Privilege Escalation
Monthly
WAGO PFC200 G2 PLC (firmware affected) allows privilege escalation through cookie manipulation. Users can modify cookie values to gain admin privileges. PoC available.
CoolerMaster MasterPlus 1.8.5 contains an unquoted service path vulnerability in the MPService that allows local attackers to execute code with elevated system privileges. [CVSS 8.4 HIGH]
A local privilege-escalation vulnerability has been discovered in the HPE Aruba Networking Virtual Intranet Access (VIA) client. Successful exploitation of this vulnerability could allow a local attacker to achieve arbitrary code execution with root privileges. [CVSS 7.8 HIGH]
In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). [CVSS 7.8 HIGH]
A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges. [CVSS 8.8 HIGH]
A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.4). Affected application contains a local privilege escalation vulnerability that could allow an attacker to run arbitrary code with elevated privileges. [CVSS 8.8 HIGH]
SAP Fiori App Intercompany Balance Reconciliation fails to enforce proper authorization controls, allowing authenticated users to escalate privileges and access or modify sensitive data they should not have permission to view. An attacker with valid credentials can exploit missing access checks to compromise the confidentiality and integrity of financial reconciliation data. No patch is currently available for this vulnerability.
Hana Database versions up to 2.00 is affected by missing authentication for critical function (CVSS 8.8).
ServiceNow AI Platform has a user impersonation vulnerability allowing unauthenticated attackers to impersonate any user and perform their authorized actions. ServiceNow has deployed patches to hosted instances and self-hosted updates are available.
Automai Director v25.2.0 allows authenticated users to escalate to full administrative privileges with scope change (CVSS 9.9). Low-privileged users can take complete control of the automation platform.
Kace Desktop Authority versions up to 11.3.1 is affected by incorrect default permissions (CVSS 5.3).
Authorization Bypass Through User-Controlled Key vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Privilege Escalation.This issue affects DX NetOps Spectrum: 24.3.10 and earlier. [CVSS 8.8 HIGH]
OpenProject versions prior to 16.6.2 fail to implement rate-limiting on the unauthenticated password-change endpoint, allowing attackers to conduct brute-force attacks against known user accounts without triggering lockout mechanisms. An attacker can systematically guess passwords using common wordlists and achieve full account compromise, potentially escalating privileges depending on the victim's role within the application. A patch is available in version 16.6.2.
An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via the application stores password hashes in MD5 format [CVSS 5.3 MEDIUM]
An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via a crafted HTTP request [CVSS 6.5 MEDIUM]
Frontend Admin by DynamiApps WordPress plugin (through 3.28.25) allows unauthenticated privilege escalation to administrator via insufficient role validation. Attackers can register as admins and take full control of the site.
Mf258K Pro Firmware versions up to zte_mf258kpro_play_v1.0.0b03 is affected by improper privilege management (CVSS 4.3).
Panda Wireless PWRU0 devices (firmware 2.2.9) expose WAN, LAN, and wireless configuration endpoints without authentication. Remote attackers can modify all network settings. PoC available.
RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted credentials by exploiting a flawed deny_only check in the IAM system. PoC available, patch available.
Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permissions to execute import operations, enabling unauthorized modification of users, groups, policies, and service accounts. Public exploit code exists for this vulnerability, and authenticated attackers can escalate privileges through malicious IAM imports. The issue affects all pre-1.0.0-alpha.79 versions with no patch currently available.
Arbitrary code execution in PIONEER CORPORATION product installers through DLL search path manipulation allows local attackers with user interaction to execute malicious code with installer privileges. The vulnerability affects multiple products and requires user interaction to trigger, potentially compromising system integrity during software installation. No patch is currently available.
NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking users into opening application files from remote shares. [CVSS 9.8 CRITICAL]
The absence of permissions control for the user XXX allows the current configuration in the sudoers file to escalate privileges without any restrictions
A stored Cross-Site Scripting (XSS) vulnerability exists in Perch CMS version 3.2. An authenticated attacker with administrative privileges can inject malicious JavaScript code into the “Help button url” setting within the admin panel. [CVSS 6.1 MEDIUM]
Incorrect Privilege Assignment vulnerability in Dasinfomedia WPCHURCH allows Privilege Escalation.This issue affects WPCHURCH: from n/a through 2.7.0. [CVSS 8.8 HIGH]
Optional Email plugin for WordPress (through 1.3.11) has a privilege escalation via a filter that leaks predictable password reset keys. The 'random_password' filter affects not just registration but also password reset key generation, making reset tokens guessable.
Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress, AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation.This issue affects Premium Age Verification / Restriction for WordPress: from n/a through 3.0.2; Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through 3.0. [CVSS 8.8 HIGH]
H3C wireless controllers (M102G) and access points (BA1500L) have a vsftpd misconfiguration that grants root ownership to anonymously uploaded FTP files. Attackers can upload malicious files that execute with root privileges, gaining full device control.
AirVPN Eddie on MacOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root.This issue affects Eddie: 2.24.6.
TDM Digital Signage PC Player 4.1.0.4 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files. [CVSS 8.8 HIGH]
Dell Secure Connect Gateway (SCG) 5.0 Appliance and Application, version(s) versions 5.26 to 5.30, contain(s) an Execution with Unnecessary Privileges vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. [CVSS 6.4 MEDIUM]
FS Registration Password plugin for WordPress (through 1.0.1) allows unauthenticated password resets for any user. Same vulnerability class as CVE-2025-14996 (AS Password Field) – missing identity verification before password change.
AS Password Field plugin for WordPress (through 2.0.0) allows unauthenticated password resets for any user without identity verification. Like CVE-2025-14998 (Branda), this enables immediate administrator account takeover.
An uncontrolled DLL loading path vulnerability exists in AsusSoftwareManagerAgent. A local attacker may influence the application to load a DLL from an attacker-controlled location, potentially resulting in arbitrary code execution. [CVSS 7.8 HIGH]
In dpe, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In geniezone, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In seninf, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.0 HIGH]
In mminfra, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In c2ps, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In battery, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In battery, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
Android versions up to 15.0 contains a vulnerability that allows attackers to local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 7.8).
In KeyInstall, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Android versions up to 14.0 contains a vulnerability that allows attackers to local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.7).
In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In display, there is a possible use after free due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.0 HIGH]
In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
Download Manager (WordPress plugin) versions up to 3.3.40. contains a security vulnerability (CVSS 7.3).
A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. [CVSS 7.5 HIGH]
The Branda WordPress plugin (through 3.4.24) allows unauthenticated attackers to reset any user's password without identity verification, enabling account takeover including administrator accounts. Full site compromise is one password reset away.
Privilege escalation in Eclipse BlueChi, the multi-node systemd service controller used in Red Hat In-Vehicle Operating System (RHIVOS), allows a user holding root on a managed quality-managed (qm) node to write or override systemd service unit files that execute on the controlling host node. Because BlueChi did not deny cross-node proxy/dependency requests by default, a compromised lower-trust node could pivot to the host, leading to unauthorized service execution and full host compromise (CWE-863, Incorrect Authorization). Red Hat scored it 7.2 (High); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Linux kernel Landlock security module fails to properly enforce access controls on disconnected directories (files or directories visible through bind mounts but inaccessible from the mount point after rename/move operations), potentially widening access rights and causing inconsistent access results when sandboxed tasks interact with such paths. The vulnerability affects the Landlock mandatory access control framework's ability to prevent privilege escalation through filesystem operations on out-of-scope paths, requiring the sandboxed task to already possess write access to the bind mount source and read access to the mount point to trigger the issue.
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and enables full remote code execution through unsanitized PostgreSQL init script filenames passed to shell commands. A public proof-of-concept exploit is available, and while not currently in CISA KEV, the vulnerability has a moderate EPSS score of 0.41% indicating some exploitation probability.
Incorrect Privilege Assignment vulnerability in e-plugins Hotel Listing hotel-listing allows Privilege Escalation.This issue affects Hotel Listing: from n/a through <= 1.4.0.
HiSecOS 04.0.01 contains a privilege escalation vulnerability that allows authenticated users to modify their access role through XML-based NETCONF configuration. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Local privilege escalation in Apple operating systems (iOS, iPadOS, macOS Tahoe, visionOS, watchOS) allows authenticated applications to bypass payment token access restrictions and obtain sensitive payment credentials. The vulnerability affects all versions prior to the 26.2 release across affected platforms. CVSS 5.5 with low real-world exploitation risk (EPSS 0.01%), no public exploit identified, not listed in CISA KEV.
Linux kernel binfmt_misc module fails to restore write access to executable files when error handling closes improperly opened file descriptors, potentially causing subsequent write operations on the same file to fail and creating a denial-of-service condition for legitimate file modifications. The vulnerability affects the bm_register_write() function which uses open_exec() to open executable files with intentionally denied write permissions, but does not call exe_file_allow_write_access() before closing the file on error paths. With an EPSS score of 0.03% (8th percentile), this represents a low exploitation probability; no public exploit has been identified at time of analysis.
Keycloak's admin API endpoints for authorization resource management contain an IDOR vulnerability allowing authenticated administrators with fine-grained permissions for one client to delete or modify resources belonging to other clients within the same realm. The flaw exists in ResourceSetService and PermissionTicketService where authorization checks validate the resourceServer (client) ID from the API request, but backend database operations use only the resourceId, creating a permission bypass. Affected administrators can exploit this with standard HTTP requests to cross-client resource boundaries; no public exploit code identified at time of analysis.
Local privilege escalation to root on Apple platforms via integer overflow in timestamp handling allows authenticated users with low-level access to fully compromise system integrity and confidentiality. Affects iOS, iPadOS, macOS (Sequoia, Sonoma, Tahoe), tvOS, visionOS, and watchOS prior to February 2025 security updates. Vendor-released patches available across all platforms. EPSS probability is minimal (0.02%, 4th percentile), and no public exploit identified at time of analysis, though the local attack vector with low complexity and authenticated requirement reduces remote exploitation risk but creates insider threat exposure.
Local privilege escalation in macOS Sequoia (pre-15.7.3) and macOS Tahoe (pre-26.2) allows authenticated users with low-level privileges to gain root access via a permissions flaw. Apple addressed the issue with additional restrictions in the latest updates. EPSS score of 0.01% indicates minimal observed exploitation activity, and no public exploit identified at time of analysis.
Local privilege escalation in Apple macOS (Sonoma 14.x, Sequoia 15.x, Tahoe 26.x) and iOS/iPadOS 18.x allows authenticated users to gain elevated system privileges through malicious applications exploiting a logic flaw in privilege checking mechanisms. Apple has released patches across all affected platforms (iOS 18.7.3, iPadOS 18.7.3, macOS Sequoia 15.7.3, Sonoma 14.8.3, Tahoe 26.2). No public exploit identified at time of analysis, with EPSS score of 0.01% (3rd percentile) indicating minimal observed exploitation activity.
macOS launch constraint bypass enables authenticated local users to execute code with elevated privileges on macOS Sequoia (up to 15.7.2) and macOS Tahoe (pre-26). The vulnerability requires low-complexity exploitation by a user with existing local access, allowing them to circumvent Apple's launch constraint security framework and achieve full system compromise (high confidentiality, integrity, and availability impact). No public exploit identified at time of analysis, with EPSS indicating only 0.02% probability of exploitation in the wild (5th percentile).
Physical access to SolarEdge SE3680H solar inverters allows privilege escalation, remote code execution, and information disclosure through unpatched Linux kernel vulnerabilities. Reported by DIVD CSIRT, this affects SE3680H firmware running outdated kernel subsystems. While CVSS 4.0 scores 7.0 with physical attack vector (AV:P), the presence of RCE and privilege escalation tags indicates high impact once physical proximity is achieved. No EPSS score, KEV listing, or public exploit identified at time of analysis, suggesting limited current exploitation risk for typical deployment scenarios.
Privilege escalation in Nebim V3 ERP versions 2.0.59 through 3.0.0 lets an authenticated database-level attacker pivot from SQL access to operating-system control because the application stack executes with unnecessary privileges (CWE-250). Reported through Turkey's USOM/CERT-TR (advisory TR-25-0450), the issue carries CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:H), and there is no public exploit identified at time of analysis, with EPSS at 0.09% (26th percentile).
A command injection vulnerability in gardenctl allows attackers with administrative privileges in a Gardener project to inject malicious commands through crafted credential values when non-POSIX shells (Fish, PowerShell) are used by service operators. The vulnerability affects gardenctl versions 2.11.0 and below, enabling attackers to break out of string contexts and execute arbitrary commands with potentially high impact on confidentiality, integrity, and availability. With an EPSS score of only 0.06% and no known exploitation in the wild or public POC, this represents a lower real-world risk despite the high CVSS score of 8.4.
Local privilege escalation in the sd command-line find-and-replace utility (versions 1.0.0 and earlier, by chmln) allows a local attacker to gain root privileges through a crafted command. The flaw stems from incorrect privilege assignment (CWE-266) and is exploitable locally with no authentication indicated by the CVSS vector (PR:N), yielding full confidentiality, integrity, and availability compromise. Publicly available exploit code exists (proof-of-concept gist), though the EPSS score is low at 0.18% (8th percentile), and the CVE is not listed in CISA KEV.
Bitdefender Total Security, Antivirus, Internet Security, and Endpoint Security Tools prior to version 27.0.47.241 allow local attackers with low privileges to execute arbitrary code as SYSTEM through a complex attack chain. The bdservicehost.exe service deletes files from C:\ProgramData\Atc\Feedback without validating symbolic links (CWE-59), enabling arbitrary file deletion that attackers chain with network-triggered file copy operations and filter driver bypass via DLL injection to achieve full privilege escalation. EPSS indicates 0.02% exploitation probability (6th percentile), and no public exploit code or active exploitation has been identified at time of analysis. Vendor has released patches addressing this multi-stage local escalation vector.
Privilege escalation in NomySoft Nomysem (versions through May 2025) allows remote attackers with low privileges to gain elevated rights by abusing improperly used privileged APIs. The CVSS 7.1 score reflects high attack complexity and required user interaction, and no public exploit identified at time of analysis tempers immediate risk despite the high impact ceiling.
Privilege escalation in Mozilla Firefox and Thunderbird Netmonitor component allows remote attackers to execute arbitrary code with elevated privileges when users interact with malicious content. Affects Firefox versions prior to 146, Firefox ESR prior to 140.6, Thunderbird prior to 146, and Thunderbird ESR prior to 140.6. Mozilla released patches in January 2025 across all product lines. EPSS score of 0.07% (22nd percentile) indicates low current exploitation probability, with no confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis. CVSS 8.8 reflects the high impact potential despite requiring user interaction.
Privilege escalation in Mozilla Firefox and Thunderbird's Netmonitor component allows unauthenticated remote attackers to gain elevated privileges via user interaction. Affects Firefox <146, Firefox ESR <140.6, Thunderbird <146, and Thunderbird ESR <140.6. With an 8.8 CVSS score but only 0.07% EPSS (22nd percentile), no public exploit identified at time of analysis, and vendor-released patches available. Not listed in CISA KEV, indicating no confirmed active exploitation.
Privilege escalation in Mozilla Firefox and Thunderbird's DOM Notifications component enables unauthenticated remote attackers to achieve high-severity impacts (confidentiality, integrity, availability) via user interaction. Affects Firefox <146, Firefox ESR <115.31 and <140.6, Thunderbird <146 and <140.6. EPSS exploitation probability is low (0.08%, 23rd percentile), and no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. Vendor-released patches are available across all affected product lines.
Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. This can occur via plugins or dashboard components that render untrusted user input, potentially enabling privilege escalation to an administrative account. Fixed in Azuriom 1.2.7.
In multiple locations of UsbDataAdvancedProtectionHook.java, there is a possible way to access USB data when the screen is off due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2025-48606 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation.
In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
In __pkvm_load_tracing of trace.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple functions of mem_protect.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2025-48633 is a security vulnerability (CVSS 5.5). Risk factors: actively exploited (KEV-listed). Vendor patch is available.
In setDisplayName of AssociationRequest.java, there is a possible way to cause CDM associations to persist after the user has disassociated them due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2025-48629 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation.
WAGO PFC200 G2 PLC (firmware affected) allows privilege escalation through cookie manipulation. Users can modify cookie values to gain admin privileges. PoC available.
CoolerMaster MasterPlus 1.8.5 contains an unquoted service path vulnerability in the MPService that allows local attackers to execute code with elevated system privileges. [CVSS 8.4 HIGH]
A local privilege-escalation vulnerability has been discovered in the HPE Aruba Networking Virtual Intranet Access (VIA) client. Successful exploitation of this vulnerability could allow a local attacker to achieve arbitrary code execution with root privileges. [CVSS 7.8 HIGH]
In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). [CVSS 7.8 HIGH]
A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges. [CVSS 8.8 HIGH]
A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.4). Affected application contains a local privilege escalation vulnerability that could allow an attacker to run arbitrary code with elevated privileges. [CVSS 8.8 HIGH]
SAP Fiori App Intercompany Balance Reconciliation fails to enforce proper authorization controls, allowing authenticated users to escalate privileges and access or modify sensitive data they should not have permission to view. An attacker with valid credentials can exploit missing access checks to compromise the confidentiality and integrity of financial reconciliation data. No patch is currently available for this vulnerability.
Hana Database versions up to 2.00 is affected by missing authentication for critical function (CVSS 8.8).
ServiceNow AI Platform has a user impersonation vulnerability allowing unauthenticated attackers to impersonate any user and perform their authorized actions. ServiceNow has deployed patches to hosted instances and self-hosted updates are available.
Automai Director v25.2.0 allows authenticated users to escalate to full administrative privileges with scope change (CVSS 9.9). Low-privileged users can take complete control of the automation platform.
Kace Desktop Authority versions up to 11.3.1 is affected by incorrect default permissions (CVSS 5.3).
Authorization Bypass Through User-Controlled Key vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Privilege Escalation.This issue affects DX NetOps Spectrum: 24.3.10 and earlier. [CVSS 8.8 HIGH]
OpenProject versions prior to 16.6.2 fail to implement rate-limiting on the unauthenticated password-change endpoint, allowing attackers to conduct brute-force attacks against known user accounts without triggering lockout mechanisms. An attacker can systematically guess passwords using common wordlists and achieve full account compromise, potentially escalating privileges depending on the victim's role within the application. A patch is available in version 16.6.2.
An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via the application stores password hashes in MD5 format [CVSS 5.3 MEDIUM]
An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via a crafted HTTP request [CVSS 6.5 MEDIUM]
Frontend Admin by DynamiApps WordPress plugin (through 3.28.25) allows unauthenticated privilege escalation to administrator via insufficient role validation. Attackers can register as admins and take full control of the site.
Mf258K Pro Firmware versions up to zte_mf258kpro_play_v1.0.0b03 is affected by improper privilege management (CVSS 4.3).
Panda Wireless PWRU0 devices (firmware 2.2.9) expose WAN, LAN, and wireless configuration endpoints without authentication. Remote attackers can modify all network settings. PoC available.
RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted credentials by exploiting a flawed deny_only check in the IAM system. PoC available, patch available.
Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permissions to execute import operations, enabling unauthorized modification of users, groups, policies, and service accounts. Public exploit code exists for this vulnerability, and authenticated attackers can escalate privileges through malicious IAM imports. The issue affects all pre-1.0.0-alpha.79 versions with no patch currently available.
Arbitrary code execution in PIONEER CORPORATION product installers through DLL search path manipulation allows local attackers with user interaction to execute malicious code with installer privileges. The vulnerability affects multiple products and requires user interaction to trigger, potentially compromising system integrity during software installation. No patch is currently available.
NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking users into opening application files from remote shares. [CVSS 9.8 CRITICAL]
The absence of permissions control for the user XXX allows the current configuration in the sudoers file to escalate privileges without any restrictions
A stored Cross-Site Scripting (XSS) vulnerability exists in Perch CMS version 3.2. An authenticated attacker with administrative privileges can inject malicious JavaScript code into the “Help button url” setting within the admin panel. [CVSS 6.1 MEDIUM]
Incorrect Privilege Assignment vulnerability in Dasinfomedia WPCHURCH allows Privilege Escalation.This issue affects WPCHURCH: from n/a through 2.7.0. [CVSS 8.8 HIGH]
Optional Email plugin for WordPress (through 1.3.11) has a privilege escalation via a filter that leaks predictable password reset keys. The 'random_password' filter affects not just registration but also password reset key generation, making reset tokens guessable.
Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress, AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation.This issue affects Premium Age Verification / Restriction for WordPress: from n/a through 3.0.2; Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through 3.0. [CVSS 8.8 HIGH]
H3C wireless controllers (M102G) and access points (BA1500L) have a vsftpd misconfiguration that grants root ownership to anonymously uploaded FTP files. Attackers can upload malicious files that execute with root privileges, gaining full device control.
AirVPN Eddie on MacOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root.This issue affects Eddie: 2.24.6.
TDM Digital Signage PC Player 4.1.0.4 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files. [CVSS 8.8 HIGH]
Dell Secure Connect Gateway (SCG) 5.0 Appliance and Application, version(s) versions 5.26 to 5.30, contain(s) an Execution with Unnecessary Privileges vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. [CVSS 6.4 MEDIUM]
FS Registration Password plugin for WordPress (through 1.0.1) allows unauthenticated password resets for any user. Same vulnerability class as CVE-2025-14996 (AS Password Field) – missing identity verification before password change.
AS Password Field plugin for WordPress (through 2.0.0) allows unauthenticated password resets for any user without identity verification. Like CVE-2025-14998 (Branda), this enables immediate administrator account takeover.
An uncontrolled DLL loading path vulnerability exists in AsusSoftwareManagerAgent. A local attacker may influence the application to load a DLL from an attacker-controlled location, potentially resulting in arbitrary code execution. [CVSS 7.8 HIGH]
In dpe, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In geniezone, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In seninf, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.0 HIGH]
In mminfra, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In c2ps, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In battery, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In battery, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
Android versions up to 15.0 contains a vulnerability that allows attackers to local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 7.8).
In KeyInstall, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Android versions up to 14.0 contains a vulnerability that allows attackers to local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.7).
In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In display, there is a possible use after free due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.0 HIGH]
In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
Download Manager (WordPress plugin) versions up to 3.3.40. contains a security vulnerability (CVSS 7.3).
A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. [CVSS 7.5 HIGH]
The Branda WordPress plugin (through 3.4.24) allows unauthenticated attackers to reset any user's password without identity verification, enabling account takeover including administrator accounts. Full site compromise is one password reset away.
Privilege escalation in Eclipse BlueChi, the multi-node systemd service controller used in Red Hat In-Vehicle Operating System (RHIVOS), allows a user holding root on a managed quality-managed (qm) node to write or override systemd service unit files that execute on the controlling host node. Because BlueChi did not deny cross-node proxy/dependency requests by default, a compromised lower-trust node could pivot to the host, leading to unauthorized service execution and full host compromise (CWE-863, Incorrect Authorization). Red Hat scored it 7.2 (High); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Linux kernel Landlock security module fails to properly enforce access controls on disconnected directories (files or directories visible through bind mounts but inaccessible from the mount point after rename/move operations), potentially widening access rights and causing inconsistent access results when sandboxed tasks interact with such paths. The vulnerability affects the Landlock mandatory access control framework's ability to prevent privilege escalation through filesystem operations on out-of-scope paths, requiring the sandboxed task to already possess write access to the bind mount source and read access to the mount point to trigger the issue.
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and enables full remote code execution through unsanitized PostgreSQL init script filenames passed to shell commands. A public proof-of-concept exploit is available, and while not currently in CISA KEV, the vulnerability has a moderate EPSS score of 0.41% indicating some exploitation probability.
Incorrect Privilege Assignment vulnerability in e-plugins Hotel Listing hotel-listing allows Privilege Escalation.This issue affects Hotel Listing: from n/a through <= 1.4.0.
HiSecOS 04.0.01 contains a privilege escalation vulnerability that allows authenticated users to modify their access role through XML-based NETCONF configuration. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Local privilege escalation in Apple operating systems (iOS, iPadOS, macOS Tahoe, visionOS, watchOS) allows authenticated applications to bypass payment token access restrictions and obtain sensitive payment credentials. The vulnerability affects all versions prior to the 26.2 release across affected platforms. CVSS 5.5 with low real-world exploitation risk (EPSS 0.01%), no public exploit identified, not listed in CISA KEV.
Linux kernel binfmt_misc module fails to restore write access to executable files when error handling closes improperly opened file descriptors, potentially causing subsequent write operations on the same file to fail and creating a denial-of-service condition for legitimate file modifications. The vulnerability affects the bm_register_write() function which uses open_exec() to open executable files with intentionally denied write permissions, but does not call exe_file_allow_write_access() before closing the file on error paths. With an EPSS score of 0.03% (8th percentile), this represents a low exploitation probability; no public exploit has been identified at time of analysis.
Keycloak's admin API endpoints for authorization resource management contain an IDOR vulnerability allowing authenticated administrators with fine-grained permissions for one client to delete or modify resources belonging to other clients within the same realm. The flaw exists in ResourceSetService and PermissionTicketService where authorization checks validate the resourceServer (client) ID from the API request, but backend database operations use only the resourceId, creating a permission bypass. Affected administrators can exploit this with standard HTTP requests to cross-client resource boundaries; no public exploit code identified at time of analysis.
Local privilege escalation to root on Apple platforms via integer overflow in timestamp handling allows authenticated users with low-level access to fully compromise system integrity and confidentiality. Affects iOS, iPadOS, macOS (Sequoia, Sonoma, Tahoe), tvOS, visionOS, and watchOS prior to February 2025 security updates. Vendor-released patches available across all platforms. EPSS probability is minimal (0.02%, 4th percentile), and no public exploit identified at time of analysis, though the local attack vector with low complexity and authenticated requirement reduces remote exploitation risk but creates insider threat exposure.
Local privilege escalation in macOS Sequoia (pre-15.7.3) and macOS Tahoe (pre-26.2) allows authenticated users with low-level privileges to gain root access via a permissions flaw. Apple addressed the issue with additional restrictions in the latest updates. EPSS score of 0.01% indicates minimal observed exploitation activity, and no public exploit identified at time of analysis.
Local privilege escalation in Apple macOS (Sonoma 14.x, Sequoia 15.x, Tahoe 26.x) and iOS/iPadOS 18.x allows authenticated users to gain elevated system privileges through malicious applications exploiting a logic flaw in privilege checking mechanisms. Apple has released patches across all affected platforms (iOS 18.7.3, iPadOS 18.7.3, macOS Sequoia 15.7.3, Sonoma 14.8.3, Tahoe 26.2). No public exploit identified at time of analysis, with EPSS score of 0.01% (3rd percentile) indicating minimal observed exploitation activity.
macOS launch constraint bypass enables authenticated local users to execute code with elevated privileges on macOS Sequoia (up to 15.7.2) and macOS Tahoe (pre-26). The vulnerability requires low-complexity exploitation by a user with existing local access, allowing them to circumvent Apple's launch constraint security framework and achieve full system compromise (high confidentiality, integrity, and availability impact). No public exploit identified at time of analysis, with EPSS indicating only 0.02% probability of exploitation in the wild (5th percentile).
Physical access to SolarEdge SE3680H solar inverters allows privilege escalation, remote code execution, and information disclosure through unpatched Linux kernel vulnerabilities. Reported by DIVD CSIRT, this affects SE3680H firmware running outdated kernel subsystems. While CVSS 4.0 scores 7.0 with physical attack vector (AV:P), the presence of RCE and privilege escalation tags indicates high impact once physical proximity is achieved. No EPSS score, KEV listing, or public exploit identified at time of analysis, suggesting limited current exploitation risk for typical deployment scenarios.
Privilege escalation in Nebim V3 ERP versions 2.0.59 through 3.0.0 lets an authenticated database-level attacker pivot from SQL access to operating-system control because the application stack executes with unnecessary privileges (CWE-250). Reported through Turkey's USOM/CERT-TR (advisory TR-25-0450), the issue carries CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:H), and there is no public exploit identified at time of analysis, with EPSS at 0.09% (26th percentile).
A command injection vulnerability in gardenctl allows attackers with administrative privileges in a Gardener project to inject malicious commands through crafted credential values when non-POSIX shells (Fish, PowerShell) are used by service operators. The vulnerability affects gardenctl versions 2.11.0 and below, enabling attackers to break out of string contexts and execute arbitrary commands with potentially high impact on confidentiality, integrity, and availability. With an EPSS score of only 0.06% and no known exploitation in the wild or public POC, this represents a lower real-world risk despite the high CVSS score of 8.4.
Local privilege escalation in the sd command-line find-and-replace utility (versions 1.0.0 and earlier, by chmln) allows a local attacker to gain root privileges through a crafted command. The flaw stems from incorrect privilege assignment (CWE-266) and is exploitable locally with no authentication indicated by the CVSS vector (PR:N), yielding full confidentiality, integrity, and availability compromise. Publicly available exploit code exists (proof-of-concept gist), though the EPSS score is low at 0.18% (8th percentile), and the CVE is not listed in CISA KEV.
Bitdefender Total Security, Antivirus, Internet Security, and Endpoint Security Tools prior to version 27.0.47.241 allow local attackers with low privileges to execute arbitrary code as SYSTEM through a complex attack chain. The bdservicehost.exe service deletes files from C:\ProgramData\Atc\Feedback without validating symbolic links (CWE-59), enabling arbitrary file deletion that attackers chain with network-triggered file copy operations and filter driver bypass via DLL injection to achieve full privilege escalation. EPSS indicates 0.02% exploitation probability (6th percentile), and no public exploit code or active exploitation has been identified at time of analysis. Vendor has released patches addressing this multi-stage local escalation vector.
Privilege escalation in NomySoft Nomysem (versions through May 2025) allows remote attackers with low privileges to gain elevated rights by abusing improperly used privileged APIs. The CVSS 7.1 score reflects high attack complexity and required user interaction, and no public exploit identified at time of analysis tempers immediate risk despite the high impact ceiling.
Privilege escalation in Mozilla Firefox and Thunderbird Netmonitor component allows remote attackers to execute arbitrary code with elevated privileges when users interact with malicious content. Affects Firefox versions prior to 146, Firefox ESR prior to 140.6, Thunderbird prior to 146, and Thunderbird ESR prior to 140.6. Mozilla released patches in January 2025 across all product lines. EPSS score of 0.07% (22nd percentile) indicates low current exploitation probability, with no confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis. CVSS 8.8 reflects the high impact potential despite requiring user interaction.
Privilege escalation in Mozilla Firefox and Thunderbird's Netmonitor component allows unauthenticated remote attackers to gain elevated privileges via user interaction. Affects Firefox <146, Firefox ESR <140.6, Thunderbird <146, and Thunderbird ESR <140.6. With an 8.8 CVSS score but only 0.07% EPSS (22nd percentile), no public exploit identified at time of analysis, and vendor-released patches available. Not listed in CISA KEV, indicating no confirmed active exploitation.
Privilege escalation in Mozilla Firefox and Thunderbird's DOM Notifications component enables unauthenticated remote attackers to achieve high-severity impacts (confidentiality, integrity, availability) via user interaction. Affects Firefox <146, Firefox ESR <115.31 and <140.6, Thunderbird <146 and <140.6. EPSS exploitation probability is low (0.08%, 23rd percentile), and no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. Vendor-released patches are available across all affected product lines.
Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. This can occur via plugins or dashboard components that render untrusted user input, potentially enabling privilege escalation to an administrative account. Fixed in Azuriom 1.2.7.
In multiple locations of UsbDataAdvancedProtectionHook.java, there is a possible way to access USB data when the screen is off due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2025-48606 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation.
In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
In __pkvm_load_tracing of trace.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple functions of mem_protect.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2025-48633 is a security vulnerability (CVSS 5.5). Risk factors: actively exploited (KEV-listed). Vendor patch is available.
In setDisplayName of AssociationRequest.java, there is a possible way to cause CDM associations to persist after the user has disassociated them due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2025-48629 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation.