 9.1.2 that allows authenticated attackers with customer-level permissions to bypass authorization controls and modify user passwords, including administrator accounts, potentially leading to complete site takeover. This vulnerability affects the pro version of the plugin available on CodeCanyon and carries a CVSS score of 8.8 (HIGH). No evidence of active exploitation (KEV) or public proof-of-concept is currently documented, but the vulnerability has been publicly disclosed by Wordfence.
The Masteriyo LMS plugin for WordPress contains a critical privilege escalation vulnerability that allows authenticated users with Student-level access or higher to elevate their privileges to administrator level. All versions up to and including 2.1.6 are affected. The vulnerability is exploitable over the network with low attack complexity and requires no user interaction, resulting in a critical CVSS score of 9.8, though the CVSS vector indicates no authentication required (PR:N) which conflicts with the description stating Student-level access is needed.
crun versions 1.19 through 1.26 misparse the `-u` (--user) option during container execution, causing a numeric UID value of 1 to be incorrectly interpreted as UID 0 (root) instead, resulting in privilege escalation where containerized processes execute with root privileges instead of the intended unprivileged user. The vulnerability affects the containers/crun OCI runtime container (cpe:2.3:a:containers:crun:*:*:*:*:*:*:*:*) and has been patched in version 1.27. No public exploit code or active exploitation has been identified, though the EPSS score of 0.01% (percentile 2%) indicates minimal real-world exploitation likelihood despite the privilege escalation tag.
Improper access control in OpenEMR versions prior to 8.0.0.3 allows any authenticated user to download and permanently delete electronic claim batch files containing protected health information (PHI) via the billing file-download endpoint, regardless of whether they have billing privileges. The vulnerability has a 7.6 CVSS score with low attack complexity and requires only low-level authentication. EPSS exploitation probability is 0.03% (8th percentile), indicating low observed targeting in real-world exploitation at time of analysis, and no public exploit has been identified.
OpenEMR versions prior to 8.0.0.3 allow authenticated API users to bypass administrative access controls on five insurance company management REST API endpoints due to missing authorization checks. An attacker with valid API credentials but non-administrative OpenEMR privileges can create, read, and modify insurance company records without proper permission validation. The vulnerability requires prior authentication and affects data integrity rather than confidentiality or availability; no public exploit code has been identified, and exploitation probability is very low (EPSS 0.02%).
Improper privilege management in Iperius Backup through version 8.7.3 allows local authenticated attackers to escalate privileges via manipulation of the Backup Job Configuration File Handler, with public exploit code available. The vulnerability requires local access and high attack complexity but grants full confidentiality and integrity impacts to affected systems. Upgrade to version 8.7.4 or later to remediate.
IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 are vulnerable to privilege escalation due to improper access control (CWE-200: Information Exposure). A privileged user with existing authenticated access to the application server can exploit this vulnerability to gain additional unauthorized access to sensitive resources, potentially leading to information disclosure and integrity violations. While a CVSS score of 6.5 indicates moderate severity, the vulnerability requires high privileges to trigger (PR:H) and has no user interaction requirement, making it exploitable by insiders or compromised administrative accounts.
A stored cross-site scripting (XSS) vulnerability in n8n workflow automation platform allows authenticated users to craft malicious workflows that execute arbitrary JavaScript in the browsers of higher-privileged users. Affected versions are n8n prior to 1.123.27, 2.13.3, and 2.14.1 (identified via CPE cpe:2.3:a:n8n-io:n8n). An attacker with workflow creation/modification permissions can exploit the `/rest/binary-data` endpoint's failure to properly sanitize HTML responses, enabling credential theft, workflow manipulation, and privilege escalation to administrative access with full same-origin context.
A user-controlled key authorization bypass vulnerability in HYPR Server versions 9.5.2 through 10.7.1 enables authenticated attackers to escalate privileges through improper authorization checks. An attacker with low-level privileges can manipulate cryptographic keys or authorization tokens to gain high-level access, compromising confidentiality, integrity, and availability of the authentication system. This vulnerability requires local or physical access to the system and valid user credentials, limiting its immediate threat scope but representing a critical risk in multi-tenant or shared infrastructure deployments.
An incorrect privilege assignment vulnerability in HYPR Server allows authenticated users to escalate their privileges through an unspecified mechanism. HYPR Server versions 10.5.1 through 10.6.x are affected, with the vulnerability resolved in version 10.7 and later. An attacker with valid user credentials can exploit this flaw to gain elevated permissions, potentially compromising the entire authentication infrastructure managed by the HYPR Server instance.
An Incorrect Privilege Assignment vulnerability exists in WPFunnels Creator LMS plugin (versions up to and including 1.1.18) that allows authenticated or unauthenticated attackers to escalate their privileges within the application. This CWE-266 flaw enables attackers to gain unauthorized administrative or elevated access, potentially compromising the entire LMS installation and user data. While CVSS and EPSS scores are not yet publicly available, the privilege escalation nature and confirmed vulnerability status indicate significant real-world risk, particularly for WordPress installations managing educational content and user accounts.
RewardsWP, a WordPress plugin by Andrew Munro/AffiliateWP, contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows authenticated or unauthenticated attackers to escalate their privileges within the plugin and potentially the WordPress installation. Affected versions are RewardsWP up to and including 1.0.4. This vulnerability enables privilege escalation attacks, allowing attackers with limited access to gain elevated permissions and control over reward or affiliate functionality.
Bit SMTP version 1.2.2 and earlier contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. The vulnerability affects the Bit SMTP WordPress plugin and permits attackers to elevate their privileges beyond their intended authorization level. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15882, indicating formal recognition of the security issue.
A privilege escalation vulnerability exists in the wpeverest User Registration WordPress plugin through version 4.4.9 due to incorrect privilege assignment (CWE-266). This flaw allows authenticated or unauthenticated attackers to escalate their privileges within the plugin, potentially gaining administrative access or elevated capabilities. No CVSS score, EPSS data, or KEV status has been published, limiting quantification of real-world exploitation risk, though the vulnerability was reported by Patchstack and affects all installations running version 4.4.9 or earlier.
An Incorrect Privilege Assignment vulnerability (CWE-266) exists in uxper Golo theme versions up to and including 1.7.0, enabling privilege escalation attacks. This WordPress theme vulnerability allows attackers to elevate their privileges within the application, potentially gaining unauthorized administrative access. The vulnerability was reported by Patchstack and affects all versions from an unspecified baseline through 1.7.0; no CVSS score, EPSS data, or active KEV status information is currently available.
WPBookit Pro contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows unauthenticated or low-privileged attackers to escalate their privileges within the WordPress plugin. All versions through 1.6.18 are affected, enabling attackers to gain unauthorized administrative or elevated capabilities. The vulnerability was reported by Patchstack and tracked under EUVD-2026-15721, though CVSS scoring data is currently unavailable.
An Incorrect Privilege Assignment vulnerability (CWE-266) exists in the Salon Booking System Pro WordPress plugin versions prior to 10.30.12, allowing attackers to escalate privileges and potentially achieve account takeover. The vulnerability affects all versions of the salon-booking-plugin-pro from an unspecified baseline through version 10.30.11. This privilege escalation can be exploited by unauthenticated or low-privileged attackers to gain unauthorized administrative access to the booking system.
Elated-Themes Search & Go contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. All versions up to and including version 2.8 are affected. An attacker can exploit this flaw to escalate privileges within the WordPress environment, gaining unauthorized administrative or elevated capabilities. While CVSS and EPSS scores are not available, the vulnerability has been documented by security researcher Patchstack and assigned ENISA EUVD tracking ID EUVD-2026-15582, indicating it has received third-party security scrutiny.
This is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Xagio SEO WordPress plugin that allows privilege escalation. The vulnerability affects Xagio SEO versions up to and including 7.1.0.30. An attacker can exploit this flaw to elevate their privileges within the affected WordPress installation, potentially gaining administrative access or performing unauthorized actions. No CVSS score, EPSS data, or KEV status information is currently available, and the vulnerability has not been confirmed as actively exploited in the wild.
RegistrationMagic, a WordPress plugin for custom registration forms, contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation through improper access controls. Versions up to and including 6.0.7.1 are affected, enabling attackers to escalate privileges and potentially take over user accounts. While CVSS and EPSS scores are not publicly available, the vulnerability has been documented by Patchstack and assigned ENISA tracking ID EUVD-2026-15569, indicating active vulnerability research and disclosure.
cryptodev-linux 1.14 and earlier suffer from a use-after-free vulnerability in the /dev/crypto device driver that enables local privilege escalation through reference count manipulation. Attackers with local access can exploit this memory corruption flaw to gain elevated privileges on affected systems. Public exploit code exists for this vulnerability.
A permissions enforcement vulnerability in macOS allows applications to bypass security restrictions and access protected user data due to insufficient authorization checks. This issue affects macOS Sequoia (prior to 15.7.5), macOS Sonoma (prior to 14.8.5), and macOS Tahoe (prior to 26.4). An attacker with the ability to execute an application on the affected system could potentially access sensitive user information without proper user consent or authorization. No CVSS score, EPSS data, or active exploitation in the wild (KEV status) has been disclosed by Apple.
A permissions bypass vulnerability in Apple Xcode allows unprivileged applications to read arbitrary files with root-level privileges due to insufficient access controls. The vulnerability affects Xcode versions prior to 26.4 and could enable attackers to exfiltrate sensitive system files or configuration data. While no CVSS score or EPSS data is currently published, the ability to read arbitrary files as root represents a critical privilege escalation issue that warrants immediate patching.
A privilege escalation vulnerability exists in osslsigncode (mtrojnar) versions 2.10 and earlier within the osslsigncode.c component, allowing remote attackers to escalate privileges. The vulnerability affects users of the osslsigncode code signing utility. While CVSS scoring is not yet available, referenced GitHub issues and pull requests suggest this is an authenticated or context-dependent issue that has been identified and likely patched.
A privilege escalation vulnerability exists in ralphje Signify versions prior to 0.9.2, affecting the signed_data.py and context.py components. Remote attackers can exploit this flaw to escalate privileges within the application's cryptographic signature verification context. While CVSS and EPSS scores are not currently available, the vulnerability has been patched in version 0.9.2 and related issues have been addressed in the upstream osslsigncode project.
Parse Server versions prior to 8.6.59 and 9.6.0-alpha.53 contain a SQL injection vulnerability in PostgreSQL aggregate operations that allows attackers with master key access to execute arbitrary SQL statements, escalating from application-level administrator privileges to database-level access. Only PostgreSQL-backed Parse Server deployments are affected; MongoDB deployments are not vulnerable. No CVSS score or EPSS data is currently available, and no KEV or active exploitation reports have been confirmed at this time.
Firefox's Netmonitor component contains a privilege escalation vulnerability that affects versions prior to 149 (ESR < 140.9), allowing unauthenticated attackers to gain elevated privileges through network-accessible attack vectors with no user interaction required. This critical flaw (CVSS 9.8) enables complete system compromise including confidentiality, integrity, and availability violations, with no patch currently available.
Firefox versions prior to 149 contain a privilege escalation vulnerability in the IPC component that allows remote attackers to escalate privileges through user interaction on affected systems. An attacker can exploit this flaw to gain elevated system access and potentially execute arbitrary code with higher privileges. No patch is currently available for this high-severity vulnerability affecting Mozilla and Debian users.
This vulnerability in Roadiz's DownloadedFile::fromUrl() method allows authenticated users with ROLE_ACCESS_DOCUMENTS to read arbitrary files from the server via PHP stream wrapper abuse, specifically by injecting file:// URIs into media import workflows. An attacker can extract sensitive files including .env configuration files, database credentials, and system files, achieving complete confidentiality compromise of the application and potentially the underlying infrastructure. A proof-of-concept exists demonstrating exploitation through malicious Podcast RSS feeds, and a patch is available from the vendor.
systemd (PID 1) contains a denial-of-service vulnerability triggered by malformed IPC API calls from unprivileged users that causes the service manager to assert and freeze. On versions v249 and earlier, the same vulnerability manifests as stack buffer overwriting with attacker-controlled data, potentially enabling code execution; versions v250 and newer include a safety check that converts this to a non-exploitable assertion failure. The vulnerability affects systemd versions v239 through v259 (with patched versions 260-rc1, 259.2, 258.5, and 257.11 available), impacting all Linux distributions using affected systemd builds including multiple Ubuntu releases tracked at medium priority.
Blinko versions prior to 1.8.4 contain a critical privilege escalation vulnerability in the upsertUser endpoint that allows any authenticated user to modify other users' passwords and escalate to superadmin privileges. The vulnerability stems from three distinct authorization and input validation flaws: missing superAdminAuthMiddleware enforcement, optional password verification, and absent ownership checks. An attacker with valid credentials can directly execute account takeover and administrative privilege escalation with no additional exploits required.
GV Edge Recording Manager (ERM) v2.3.1 improperly executes application components with SYSTEM-level privileges, allowing any local user to escalate privileges and gain full control of the operating system. The vulnerability stems from the Windows service running under the LocalSystem account and spawning child processes with elevated privileges, particularly when file dialogs are invoked during operations like data import. This is a local privilege escalation vulnerability with high real-world risk due to the ease of exploitation and the severity of the impact.
A critical command injection vulnerability exists in DigitalOcean Droplet Agent through version 1.3.2, where the troubleshooting actioner component processes metadata from the metadata service endpoint without adequate input validation, allowing attackers who can control metadata responses to inject and execute arbitrary OS commands with root privileges. An attacker can trigger the vulnerability by sending a TCP packet with specific sequence numbers to the SSH port, causing the agent to fetch and execute malicious commands from the metadata service, potentially leading to complete system compromise, data exfiltration, and lateral movement across cloud infrastructure. A public proof-of-concept exists at https://github.com/poxsky/CVE-2026-24516-DigitalOcean-RCE, indicating active research and potential exploitation risk.
Iperius Backup 6.1.0 contains a privilege escalation vulnerability that allows low-privilege users to execute arbitrary programs with elevated privileges by creating backup jobs.
The Ultimate WordPress Toolkit - WP Extended plugin for WordPress contains a privilege escalation vulnerability affecting all versions up to and including 3.2.4. Authenticated attackers with Subscriber-level access can exploit an insecure URL check to gain administrative capabilities, enabling them to modify WordPress options and create new administrator accounts. This is a critical vulnerability with a CVSS score of 8.8, requiring low attack complexity and no user interaction.
The Import and export users and customers plugin for WordPress contains a privilege escalation vulnerability that allows unauthenticated attackers to gain Administrator privileges. All versions up to and including 1.29.7 are affected. The vulnerability can only be exploited when specific configuration conditions are met (the 'Show fields in profile' setting is enabled and a CSV with wp_capabilities column has been previously imported), which increases attack complexity but does not eliminate the critical risk.
The Expire Users plugin for WordPress versions up to and including 1.2.2 contains a privilege escalation vulnerability that allows authenticated users with Subscriber-level access or higher to elevate their privileges to administrator level. This occurs because the plugin improperly allows users to update the 'on_expire_default_to_role' meta field through the 'save_extra_user_profile_fields' function without proper authorization checks. With a CVSS score of 8.8 (High severity), this represents a critical security issue for affected WordPress installations, though no active exploitation (KEV) or EPSS data has been reported at this time.
The Linksy Search and Replace plugin for WordPress versions up to 1.0.4 contains a missing capability check vulnerability that allows authenticated attackers with subscriber-level access or higher to modify arbitrary database tables. Attackers can exploit this to elevate their privileges to administrator by modifying the wp_capabilities field, achieving complete site takeover. With a CVSS score of 8.8 (High), this represents a critical privilege escalation vulnerability affecting authenticated users with minimal access.
The App Builder - Create Native Android & iOS Apps On The Flight WordPress plugin up to version 5.5.10 contains a privilege escalation vulnerability in its REST API registration endpoint that allows unauthenticated attackers to register accounts with the wcfm_vendor role, bypassing WCFM Marketplace's vendor approval workflow. The verify_role() function in AuthTrails.php explicitly whitelists the wcfm_vendor role without proper authorization checks, enabling attackers to immediately gain vendor-level privileges including product management, order access, and store management on affected WordPress installations. This vulnerability has a CVSS score of 6.5 with low attack complexity and no authentication requirements, making it a moderate-to-significant risk for WordPress sites using both this plugin and WCFM Marketplace.
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated attackers to bypass device pairing requirements and self-assign elevated operator.admin scopes. Attackers with valid shared gateway authentication credentials can present self-signed unpaired device identities to obtain administrator privileges before pairing approval is granted. This is a high-severity vulnerability (CVSS 8.8) with a patch available from the vendor.
Unauthenticated access to OCPP WebSocket endpoints allows remote attackers to impersonate legitimate charging stations and execute arbitrary commands against electric vehicle charging infrastructure without credentials. An attacker can connect using a known station identifier to manipulate charging operations, alter backend data, and escalate privileges across the charging network. No patch is currently available for this critical vulnerability affecting EV charging systems.
CTEK Chargeportal's OCPP WebSocket endpoints accept unauthenticated connections, allowing remote attackers to impersonate charging stations by connecting with known or discovered station identifiers and issuing fraudulent OCPP commands to the backend infrastructure. This authentication bypass enables complete control over charging operations, data manipulation, and privilege escalation across the charging network. CISA ICS-CERT issued advisory ICSA-26-078-06 for this industrial control system vulnerability. EPSS score of 0.13% (33rd percentile) indicates relatively low predicted exploitation likelihood despite critical CVSS 9.3 severity, though SSVC assessment confirms the vulnerability is fully automatable with total technical impact.
Remote code execution in Python allows authenticated users with SETTINGS permission to modify the reconnect.script configuration parameter without restriction, which is then passed unsanitized to subprocess.run() enabling arbitrary command execution. The vulnerability exists due to insufficient input validation in the set_config_value() API endpoint, which only restricts the general.storage_folder setting while leaving other security-critical options like reconnect.script unprotected. An attacker with non-admin SETTINGS privileges can exploit this to achieve full system compromise on the affected Python installation.
A Cross-Site Request Forgery (CSRF) vulnerability in the AVideo platform's plugin upload endpoint allows unauthenticated attackers to achieve Remote Code Execution by tricking authenticated administrators into visiting a malicious webpage. The vulnerability combines missing CSRF token validation on the pluginImport.json.php endpoint with explicitly configured SameSite=None session cookies over HTTPS, enabling cross-origin session hijacking. A proof-of-concept exploit has been published demonstrating full compromise by uploading a malicious plugin containing a PHP webshell.
An unauthenticated information disclosure vulnerability exists in the AVideo Permissions plugin endpoint `list.json.php`, which exposes the complete permission matrix mapping user groups to installed plugins without any authentication check. The vulnerability affects AVideo instances with the Permissions plugin enabled and allows unauthenticated attackers to enumerate all user groups, plugins, and their permission assignments-information that significantly aids targeted privilege escalation attacks. A proof-of-concept curl command exists, and this represents a clear authentication bypass in a sensitive administrative endpoint.
AVideo, an open-source video platform, contains a session fixation vulnerability that allows attackers to hijack user sessions and achieve full account takeover. The flaw affects the AVideo Composer package (pkg:composer/wwbn_avideo) and stems from accepting arbitrary session IDs via URL parameters, bypassing session regeneration for specific endpoints, and disabled session regeneration during login. A public proof-of-concept exploit is available in the GitHub security advisory, and the vulnerability requires only low privileges (authenticated attacker) and user interaction (victim clicking a malicious link), making it highly exploitable.
The Aimogen Pro plugin for WordPress contains an arbitrary function call vulnerability allowing unauthenticated attackers to execute privileged WordPress functions without authorization. All versions up to and including 2.7.5 are affected, enabling attackers to modify critical site settings such as changing the default user registration role to administrator, then registering as an admin to gain full site control. This is a critical authentication bypass with privilege escalation rated 9.8 CVSS, though no active exploitation (KEV) or public proof-of-concept has been reported at this time.
A privilege escalation vulnerability in Discourse allows moderators to edit site policy documents (Terms of Service, guidelines, privacy policy) despite explicit access restrictions, enabling unauthorized modification of critical site governance documents. This affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The vulnerability has a low CVSS score of 2.2 due to high attack complexity and privileged access requirement, but represents a clear integrity violation of role-based access controls.
SQL injection in SuiteCRM's authentication layer when directory support is enabled allows authenticated attackers with low-privilege directory credentials to execute arbitrary SQL commands and escalate privileges to administrator level. The vulnerability stems from insufficient input sanitization of usernames in local database queries. SuiteCRM versions prior to 7.15.1 and 8.9.3 are affected, with no patch currently available.
OpenWrt versions prior to 24.10.6 allow local attackers with limited privileges to inject a malicious PATH environment variable into hotplug scripts due to improper filtering in the hotplug_call function, enabling execution of arbitrary binaries with elevated privileges. The vulnerability stems from a strcmp/strncmp logic error that fails to properly exclude the PATH variable when executing scripts in /etc/hotplug.d, resulting in local privilege escalation. No patch is currently available.
Unauthorized user warnings in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 can be issued by authenticated non-staff users due to a type coercion flaw in the post actions API endpoint. Attackers with valid login credentials can exploit this to send warnings meant only for staff moderators, though no data exposure or further privilege escalation occurs. No patch workaround is currently available.
The CustomizeUser plugin in PHP and Python allows attackers to bypass channel-level access control by exploiting improper password validation in the setPassword.json.php endpoint. An administrator-level attacker can set any user's channel password to zero due to type coercion of non-numeric characters, enabling trivial authentication bypass for any visitor. No patch is currently available for this critical vulnerability.
A critical validation bypass vulnerability in the ormar Python ORM library allows attackers to completely skip all Pydantic field validation by injecting a special '__pk_only__' parameter in JSON request bodies. This affects all applications using ormar's canonical FastAPI integration pattern (where ormar models are used directly as request body parameters), enabling attackers to persist invalid data, bypass security constraints, and potentially escalate privileges. A working proof-of-concept demonstrates the vulnerability is trivially exploitable, and with a CVSS score of 7.1, it poses significant risk to affected applications.
UniFi Network Application allows authenticated attackers to escalate privileges via NoSQL injection with high confidentiality impact. The vulnerability enables network-accessible attackers holding low-privilege credentials to exploit database queries and access sensitive information belonging to higher-privileged users or contexts. With an EPSS score of 0.03% (7th percentile) and no public exploit identified at time of analysis, real-world exploitation probability is currently assessed as low despite the 7.7 CVSS severity rating.
The AVideo Scheduler plugin fails to validate callback URLs against Server-Side Request Forgery (SSRF) protections, allowing authenticated administrators to configure scheduled tasks that make HTTP requests to internal networks, cloud metadata services, and private IP ranges. An attacker with admin access can retrieve AWS/GCP/Azure instance metadata credentials (including IAM role tokens) or probe internal APIs not exposed to the internet. A proof-of-concept exists demonstrating credential extraction from AWS metadata endpoints at 169.254.169.254.
An incorrect privilege assignment vulnerability exists in the WooCommerce Wholesale Lead Capture plugin for WordPress, allowing unauthenticated attackers to escalate privileges on affected sites. All versions through 2.0.3.1 of the plugin developed by Rymera Web Co Pty Ltd. are vulnerable. With a CVSS score of 9.8 (Critical) and network-based exploitation requiring no privileges or user interaction, this represents a severe security risk for WordPress sites using this plugin.
Use of a hard-coded AES-256-CBC key in the configuration backup/restore implementation of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote authenticated users to decrypt, modify, and re-encrypt...
The Tekton Pipelines git resolver contains a path traversal vulnerability allowing authenticated tenants to read arbitrary files from the resolver pod's filesystem via the pathInRepo parameter. Affected products include github.com/tektoncd/pipeline versions 1.0.0 through 1.10.0 across multiple release branches. The vulnerability enables credential exfiltration and privilege escalation from namespace-scoped access to cluster-wide secret reading capabilities. A proof-of-concept was provided by the vulnerability reporter Oleh Konko.
Local privilege escalation in Linux kernel AppArmor allows low-privilege users to manipulate security policy via confused deputy attack. Attackers pass file descriptors for apparmorfs interfaces to privileged processes, enabling full policy management capabilities including disabling confinement and bypassing user namespace restrictions. Publicly available exploit code exists. EPSS score 0.01% suggests low widespread exploitation probability. Patches released for kernel 6.12.77, 6.18.18, 6.19.8, and 7.0-rc4 with multiple distribution advisories available.
Arturia Software Center on macOS installs plugin uninstall scripts with world-writable permissions (777) in root-owned directories, allowing local attackers to modify these scripts and achieve privilege escalation when the Privileged Helper executes them during plugin removal. This vulnerability affects any macOS user with the Arturia Software Center installed and requires local access and user interaction to exploit. No patch is currently available.
The KiviCare clinic management plugin for WordPress contains a critical privilege escalation vulnerability allowing unauthenticated attackers to create new clinics and administrative users through an unprotected REST API endpoint. All versions up to and including 4.1.2 are affected. With a CVSS score of 8.2 and network-based exploitation requiring no authentication, this represents a significant risk to healthcare data confidentiality and system integrity, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.
The Arturia Software Center on macOS contains insufficient code signature validation in its Privileged Helper component, allowing unauthenticated clients to connect and execute privileged actions without proper authorization. This vulnerability affects all versions of Arturia Software Center and enables local privilege escalation attacks where an unprivileged user can escalate to root or system-level privileges. While no CVSS score or EPSS data is publicly available, the authentication bypass nature and privilege escalation impact classify this as a high-severity issue; no KEV listing or public proof-of-concept has been confirmed at this time.
This vulnerability in Dahua NVR/XVR devices allows unauthenticated privilege escalation through the serial port console by bypassing shell authentication mechanisms. Affected devices include Dahua NVR2-4KS3, XVR4232AN-I/T, and XVR1B16H-I/T models with build dates prior to March 3, 2026. An attacker with physical access to the device can gain a restricted shell and escalate privileges to access sensitive system functions, though the CVSS 2.4 score reflects the requirement for physical proximity and lack of data availability impact.
MuraCMS through version 10.1.10 contains a Cross-Site Request Forgery (CSRF) vulnerability in the user management Add To Group functionality that allows attackers to escalate privileges by adding authenticated users to arbitrary groups without proper authorization validation. An authenticated administrator visiting a malicious webpage can be tricked into adding any user to the Admin group or other privileged groups, though escalation to the Super Admin (s2) group is blocked. This vulnerability enables both horizontal privilege escalation across different user groups and vertical privilege escalation to administrative roles, posing a significant risk to multi-user MuraCMS installations where administrator accounts are targeted.
Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauthenticated root code execution by exploiting insecure file permissions in the cluster synchronization protocol. An attacker with cluster node access can overwrite the manager's configuration file to inject malicious commands that are subsequently executed with root privileges by the logcollector service. This vulnerability affects multi-node Wazuh deployments and has no available patch.
Local privilege escalation in snapd on multiple Ubuntu versions allows authenticated local attackers to obtain root access by exploiting a race condition between snap's temporary directory creation and systemd-tmpfiles cleanup operations. An attacker with local access can manipulate the /tmp directory to escalate privileges when snapd attempts to recreate its private snap directories. This vulnerability affects Ubuntu 16.04 LTS through 24.04 LTS with no patch currently available.
A second-order SQL injection vulnerability exists in Admidio's MyList configuration feature, allowing authenticated users to inject arbitrary SQL commands through list column configurations that are safely stored but unsafely read back. The vulnerability enables attackers to read sensitive data including password hashes, modify database contents, or achieve full database compromise. A detailed proof-of-concept is available demonstrating exploitation requiring only standard user privileges.
Unauthenticated attackers can register administrator accounts in Docker when self-registration is enabled and default user permissions include admin privileges, as the signup handler fails to strip admin permissions from self-registered accounts. Public exploit code exists for this vulnerability. No patch is currently available.
Glances monitoring system allows local attackers with limited privileges to execute arbitrary commands by injecting shell metacharacters into process or container names, which bypass command sanitization in the action execution handler. The vulnerability affects the threshold alert system that dynamically executes administrator-configured shell commands populated with runtime monitoring data. An attacker controlling a process name or container name can manipulate command parsing to break out of intended command boundaries and inject malicious commands.
LAPSWebUI before version 2.4 by Truesec improperly caches LAPS (Local Administrator Password Solution) passwords in browser storage, allowing a local attacker with user-level access to retrieve plaintext or weakly protected admin credentials from the browser cache. An attacker who gains access to a workstation where an administrator has used LAPSWebUI can escalate privileges to local administrator by exploiting this caching behavior. While the CVSS score is moderate at 6.0, the practical impact is high because successful exploitation directly enables privilege escalation to administrative access.
LAPSWebUI before version 2.4 contains a non-functional logout mechanism that allows an authenticated local attacker to obtain elevated privileges through disclosure of cached local administrator passwords. An attacker with existing workstation access and low privileges can exploit this flaw to escalate to local admin by recovering credentials that should have been cleared upon session termination. The vulnerability carries a CVSS v4.0 score of 6.0 (Medium) with local attack vector and requires prior login plus user interaction, though the confidentiality impact on sensitive credentials is marked as high.
Insufficient Session Expiration in Truesec's LAPSWebUI before version 2.4 allows local attackers with user-level privileges to obtain local administrator passwords through inadequate session management controls. An attacker with physical or logical access to a workstation can exploit this vulnerability to escalate privileges and disclose sensitive credentials, potentially compromising domain administration. This vulnerability represents a practical privilege escalation risk in environments relying on LAPS (Local Administrator Password Solution) for credential management.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento', allowing authenticated users with low privileges to inject malicious scripts that persist in the application and execute in the browsers of other users, potentially enabling unauthorized data access and privilege escalation across the veterinary team. The vulnerability has a CVSS v4.0 base score of 4.8 (low-to-medium severity) but poses meaningful organizational risk due to its stored nature and the ability for low-privileged users to affect higher-privileged team members. No public exploit code or active exploitation in the wild has been reported at this time, though the attack requires only Network access and user interaction, making it feasible for insider threats.
A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe).
Serviio PRO 1.8 and earlier versions contain an unquoted service path vulnerability combined with insecure directory permissions that allows local authenticated users to escalate privileges to SYSTEM level. A public exploit is available, making this vulnerability easily exploitable by any authenticated user on the system. With a CVSS score of 7.8 and multiple proof-of-concept exploits published, this represents a significant risk for organizations running affected versions.
Privilege escalation in OpenClaw device token rotation (versions before 2026.3.11) enables authenticated attackers with operator.pairing scope to mint tokens with arbitrary elevated scopes, including operator.admin privileges. This scope validation bypass permits remote code execution on connected nodes via system.run API and unauthorized gateway-admin access. CVSS 9.4 (Critical) with network attack vector and low complexity. EPSS and KEV data not provided; no public exploit identified at time of analysis, though technical details disclosed via GitHub security advisory increase exploitation risk.
Fleet server memory exhaustion via unbounded request bodies allows unauthenticated denial-of-service against multiple HTTP endpoints. The vulnerability affects Fleet v4 (github.com/fleetdm/fleet/v4) and was responsibly disclosed by @fuzzztf. Attackers can exhaust available memory and force server restarts by sending oversized or repeated HTTP requests to unauthenticated endpoints lacking size limits. No public exploit identified at time of analysis, though the attack mechanism is straightforward given the CWE-770 resource allocation vulnerability class.
Wazuh Manager authd service through version 4.7.3 fails to properly restrict client-initiated SSL/TLS renegotiation requests, allowing unauthenticated remote attackers to trigger excessive renegotiations that consume CPU resources and cause denial of service. The vulnerability affects the authentication daemon across all Wazuh Manager deployments running vulnerable versions, enabling attackers to render the authd service unavailable with no authentication required and minimal attack complexity.
Wazuh Manager authd service through version 4.7.3 fails to properly restrict client-initiated SSL/TLS renegotiation, enabling remote attackers to trigger denial of service by flooding the service with excessive renegotiation requests that exhaust CPU resources and render the authentication daemon unavailable. The vulnerability affects all Wazuh Manager installations up to and including version 4.7.3, requires no authentication or user interaction, and can be exploited over the network by any remote actor. No public exploit code or active exploitation has been confirmed at this time, though the straightforward nature of renegotiation-based DoS attacks and moderate CVSS score of 6.9 indicate practical exploitability.
Path traversal in Incus system container manager allows authenticated remote attackers to write arbitrary files as root on the host via malformed systemd credential configuration keys. Affecting all versions before 6.23.0, this enables both privilege escalation from container to host and denial of service through critical file overwrites. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability, with no public exploit identified at time of analysis. The CVSS 9.9 Critical rating reflects the severe impact of container escape, though the PR:L requirement and lack of active exploitation temper immediate urgency.
Authentication bypass in Incus webui (versions prior to 6.23.0) permits local or remote attackers to gain unauthorized access to the system container and virtual machine manager via an improperly validated authentication token. The vulnerability allows attackers who can reach the temporary localhost web server to escalate privileges to the level of the user running 'incus webui', enabling control over containers, virtual machines, and potentially underlying system resources. CVSS score of 8.8 (High) reflects network attack vector with low complexity requiring user interaction; no public exploit identified at time of analysis.
Incus versions prior to 6.23.0 allow local authenticated attackers to manipulate temporary screenshot files via predictable /tmp paths and symlink attacks, potentially truncating and altering permissions of arbitrary files on systems with disabled symlink protection (rare), leading to denial of service or local privilege escalation. The vulnerability requires local access and authenticated user privileges but is particularly dangerous on systems without kernel-level symlink protections enabled. An exploit proof-of-concept exists, and the vendor has released patched version 6.23.0 to address the issue.
Privilege escalation in ellanetworks/core allows NetworkManager role holders to replace the production SQLite database through an unvalidated restore endpoint, escalating to Admin privileges with full access to user management, audit logs, and system configuration. The NetworkManager role was improperly granted backup/restore permissions, and the restore function accepted arbitrary SQLite files without content validation. Vendor patch available in v1.7.0 (commit 1e47682). EPSS exploitation probability is low (0.03%, 8th percentile), and no active exploitation or public POC identified at time of analysis.
Improper case sensitivity handling in the Drupal OpenID Connect / OAuth client module versions prior to 1.5.0 allows privilege escalation through authentication bypass mechanisms. Authenticated or remote attackers can exploit case-sensitivity weaknesses in identity claim validation to assume elevated permissions within Drupal systems relying on this module for federated authentication. The vulnerability affects all versions from 0.0.0 through 1.5.0, and vendor-released patch version 1.5.0 is available.
Keycloak allows authenticated administrators with manage-clients permission to escalate privileges to manage-permissions level, enabling unauthorized control over roles, users, and administrative functions within a realm. Red Hat Build of Keycloak, JBoss Enterprise Application Platform 8, and Red Hat Single Sign-On 7 are affected when admin permissions are enabled at the realm level. The vulnerability requires high-privilege authentication but carries medium CVSS severity (6.5) due to confidentiality and integrity impact without availability compromise.
Remote command execution can be achieved by low-privileged authenticated users (ProjectMember role) in OneUptime monitoring platform versions prior to 10.0.35 by exploiting incomplete sandbox restrictions in Synthetic Monitor Playwright script execution. Attackers can traverse the unblocked _browserType and launchServer properties via page.context().browser()._browserType.launchServer() to spawn arbitrary processes on the Probe container or host. A proof-of-concept exploit exists per SSVC framework data, and the vulnerability carries a CVSS score of 9.9 with Critical severity due to scope change and total technical impact.
Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that can compromise application integrity and confidentiality. Unauthenticated attackers can leverage this access control flaw to manipulate and exfiltrate data with user interaction required (CVSS 8.1, AV:N/AC:L/PR:N/UI:R). No public exploit has been identified at time of analysis, with CISA SSVC rating the technical impact as partial and exploitation status as none.
Vienna Assistant 1.2.542 on macOS allows local privilege escalation through an unauthenticated XPC service endpoint that accepts connections from any process. The vulnerable VSL privileged helper service exposes functions to write arbitrary files to any location and execute arbitrary binaries with any arguments, enabling a low-privileged local user to gain root access. A proof-of-concept exploit exists per SSVC assessment, with an EPSS score of 0.02% indicating low observed exploitation probability in the wild.
Mattermost versions 11.2.x through 11.2.2, 10.11.x through 10.11.10, 11.4.0, and 11.3.x through 11.3.1 fail to properly restrict team-level access during remote cluster membership synchronization, allowing a malicious remote cluster to grant users access to entire private teams rather than limiting access to only shared channels. An authenticated attacker controlling a federated remote cluster can send crafted membership sync messages to trigger unintended team membership assignment, resulting in unauthorized access to private team resources. The EPSS score of 0.03% (percentile 7%) indicates low real-world exploitation probability, and no public exploit code has been identified at time of analysis.
RATOC RAID Monitoring Manager for Windows contains an insecure directory permissions vulnerability when the installation folder is customized to a non-default location. The installer fails to properly set access control lists (ACLs) on custom installation directories, allowing non-administrative users to modify folder contents and execute arbitrary code with SYSTEM privileges. With a CVSS 4.0 score of 8.5, this represents a high-severity local privilege escalation vulnerability affecting Windows systems where this RAID management software is installed.
The Amelia Booking plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in versions up to and including 9.1.2 that allows authenticated attackers with customer-level permissions to bypass authorization controls and modify user passwords, including administrator accounts, potentially leading to complete site takeover. This vulnerability affects the pro version of the plugin available on CodeCanyon and carries a CVSS score of 8.8 (HIGH). No evidence of active exploitation (KEV) or public proof-of-concept is currently documented, but the vulnerability has been publicly disclosed by Wordfence.
The Masteriyo LMS plugin for WordPress contains a critical privilege escalation vulnerability that allows authenticated users with Student-level access or higher to elevate their privileges to administrator level. All versions up to and including 2.1.6 are affected. The vulnerability is exploitable over the network with low attack complexity and requires no user interaction, resulting in a critical CVSS score of 9.8, though the CVSS vector indicates no authentication required (PR:N) which conflicts with the description stating Student-level access is needed.
crun versions 1.19 through 1.26 misparse the `-u` (--user) option during container execution, causing a numeric UID value of 1 to be incorrectly interpreted as UID 0 (root) instead, resulting in privilege escalation where containerized processes execute with root privileges instead of the intended unprivileged user. The vulnerability affects the containers/crun OCI runtime container (cpe:2.3:a:containers:crun:*:*:*:*:*:*:*:*) and has been patched in version 1.27. No public exploit code or active exploitation has been identified, though the EPSS score of 0.01% (percentile 2%) indicates minimal real-world exploitation likelihood despite the privilege escalation tag.
Improper access control in OpenEMR versions prior to 8.0.0.3 allows any authenticated user to download and permanently delete electronic claim batch files containing protected health information (PHI) via the billing file-download endpoint, regardless of whether they have billing privileges. The vulnerability has a 7.6 CVSS score with low attack complexity and requires only low-level authentication. EPSS exploitation probability is 0.03% (8th percentile), indicating low observed targeting in real-world exploitation at time of analysis, and no public exploit has been identified.
OpenEMR versions prior to 8.0.0.3 allow authenticated API users to bypass administrative access controls on five insurance company management REST API endpoints due to missing authorization checks. An attacker with valid API credentials but non-administrative OpenEMR privileges can create, read, and modify insurance company records without proper permission validation. The vulnerability requires prior authentication and affects data integrity rather than confidentiality or availability; no public exploit code has been identified, and exploitation probability is very low (EPSS 0.02%).
Improper privilege management in Iperius Backup through version 8.7.3 allows local authenticated attackers to escalate privileges via manipulation of the Backup Job Configuration File Handler, with public exploit code available. The vulnerability requires local access and high attack complexity but grants full confidentiality and integrity impacts to affected systems. Upgrade to version 8.7.4 or later to remediate.
IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 are vulnerable to privilege escalation due to improper access control (CWE-200: Information Exposure). A privileged user with existing authenticated access to the application server can exploit this vulnerability to gain additional unauthorized access to sensitive resources, potentially leading to information disclosure and integrity violations. While a CVSS score of 6.5 indicates moderate severity, the vulnerability requires high privileges to trigger (PR:H) and has no user interaction requirement, making it exploitable by insiders or compromised administrative accounts.
A stored cross-site scripting (XSS) vulnerability in n8n workflow automation platform allows authenticated users to craft malicious workflows that execute arbitrary JavaScript in the browsers of higher-privileged users. Affected versions are n8n prior to 1.123.27, 2.13.3, and 2.14.1 (identified via CPE cpe:2.3:a:n8n-io:n8n). An attacker with workflow creation/modification permissions can exploit the `/rest/binary-data` endpoint's failure to properly sanitize HTML responses, enabling credential theft, workflow manipulation, and privilege escalation to administrative access with full same-origin context.
A user-controlled key authorization bypass vulnerability in HYPR Server versions 9.5.2 through 10.7.1 enables authenticated attackers to escalate privileges through improper authorization checks. An attacker with low-level privileges can manipulate cryptographic keys or authorization tokens to gain high-level access, compromising confidentiality, integrity, and availability of the authentication system. This vulnerability requires local or physical access to the system and valid user credentials, limiting its immediate threat scope but representing a critical risk in multi-tenant or shared infrastructure deployments.
An incorrect privilege assignment vulnerability in HYPR Server allows authenticated users to escalate their privileges through an unspecified mechanism. HYPR Server versions 10.5.1 through 10.6.x are affected, with the vulnerability resolved in version 10.7 and later. An attacker with valid user credentials can exploit this flaw to gain elevated permissions, potentially compromising the entire authentication infrastructure managed by the HYPR Server instance.
An Incorrect Privilege Assignment vulnerability exists in WPFunnels Creator LMS plugin (versions up to and including 1.1.18) that allows authenticated or unauthenticated attackers to escalate their privileges within the application. This CWE-266 flaw enables attackers to gain unauthorized administrative or elevated access, potentially compromising the entire LMS installation and user data. While CVSS and EPSS scores are not yet publicly available, the privilege escalation nature and confirmed vulnerability status indicate significant real-world risk, particularly for WordPress installations managing educational content and user accounts.
RewardsWP, a WordPress plugin by Andrew Munro/AffiliateWP, contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows authenticated or unauthenticated attackers to escalate their privileges within the plugin and potentially the WordPress installation. Affected versions are RewardsWP up to and including 1.0.4. This vulnerability enables privilege escalation attacks, allowing attackers with limited access to gain elevated permissions and control over reward or affiliate functionality.
Bit SMTP version 1.2.2 and earlier contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. The vulnerability affects the Bit SMTP WordPress plugin and permits attackers to elevate their privileges beyond their intended authorization level. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15882, indicating formal recognition of the security issue.
A privilege escalation vulnerability exists in the wpeverest User Registration WordPress plugin through version 4.4.9 due to incorrect privilege assignment (CWE-266). This flaw allows authenticated or unauthenticated attackers to escalate their privileges within the plugin, potentially gaining administrative access or elevated capabilities. No CVSS score, EPSS data, or KEV status has been published, limiting quantification of real-world exploitation risk, though the vulnerability was reported by Patchstack and affects all installations running version 4.4.9 or earlier.
An Incorrect Privilege Assignment vulnerability (CWE-266) exists in uxper Golo theme versions up to and including 1.7.0, enabling privilege escalation attacks. This WordPress theme vulnerability allows attackers to elevate their privileges within the application, potentially gaining unauthorized administrative access. The vulnerability was reported by Patchstack and affects all versions from an unspecified baseline through 1.7.0; no CVSS score, EPSS data, or active KEV status information is currently available.
WPBookit Pro contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows unauthenticated or low-privileged attackers to escalate their privileges within the WordPress plugin. All versions through 1.6.18 are affected, enabling attackers to gain unauthorized administrative or elevated capabilities. The vulnerability was reported by Patchstack and tracked under EUVD-2026-15721, though CVSS scoring data is currently unavailable.
An Incorrect Privilege Assignment vulnerability (CWE-266) exists in the Salon Booking System Pro WordPress plugin versions prior to 10.30.12, allowing attackers to escalate privileges and potentially achieve account takeover. The vulnerability affects all versions of the salon-booking-plugin-pro from an unspecified baseline through version 10.30.11. This privilege escalation can be exploited by unauthenticated or low-privileged attackers to gain unauthorized administrative access to the booking system.
Elated-Themes Search & Go contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. All versions up to and including version 2.8 are affected. An attacker can exploit this flaw to escalate privileges within the WordPress environment, gaining unauthorized administrative or elevated capabilities. While CVSS and EPSS scores are not available, the vulnerability has been documented by security researcher Patchstack and assigned ENISA EUVD tracking ID EUVD-2026-15582, indicating it has received third-party security scrutiny.
This is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Xagio SEO WordPress plugin that allows privilege escalation. The vulnerability affects Xagio SEO versions up to and including 7.1.0.30. An attacker can exploit this flaw to elevate their privileges within the affected WordPress installation, potentially gaining administrative access or performing unauthorized actions. No CVSS score, EPSS data, or KEV status information is currently available, and the vulnerability has not been confirmed as actively exploited in the wild.
RegistrationMagic, a WordPress plugin for custom registration forms, contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation through improper access controls. Versions up to and including 6.0.7.1 are affected, enabling attackers to escalate privileges and potentially take over user accounts. While CVSS and EPSS scores are not publicly available, the vulnerability has been documented by Patchstack and assigned ENISA tracking ID EUVD-2026-15569, indicating active vulnerability research and disclosure.
cryptodev-linux 1.14 and earlier suffer from a use-after-free vulnerability in the /dev/crypto device driver that enables local privilege escalation through reference count manipulation. Attackers with local access can exploit this memory corruption flaw to gain elevated privileges on affected systems. Public exploit code exists for this vulnerability.
A permissions enforcement vulnerability in macOS allows applications to bypass security restrictions and access protected user data due to insufficient authorization checks. This issue affects macOS Sequoia (prior to 15.7.5), macOS Sonoma (prior to 14.8.5), and macOS Tahoe (prior to 26.4). An attacker with the ability to execute an application on the affected system could potentially access sensitive user information without proper user consent or authorization. No CVSS score, EPSS data, or active exploitation in the wild (KEV status) has been disclosed by Apple.
A permissions bypass vulnerability in Apple Xcode allows unprivileged applications to read arbitrary files with root-level privileges due to insufficient access controls. The vulnerability affects Xcode versions prior to 26.4 and could enable attackers to exfiltrate sensitive system files or configuration data. While no CVSS score or EPSS data is currently published, the ability to read arbitrary files as root represents a critical privilege escalation issue that warrants immediate patching.
A privilege escalation vulnerability exists in osslsigncode (mtrojnar) versions 2.10 and earlier within the osslsigncode.c component, allowing remote attackers to escalate privileges. The vulnerability affects users of the osslsigncode code signing utility. While CVSS scoring is not yet available, referenced GitHub issues and pull requests suggest this is an authenticated or context-dependent issue that has been identified and likely patched.
A privilege escalation vulnerability exists in ralphje Signify versions prior to 0.9.2, affecting the signed_data.py and context.py components. Remote attackers can exploit this flaw to escalate privileges within the application's cryptographic signature verification context. While CVSS and EPSS scores are not currently available, the vulnerability has been patched in version 0.9.2 and related issues have been addressed in the upstream osslsigncode project.
Parse Server versions prior to 8.6.59 and 9.6.0-alpha.53 contain a SQL injection vulnerability in PostgreSQL aggregate operations that allows attackers with master key access to execute arbitrary SQL statements, escalating from application-level administrator privileges to database-level access. Only PostgreSQL-backed Parse Server deployments are affected; MongoDB deployments are not vulnerable. No CVSS score or EPSS data is currently available, and no KEV or active exploitation reports have been confirmed at this time.
Firefox's Netmonitor component contains a privilege escalation vulnerability that affects versions prior to 149 (ESR < 140.9), allowing unauthenticated attackers to gain elevated privileges through network-accessible attack vectors with no user interaction required. This critical flaw (CVSS 9.8) enables complete system compromise including confidentiality, integrity, and availability violations, with no patch currently available.
Firefox versions prior to 149 contain a privilege escalation vulnerability in the IPC component that allows remote attackers to escalate privileges through user interaction on affected systems. An attacker can exploit this flaw to gain elevated system access and potentially execute arbitrary code with higher privileges. No patch is currently available for this high-severity vulnerability affecting Mozilla and Debian users.
This vulnerability in Roadiz's DownloadedFile::fromUrl() method allows authenticated users with ROLE_ACCESS_DOCUMENTS to read arbitrary files from the server via PHP stream wrapper abuse, specifically by injecting file:// URIs into media import workflows. An attacker can extract sensitive files including .env configuration files, database credentials, and system files, achieving complete confidentiality compromise of the application and potentially the underlying infrastructure. A proof-of-concept exists demonstrating exploitation through malicious Podcast RSS feeds, and a patch is available from the vendor.
systemd (PID 1) contains a denial-of-service vulnerability triggered by malformed IPC API calls from unprivileged users that causes the service manager to assert and freeze. On versions v249 and earlier, the same vulnerability manifests as stack buffer overwriting with attacker-controlled data, potentially enabling code execution; versions v250 and newer include a safety check that converts this to a non-exploitable assertion failure. The vulnerability affects systemd versions v239 through v259 (with patched versions 260-rc1, 259.2, 258.5, and 257.11 available), impacting all Linux distributions using affected systemd builds including multiple Ubuntu releases tracked at medium priority.
Blinko versions prior to 1.8.4 contain a critical privilege escalation vulnerability in the upsertUser endpoint that allows any authenticated user to modify other users' passwords and escalate to superadmin privileges. The vulnerability stems from three distinct authorization and input validation flaws: missing superAdminAuthMiddleware enforcement, optional password verification, and absent ownership checks. An attacker with valid credentials can directly execute account takeover and administrative privilege escalation with no additional exploits required.
GV Edge Recording Manager (ERM) v2.3.1 improperly executes application components with SYSTEM-level privileges, allowing any local user to escalate privileges and gain full control of the operating system. The vulnerability stems from the Windows service running under the LocalSystem account and spawning child processes with elevated privileges, particularly when file dialogs are invoked during operations like data import. This is a local privilege escalation vulnerability with high real-world risk due to the ease of exploitation and the severity of the impact.
A critical command injection vulnerability exists in DigitalOcean Droplet Agent through version 1.3.2, where the troubleshooting actioner component processes metadata from the metadata service endpoint without adequate input validation, allowing attackers who can control metadata responses to inject and execute arbitrary OS commands with root privileges. An attacker can trigger the vulnerability by sending a TCP packet with specific sequence numbers to the SSH port, causing the agent to fetch and execute malicious commands from the metadata service, potentially leading to complete system compromise, data exfiltration, and lateral movement across cloud infrastructure. A public proof-of-concept exists at https://github.com/poxsky/CVE-2026-24516-DigitalOcean-RCE, indicating active research and potential exploitation risk.
Iperius Backup 6.1.0 contains a privilege escalation vulnerability that allows low-privilege users to execute arbitrary programs with elevated privileges by creating backup jobs.
The Ultimate WordPress Toolkit - WP Extended plugin for WordPress contains a privilege escalation vulnerability affecting all versions up to and including 3.2.4. Authenticated attackers with Subscriber-level access can exploit an insecure URL check to gain administrative capabilities, enabling them to modify WordPress options and create new administrator accounts. This is a critical vulnerability with a CVSS score of 8.8, requiring low attack complexity and no user interaction.
The Import and export users and customers plugin for WordPress contains a privilege escalation vulnerability that allows unauthenticated attackers to gain Administrator privileges. All versions up to and including 1.29.7 are affected. The vulnerability can only be exploited when specific configuration conditions are met (the 'Show fields in profile' setting is enabled and a CSV with wp_capabilities column has been previously imported), which increases attack complexity but does not eliminate the critical risk.
The Expire Users plugin for WordPress versions up to and including 1.2.2 contains a privilege escalation vulnerability that allows authenticated users with Subscriber-level access or higher to elevate their privileges to administrator level. This occurs because the plugin improperly allows users to update the 'on_expire_default_to_role' meta field through the 'save_extra_user_profile_fields' function without proper authorization checks. With a CVSS score of 8.8 (High severity), this represents a critical security issue for affected WordPress installations, though no active exploitation (KEV) or EPSS data has been reported at this time.
The Linksy Search and Replace plugin for WordPress versions up to 1.0.4 contains a missing capability check vulnerability that allows authenticated attackers with subscriber-level access or higher to modify arbitrary database tables. Attackers can exploit this to elevate their privileges to administrator by modifying the wp_capabilities field, achieving complete site takeover. With a CVSS score of 8.8 (High), this represents a critical privilege escalation vulnerability affecting authenticated users with minimal access.
The App Builder - Create Native Android & iOS Apps On The Flight WordPress plugin up to version 5.5.10 contains a privilege escalation vulnerability in its REST API registration endpoint that allows unauthenticated attackers to register accounts with the wcfm_vendor role, bypassing WCFM Marketplace's vendor approval workflow. The verify_role() function in AuthTrails.php explicitly whitelists the wcfm_vendor role without proper authorization checks, enabling attackers to immediately gain vendor-level privileges including product management, order access, and store management on affected WordPress installations. This vulnerability has a CVSS score of 6.5 with low attack complexity and no authentication requirements, making it a moderate-to-significant risk for WordPress sites using both this plugin and WCFM Marketplace.
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated attackers to bypass device pairing requirements and self-assign elevated operator.admin scopes. Attackers with valid shared gateway authentication credentials can present self-signed unpaired device identities to obtain administrator privileges before pairing approval is granted. This is a high-severity vulnerability (CVSS 8.8) with a patch available from the vendor.
Unauthenticated access to OCPP WebSocket endpoints allows remote attackers to impersonate legitimate charging stations and execute arbitrary commands against electric vehicle charging infrastructure without credentials. An attacker can connect using a known station identifier to manipulate charging operations, alter backend data, and escalate privileges across the charging network. No patch is currently available for this critical vulnerability affecting EV charging systems.
CTEK Chargeportal's OCPP WebSocket endpoints accept unauthenticated connections, allowing remote attackers to impersonate charging stations by connecting with known or discovered station identifiers and issuing fraudulent OCPP commands to the backend infrastructure. This authentication bypass enables complete control over charging operations, data manipulation, and privilege escalation across the charging network. CISA ICS-CERT issued advisory ICSA-26-078-06 for this industrial control system vulnerability. EPSS score of 0.13% (33rd percentile) indicates relatively low predicted exploitation likelihood despite critical CVSS 9.3 severity, though SSVC assessment confirms the vulnerability is fully automatable with total technical impact.
Remote code execution in Python allows authenticated users with SETTINGS permission to modify the reconnect.script configuration parameter without restriction, which is then passed unsanitized to subprocess.run() enabling arbitrary command execution. The vulnerability exists due to insufficient input validation in the set_config_value() API endpoint, which only restricts the general.storage_folder setting while leaving other security-critical options like reconnect.script unprotected. An attacker with non-admin SETTINGS privileges can exploit this to achieve full system compromise on the affected Python installation.
A Cross-Site Request Forgery (CSRF) vulnerability in the AVideo platform's plugin upload endpoint allows unauthenticated attackers to achieve Remote Code Execution by tricking authenticated administrators into visiting a malicious webpage. The vulnerability combines missing CSRF token validation on the pluginImport.json.php endpoint with explicitly configured SameSite=None session cookies over HTTPS, enabling cross-origin session hijacking. A proof-of-concept exploit has been published demonstrating full compromise by uploading a malicious plugin containing a PHP webshell.
An unauthenticated information disclosure vulnerability exists in the AVideo Permissions plugin endpoint `list.json.php`, which exposes the complete permission matrix mapping user groups to installed plugins without any authentication check. The vulnerability affects AVideo instances with the Permissions plugin enabled and allows unauthenticated attackers to enumerate all user groups, plugins, and their permission assignments-information that significantly aids targeted privilege escalation attacks. A proof-of-concept curl command exists, and this represents a clear authentication bypass in a sensitive administrative endpoint.
AVideo, an open-source video platform, contains a session fixation vulnerability that allows attackers to hijack user sessions and achieve full account takeover. The flaw affects the AVideo Composer package (pkg:composer/wwbn_avideo) and stems from accepting arbitrary session IDs via URL parameters, bypassing session regeneration for specific endpoints, and disabled session regeneration during login. A public proof-of-concept exploit is available in the GitHub security advisory, and the vulnerability requires only low privileges (authenticated attacker) and user interaction (victim clicking a malicious link), making it highly exploitable.
The Aimogen Pro plugin for WordPress contains an arbitrary function call vulnerability allowing unauthenticated attackers to execute privileged WordPress functions without authorization. All versions up to and including 2.7.5 are affected, enabling attackers to modify critical site settings such as changing the default user registration role to administrator, then registering as an admin to gain full site control. This is a critical authentication bypass with privilege escalation rated 9.8 CVSS, though no active exploitation (KEV) or public proof-of-concept has been reported at this time.
A privilege escalation vulnerability in Discourse allows moderators to edit site policy documents (Terms of Service, guidelines, privacy policy) despite explicit access restrictions, enabling unauthorized modification of critical site governance documents. This affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The vulnerability has a low CVSS score of 2.2 due to high attack complexity and privileged access requirement, but represents a clear integrity violation of role-based access controls.
SQL injection in SuiteCRM's authentication layer when directory support is enabled allows authenticated attackers with low-privilege directory credentials to execute arbitrary SQL commands and escalate privileges to administrator level. The vulnerability stems from insufficient input sanitization of usernames in local database queries. SuiteCRM versions prior to 7.15.1 and 8.9.3 are affected, with no patch currently available.
OpenWrt versions prior to 24.10.6 allow local attackers with limited privileges to inject a malicious PATH environment variable into hotplug scripts due to improper filtering in the hotplug_call function, enabling execution of arbitrary binaries with elevated privileges. The vulnerability stems from a strcmp/strncmp logic error that fails to properly exclude the PATH variable when executing scripts in /etc/hotplug.d, resulting in local privilege escalation. No patch is currently available.
Unauthorized user warnings in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 can be issued by authenticated non-staff users due to a type coercion flaw in the post actions API endpoint. Attackers with valid login credentials can exploit this to send warnings meant only for staff moderators, though no data exposure or further privilege escalation occurs. No patch workaround is currently available.
The CustomizeUser plugin in PHP and Python allows attackers to bypass channel-level access control by exploiting improper password validation in the setPassword.json.php endpoint. An administrator-level attacker can set any user's channel password to zero due to type coercion of non-numeric characters, enabling trivial authentication bypass for any visitor. No patch is currently available for this critical vulnerability.
A critical validation bypass vulnerability in the ormar Python ORM library allows attackers to completely skip all Pydantic field validation by injecting a special '__pk_only__' parameter in JSON request bodies. This affects all applications using ormar's canonical FastAPI integration pattern (where ormar models are used directly as request body parameters), enabling attackers to persist invalid data, bypass security constraints, and potentially escalate privileges. A working proof-of-concept demonstrates the vulnerability is trivially exploitable, and with a CVSS score of 7.1, it poses significant risk to affected applications.
UniFi Network Application allows authenticated attackers to escalate privileges via NoSQL injection with high confidentiality impact. The vulnerability enables network-accessible attackers holding low-privilege credentials to exploit database queries and access sensitive information belonging to higher-privileged users or contexts. With an EPSS score of 0.03% (7th percentile) and no public exploit identified at time of analysis, real-world exploitation probability is currently assessed as low despite the 7.7 CVSS severity rating.
The AVideo Scheduler plugin fails to validate callback URLs against Server-Side Request Forgery (SSRF) protections, allowing authenticated administrators to configure scheduled tasks that make HTTP requests to internal networks, cloud metadata services, and private IP ranges. An attacker with admin access can retrieve AWS/GCP/Azure instance metadata credentials (including IAM role tokens) or probe internal APIs not exposed to the internet. A proof-of-concept exists demonstrating credential extraction from AWS metadata endpoints at 169.254.169.254.
An incorrect privilege assignment vulnerability exists in the WooCommerce Wholesale Lead Capture plugin for WordPress, allowing unauthenticated attackers to escalate privileges on affected sites. All versions through 2.0.3.1 of the plugin developed by Rymera Web Co Pty Ltd. are vulnerable. With a CVSS score of 9.8 (Critical) and network-based exploitation requiring no privileges or user interaction, this represents a severe security risk for WordPress sites using this plugin.
Use of a hard-coded AES-256-CBC key in the configuration backup/restore implementation of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote authenticated users to decrypt, modify, and re-encrypt...
The Tekton Pipelines git resolver contains a path traversal vulnerability allowing authenticated tenants to read arbitrary files from the resolver pod's filesystem via the pathInRepo parameter. Affected products include github.com/tektoncd/pipeline versions 1.0.0 through 1.10.0 across multiple release branches. The vulnerability enables credential exfiltration and privilege escalation from namespace-scoped access to cluster-wide secret reading capabilities. A proof-of-concept was provided by the vulnerability reporter Oleh Konko.
Local privilege escalation in Linux kernel AppArmor allows low-privilege users to manipulate security policy via confused deputy attack. Attackers pass file descriptors for apparmorfs interfaces to privileged processes, enabling full policy management capabilities including disabling confinement and bypassing user namespace restrictions. Publicly available exploit code exists. EPSS score 0.01% suggests low widespread exploitation probability. Patches released for kernel 6.12.77, 6.18.18, 6.19.8, and 7.0-rc4 with multiple distribution advisories available.
Arturia Software Center on macOS installs plugin uninstall scripts with world-writable permissions (777) in root-owned directories, allowing local attackers to modify these scripts and achieve privilege escalation when the Privileged Helper executes them during plugin removal. This vulnerability affects any macOS user with the Arturia Software Center installed and requires local access and user interaction to exploit. No patch is currently available.
The KiviCare clinic management plugin for WordPress contains a critical privilege escalation vulnerability allowing unauthenticated attackers to create new clinics and administrative users through an unprotected REST API endpoint. All versions up to and including 4.1.2 are affected. With a CVSS score of 8.2 and network-based exploitation requiring no authentication, this represents a significant risk to healthcare data confidentiality and system integrity, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.
The Arturia Software Center on macOS contains insufficient code signature validation in its Privileged Helper component, allowing unauthenticated clients to connect and execute privileged actions without proper authorization. This vulnerability affects all versions of Arturia Software Center and enables local privilege escalation attacks where an unprivileged user can escalate to root or system-level privileges. While no CVSS score or EPSS data is publicly available, the authentication bypass nature and privilege escalation impact classify this as a high-severity issue; no KEV listing or public proof-of-concept has been confirmed at this time.
This vulnerability in Dahua NVR/XVR devices allows unauthenticated privilege escalation through the serial port console by bypassing shell authentication mechanisms. Affected devices include Dahua NVR2-4KS3, XVR4232AN-I/T, and XVR1B16H-I/T models with build dates prior to March 3, 2026. An attacker with physical access to the device can gain a restricted shell and escalate privileges to access sensitive system functions, though the CVSS 2.4 score reflects the requirement for physical proximity and lack of data availability impact.
MuraCMS through version 10.1.10 contains a Cross-Site Request Forgery (CSRF) vulnerability in the user management Add To Group functionality that allows attackers to escalate privileges by adding authenticated users to arbitrary groups without proper authorization validation. An authenticated administrator visiting a malicious webpage can be tricked into adding any user to the Admin group or other privileged groups, though escalation to the Super Admin (s2) group is blocked. This vulnerability enables both horizontal privilege escalation across different user groups and vertical privilege escalation to administrative roles, posing a significant risk to multi-user MuraCMS installations where administrator accounts are targeted.
Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauthenticated root code execution by exploiting insecure file permissions in the cluster synchronization protocol. An attacker with cluster node access can overwrite the manager's configuration file to inject malicious commands that are subsequently executed with root privileges by the logcollector service. This vulnerability affects multi-node Wazuh deployments and has no available patch.
Local privilege escalation in snapd on multiple Ubuntu versions allows authenticated local attackers to obtain root access by exploiting a race condition between snap's temporary directory creation and systemd-tmpfiles cleanup operations. An attacker with local access can manipulate the /tmp directory to escalate privileges when snapd attempts to recreate its private snap directories. This vulnerability affects Ubuntu 16.04 LTS through 24.04 LTS with no patch currently available.
A second-order SQL injection vulnerability exists in Admidio's MyList configuration feature, allowing authenticated users to inject arbitrary SQL commands through list column configurations that are safely stored but unsafely read back. The vulnerability enables attackers to read sensitive data including password hashes, modify database contents, or achieve full database compromise. A detailed proof-of-concept is available demonstrating exploitation requiring only standard user privileges.
Unauthenticated attackers can register administrator accounts in Docker when self-registration is enabled and default user permissions include admin privileges, as the signup handler fails to strip admin permissions from self-registered accounts. Public exploit code exists for this vulnerability. No patch is currently available.
Glances monitoring system allows local attackers with limited privileges to execute arbitrary commands by injecting shell metacharacters into process or container names, which bypass command sanitization in the action execution handler. The vulnerability affects the threshold alert system that dynamically executes administrator-configured shell commands populated with runtime monitoring data. An attacker controlling a process name or container name can manipulate command parsing to break out of intended command boundaries and inject malicious commands.
LAPSWebUI before version 2.4 by Truesec improperly caches LAPS (Local Administrator Password Solution) passwords in browser storage, allowing a local attacker with user-level access to retrieve plaintext or weakly protected admin credentials from the browser cache. An attacker who gains access to a workstation where an administrator has used LAPSWebUI can escalate privileges to local administrator by exploiting this caching behavior. While the CVSS score is moderate at 6.0, the practical impact is high because successful exploitation directly enables privilege escalation to administrative access.
LAPSWebUI before version 2.4 contains a non-functional logout mechanism that allows an authenticated local attacker to obtain elevated privileges through disclosure of cached local administrator passwords. An attacker with existing workstation access and low privileges can exploit this flaw to escalate to local admin by recovering credentials that should have been cleared upon session termination. The vulnerability carries a CVSS v4.0 score of 6.0 (Medium) with local attack vector and requires prior login plus user interaction, though the confidentiality impact on sensitive credentials is marked as high.
Insufficient Session Expiration in Truesec's LAPSWebUI before version 2.4 allows local attackers with user-level privileges to obtain local administrator passwords through inadequate session management controls. An attacker with physical or logical access to a workstation can exploit this vulnerability to escalate privileges and disclose sensitive credentials, potentially compromising domain administration. This vulnerability represents a practical privilege escalation risk in environments relying on LAPS (Local Administrator Password Solution) for credential management.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento', allowing authenticated users with low privileges to inject malicious scripts that persist in the application and execute in the browsers of other users, potentially enabling unauthorized data access and privilege escalation across the veterinary team. The vulnerability has a CVSS v4.0 base score of 4.8 (low-to-medium severity) but poses meaningful organizational risk due to its stored nature and the ability for low-privileged users to affect higher-privileged team members. No public exploit code or active exploitation in the wild has been reported at this time, though the attack requires only Network access and user interaction, making it feasible for insider threats.
A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe).
Serviio PRO 1.8 and earlier versions contain an unquoted service path vulnerability combined with insecure directory permissions that allows local authenticated users to escalate privileges to SYSTEM level. A public exploit is available, making this vulnerability easily exploitable by any authenticated user on the system. With a CVSS score of 7.8 and multiple proof-of-concept exploits published, this represents a significant risk for organizations running affected versions.