Skip to main content

Privilege Escalation

13276 CVEs technique

Monthly

CVE-2026-13228 HIGH This Week

Privilege escalation to Administrator in the LatePoint booking plugin for WordPress (versions up to and including 5.6.3) lets an authenticated Agent-level user hijack any WordPress account by abusing an Insecure Direct Object Reference in OsOrdersController::create_or_update(). By supplying an arbitrary order[customer_id], an attacker overwrites the email of any LatePoint customer - including one tied to a WordPress Administrator - and then logs in as that user because OsAuthHelper::authorize_customer() never checks the linked account's role. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not on CISA KEV, though the root-cause code paths are pinpointed in public plugin source.

Privilege Escalation WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-11387 CRITICAL Act Now

Account-takeover privilege escalation in the SMS Alert - SMS & OTP for WooCommerce WordPress plugin (versions up to and including 3.9.5) lets unauthenticated remote attackers change any user's email address and trigger a password reset, seizing administrator accounts. The flaw stems from the OTP-based password-reset flow failing to verify the requester's identity before updating account details. No public exploit has been identified at time of analysis, though the issue was disclosed by Wordfence and carries a 9.8 CVSS rating.

Authentication Bypass WordPress Privilege Escalation Sms Alert Sms Otp For Woocommerce Order Notifications Abandoned Cart Recovery
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-12224 HIGH This Week

Privilege escalation in the Dokan Pro WooCommerce multivendor plugin for WordPress (all versions through 5.0.4) allows an authenticated vendor-level attacker to grant themselves or a controlled vendor_staff account the WordPress administrator capability, resulting in full site takeover. The flaw stems from the update_capabilities() REST handler accepting arbitrary capability strings with no allowlist, only checking for the dokandar capability. No public exploit has been identified at time of analysis, and no EPSS or KEV signals were supplied; however, the issue is reported by Wordfence and exploitation is straightforward on sites where the Vendor Staff module is enabled and vendor self-registration is permitted.

Privilege Escalation WordPress Dokan Pro
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-20463 MEDIUM This Month

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System-level access to bypass permission enforcement (CWE-280) and escalate further within the device. The vulnerability is confirmed by MediaTek in their July 2026 Product Security Bulletin (Patch ID: MOLY01716533, Issue ID: MSV-6309) and affects a broad swath of chipsets spanning low-end to flagship tiers. No user interaction is required for exploitation, but the prerequisite of System-level access significantly constrains the realistic attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis.

Privilege Escalation Mediatek Chipset
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-20462 MEDIUM This Month

Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Android devices, delivering full confidentiality, integrity, and availability impact. Twenty-two specific MediaTek SoC variants are confirmed affected, spanning the MT6xxx and MT8xxx mid-range and budget families. No public exploit has been identified at time of analysis; MediaTek has issued patch ALPS11006447 via their July 2026 security bulletin, but exploitation requires a pre-existing System-level privilege on the device, making this a chaining vulnerability rather than a standalone entry vector.

Privilege Escalation Heap Overflow Buffer Overflow Mediatek Chipset
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-20458 HIGH This Week

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a rogue base station to corrupt modem memory via a missing bounds check (out-of-bounds write, CWE-787). Once a target UE camps on the attacker-controlled cell, exploitation requires no user interaction and no pre-existing privileges, potentially yielding privilege escalation within the modem subsystem. Tracked in MediaTek's July 2026 Product Security Bulletin (Patch ID MOLY01402160); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Memory Corruption Privilege Escalation Buffer Overflow Mediatek Chipset
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-14124 HIGH PATCH This Week

OS-level privilege escalation in Google Chrome for Windows before 150.0.7871.47 lets a local attacker leverage an inappropriate implementation in the CredentialProvider component to elevate privileges via a malicious file. Exploitation requires local access plus user interaction (UI:R), and though Google rated the Chromium security severity 'Low', the CVSS 3.1 base score is 7.8 (High) due to full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the EPSS probability is very low at 0.11% (2nd percentile).

Privilege Escalation Microsoft Google Suse
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-14115 HIGH PATCH This Week

Privilege escalation in Google Chrome's Cast component before 150.0.7871.47 allows a remote attacker who has already compromised the renderer process to escape renderer-level restrictions and gain higher privileges via a crafted HTML page. Rated Low severity by Chromium despite a 7.5 CVSS, it functions as a second-stage sandbox-escape primitive rather than a standalone initial-access bug. There is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile), indicating minimal near-term mass-exploitation risk.

Privilege Escalation Google Suse
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-14094 HIGH PATCH This Week

Use after free in Installer in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Low)

Memory Corruption Google Microsoft Denial Of Service Use After Free +2
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-14078 HIGH PATCH This Week

Privilege escalation in Google Chrome's WebRTC component (versions prior to 150.0.7871.47) allows a remote attacker to escape normal renderer restrictions when a victim opens a crafted HTML page, per the CVSS vector achieving high confidentiality, integrity, and availability impact. Exploitation requires user interaction (visiting a malicious page) but no prior authentication. There is no public exploit identified at time of analysis, and the EPSS score is low (0.17%, 7th percentile); notably, Google/Chromium rated this 'Low' severity while the NVD CVSS is 8.8 (High), a discrepancy defenders should weigh.

Privilege Escalation Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14060 HIGH PATCH This Week

Local privilege escalation in Google Chrome's Chromoting (Chrome Remote Desktop) component on Windows before 150.0.7871.47 allows a local attacker who plants a malicious file to elevate privileges after the victim interacts with it. The flaw stems from insufficient validation of untrusted input (CWE-20) and carries a 7.8 CVSS but was rated Low severity by Chromium's own team. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.13%, 3rd percentile), consistent with a local, interaction-dependent issue rather than a mass-exploitable one.

Privilege Escalation Microsoft Google Suse
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-14041 HIGH PATCH This Week

Privilege escalation in Google Chrome desktop before 150.0.7871.47 stems from insufficient policy enforcement in the Serial (Web Serial API) component, allowing a remote attacker who lures a victim to a crafted HTML page to escalate privileges within the browser. Note the signal conflict: NVD scores this 8.8 (High) with high confidentiality/integrity/availability impact, yet Chromium's own triage rates the security severity as Low. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS is very low at 0.17% (7th percentile).

Privilege Escalation Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14036 HIGH PATCH This Week

Privilege escalation in Google Chrome desktop before 150.0.7871.47 stems from insufficient policy enforcement in the Bluetooth subsystem, letting a remote attacker who lures a victim to a crafted HTML page cross a security boundary the browser is supposed to guard. Google's Chrome release channel and the NVD-assigned CVSS 3.1 base score of 8.8 (High) diverge from Chromium's own internal 'Low' severity rating, signaling the practical impact is likely narrower than the raw score implies. There is no public exploit identified at time of analysis, and the EPSS probability is low at 0.17% (7th percentile), consistent with no active exploitation reported.

Privilege Escalation Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14018 HIGH PATCH This Week

Local privilege escalation in Google Chrome's Updater component on Windows (versions prior to 150.0.7871.47) allows a local attacker to escalate to OS-level privileges via a malicious file that triggers a use-after-free condition. Google rates the Chromium security severity as Medium, though the CVSS base score is 7.8 (High) because the Updater runs with elevated (SYSTEM) privileges. There is no public exploit identified at time of analysis and EPSS is very low (0.11%, 1st percentile), indicating negligible observed exploitation activity.

Memory Corruption Google Microsoft Denial Of Service Use After Free +2
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13928 HIGH PATCH This Week

Insufficient validation of untrusted input in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13927 HIGH PATCH This Week

Insufficient validation of untrusted input in UI in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium)

Privilege Escalation Google Suse
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13903 HIGH PATCH This Week

Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13897 HIGH PATCH This Week

Insufficient policy enforcement in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Authentication Bypass Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13891 HIGH PATCH This Week

Privilege escalation in Google Chrome's Extensions component (versions prior to 150.0.7871.47) lets a remote attacker who has already compromised the renderer process break out via a crafted HTML page. Rated Medium by Chromium and CVSS 7.5, it stems from insufficient validation of untrusted input (CWE-20) and requires user interaction plus a pre-existing renderer foothold. There is no public exploit identified at time of analysis, EPSS is low (0.22%, 12th percentile), and it is not on CISA KEV.

Privilege Escalation Google Suse
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13864 HIGH PATCH This Week

Privilege escalation in Google Chrome desktop prior to 150.0.7871.47 stems from insufficient policy enforcement in the WebHID subsystem, letting a maliciously crafted extension escape its intended boundaries and gain elevated access to human-interface devices and browser privileges. Exploitation first requires convincing a victim to install the malicious extension, after which a crafted Chrome Extension bypasses WebHID access controls. Chromium rates the issue Medium; no public exploit is identified at time of analysis and EPSS exploitation probability is low (0.13%, 3rd percentile).

Authentication Bypass Privilege Escalation Google Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-13863 HIGH PATCH This Week

Privilege escalation in Google Chrome for Android (CustomTabs) prior to 150.0.7871.47 allows a local attacker to escalate privileges by supplying a malicious file that CustomTabs fails to validate properly. Google rates the Chromium severity as Medium, and the requirement for user interaction plus local access limits remote mass exploitation. No public exploit has been identified at time of analysis and the EPSS score is very low (0.13%, 3rd percentile), so opportunistic exploitation appears unlikely.

Privilege Escalation Google Suse
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13856 HIGH PATCH This Week

Privilege escalation in Google Chrome for Android before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out further by feeding a crafted HTML page into the Speech component, which fails to validate untrusted input (CWE-20). Google rated it Medium severity; a fix has shipped in the Stable channel, EPSS is low (0.21%, 11th percentile), and there is no public exploit identified at time of analysis. This is a sandbox-escape-class chaining bug rather than a standalone remote drive-by, since it presupposes a prior renderer compromise.

Privilege Escalation Google Suse
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13844 HIGH PATCH This Week

Local OS-level privilege escalation in Google Chrome on Windows (versions prior to 150.0.7871.47) arises from a use-after-free in the Chrome Updater component, letting a local attacker who can plant a malicious file on the system elevate to higher OS privileges. Google rates the Chromium severity as High and has released a fixed Stable channel build; there is no public exploit identified and it is not listed in CISA KEV. EPSS is low at 0.13% (3rd percentile), consistent with a bug that requires local access and user interaction rather than mass remote exploitation.

Memory Corruption Google Microsoft Denial Of Service Use After Free +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13827 HIGH PATCH This Week

Local privilege escalation in Google Chrome's Updater component on macOS versions prior to 150.0.7871.47 lets an attacker abuse a use-after-free (CWE-416) via a malicious file to gain the elevated privileges under which the updater runs. Google rates the Chromium severity as High, and the CVSS 3.1 base score is 7.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS is low at 0.13% (3rd percentile), consistent with the SSVC exploitation status of 'none'.

Memory Corruption Google Denial Of Service Use After Free Privilege Escalation +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13824 HIGH PATCH This Week

Privilege escalation in Google Chrome's Extensions subsystem before version 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of that context and gain elevated privileges by delivering a crafted HTML page. Google rates the Chromium severity as High, and the assigned CVSS is 7.5 (AV:N/AC:H). There is no public exploit identified at time of analysis, EPSS is low (0.21%, 11th percentile), and CISA's SSVC framework records exploitation status as none, indicating this is currently a patch-and-move-on issue rather than an active threat.

Privilege Escalation Google Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13800 HIGH PATCH This Week

Local privilege escalation in the Google Chrome Updater on Windows (versions prior to 150.0.7871.47) allows a local attacker to gain OS-level privileges by planting a malicious file that the Updater component mishandles. Rated High by Chromium and CVSS 7.8, exploitation requires local access plus user interaction; there is no public exploit identified at time of analysis, and EPSS is low at 0.13% (3rd percentile). A vendor patch is available in the June 2026 Stable Channel release.

Authentication Bypass Privilege Escalation Microsoft Google Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57995 HIGH PATCH This Week

Privilege escalation in phpMyFAQ before 4.1.5 lets a delegated administrator holding the GROUP_EDIT right elevate to full administrative control. Because GroupController::updatePermissions never verifies that the caller already possesses the permissions being assigned, a low-privileged admin can grant high-value rights to a group they belong to and inherit those rights. The flaw was reported by VulnCheck; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Privilege Escalation Phpmyfaq
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56233 HIGH PATCH This Week

Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a path-traversal flaw in the builder upload proxy to reach internal administrative endpoints. By appending traversal sequences to the upload path - which the WHATWG URL parser normalizes - an attacker pivots requests carrying the privileged BUILDER_API_KEY header, turning limited build access into SSRF and elevated server-side privileges. Reported by VulnCheck with a CVSS 4.0 score of 8.7; no public exploit identified at time of analysis.

Privilege Escalation Path Traversal Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-8864 HIGH PATCH This Week

Local privilege escalation in the HP Fan Control App lets a low-privileged local user gain SYSTEM/administrator-level execution on affected HP endpoints. The flaw stems from CWE-428 (Unquoted Search Path or Element), a classic Windows weakness where a privileged service or process resolves an executable or library from an attacker-controllable path. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; EPSS data was not provided.

HP Privilege Escalation Hp Fan Control App
NVD
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-49451 NuGet HIGH PATCH GHSA This Week

Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. A working reproduction payload is published in the GitHub advisory; the impact is availability-only with no code execution, and there is no public exploit identified beyond that payload and no evidence of active exploitation.

Authentication Bypass Microsoft RCE Privilege Escalation Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-58165 HIGH POC PATCH This Week

Privilege escalation in OpenZiti through 2.0.0 lets an authenticated non-admin identity that holds fine-grained enrollment-management permissions mint an enrollment for any identity - including the built-in default administrator - and then redeem the resulting one-time token via the unauthenticated client enrollment API to receive a client certificate that authenticates as that admin, granting full control of the controller and the entire zero-trust overlay. The root cause is a missing authorization check (CWE-862) in the enrollment creation path. Publicly available exploit details exist (reported by VulnCheck, GitHub issue #4010) and a vendor fix is available; no public exploit identified as actively used at time of analysis.

Authentication Bypass Privilege Escalation Ziti
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-4629 MEDIUM This Month

Privilege escalation in Red Hat Build of Keycloak allows an operator holding the manage-clients permission to inject a hardcoded role mapper into any client configuration, causing the realm-admin role to appear in subsequently issued tokens. This effectively grants the attacker full administrative control over the entire Keycloak realm, overriding scope restrictions that are intended to prevent exactly this delegation boundary crossing. No active exploitation has been confirmed (not listed in CISA KEV), no public proof-of-concept has been identified at time of analysis, and no EPSS data was available; however, the high-impact nature of achieving realm-admin privileges makes this a meaningful insider or delegated-admin threat.

Privilege Escalation Red Hat Build Of Keycloak
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-7406 HIGH This Week

Local privilege escalation in Nokia MantaRay NM (network management) lets an attacker who already holds local administrative privileges abuse a misconfigured sudo command set to obtain full root access on the host, gaining complete control of the filesystem and arbitrary root command execution. The flaw was reported by Nokia and affects versions prior to NM 25R1-NM, with no public exploit identified at time of analysis and a low EPSS exploitation probability of 0.17%.

Privilege Escalation Nokia Mantaray Nm
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-12610 MEDIUM This Month

Use-after-free in the SSSD PAM responder crashes the authentication daemon when a local attacker manipulates YubiKey or smartcard contents during an authentication attempt on Red Hat Enterprise Linux 6 through 10. The primary realized impact is a denial of service - the PAM responder crash disrupts all authentication - but the underlying memory corruption also presents a difficult-to-exploit privilege escalation path. No public exploit code exists at time of analysis, and the CVSS vector (AV:L/AC:H/PR:H) reflects a tightly constrained local attack requiring high privileges and significant complexity, limiting realistic blast radius to insider-threat and physical-access scenarios.

Privilege Escalation Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +6
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12073 CRITICAL Act Now

Account takeover in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (all versions through 5.9.9.5) lets unauthenticated remote attackers hijack the site administrator account. The plugin fails to validate a `user_login` value on registration forms lacking that parameter and mishandles the resulting error messages, allowing an attacker to overwrite the email address of the user with ID=1 (typically the admin) and then trigger a password reset to seize full control. Reported by Wordfence with a 9.8 CVSS; no public exploit identified at time of analysis.

Authentication Bypass WordPress Privilege Escalation Profilegrid User Profiles Groups And Communities
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-58302 HIGH PATCH This Week

Local privilege escalation to root in LinuxCNC (linuxcnc-uspace) before 2.9.9 lets any unprivileged local user execute arbitrary code as root. The SUID-root rtapi_app helper accepts a user-supplied module name and passes it to dlopen() without sufficient validation, so path traversal lets an attacker load an arbitrary attacker-controlled shared library while the process is still privileged. No public exploit identified at time of analysis and the issue is not in CISA KEV; an upstream fix is available in version 2.9.9.

Privilege Escalation Path Traversal Linuxcnc
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.2%
CVE-2026-41052 Go CRITICAL PATCH GHSA Act Now

Privilege escalation in SUSE Rancher (Kubernetes management platform) allows a user holding the Project Owner role to improperly escalate their privileges beyond their assigned project scope, per advisory GHSA-vx8h-4prv-g744. Affected releases are 2.14 before 2.14.2, 2.13 before 2.13.6, and 2.12 before 2.12.10. There is no public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.4 and scope-changing impact mean a successful escalation can compromise cluster-wide confidentiality, integrity, and availability.

Privilege Escalation Rancher
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-54371 HIGH PATCH This Week

Local privilege escalation in the attr package's getfattr and setfattr utilities (versions before 2.6.0) allows an attacker who controls a pathname component to swap it for a symbolic link during directory hierarchy traversal, redirecting attribute operations to arbitrary files. When these utilities are invoked by a privileged process over an attacker-influenced path, the attacker can read or write extended attributes on files outside their authority, leading to escalation to higher privileges. The flaw was reported by VulnCheck; no public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Privilege Escalation Acl
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-54370 HIGH PATCH This Week

Local privilege escalation in the Linux acl package (libacl/getfacl/setfacl/chacl) before version 2.4.0 lets an unprivileged local user who controls a component of a pathname win a TOCTOU race, redirecting privileged file-ACL operations to arbitrary files. By swapping a path component for a symlink between the lstat() validation and the follow-on stat()/chown()/chmod()/acl_get_file()/acl_set_file() calls, an attacker can manipulate ownership and ACLs on targets they should not control, yielding root-equivalent escalation. No public exploit identified at time of analysis; the issue was reported by VulnCheck and is fixed upstream.

Privilege Escalation Acl
NVD VulDB
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-54369 HIGH PATCH Monitor

Local privilege escalation in the Linux acl utilities (libacl) before version 2.4.0 arises because the pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() follow symbolic links during ACL read/write operations. An attacker who controls any component of a pathname processed by a privileged caller can substitute a symlink to redirect ACL operations to arbitrary files, manipulating access control lists outside their authority. No public exploit identified at time of analysis, and the issue is not in CISA KEV; risk is gated on a privileged process operating on attacker-influenced paths.

Privilege Escalation Acl
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-25707 HIGH PATCH This Week

Arbitrary file overwrite in libzypp before 17.38.10 lets a remote attacker who controls a software repository plant crafted repository metadata (repomd/SUSE content files) with '../' location paths that escape the repo root, allowing files anywhere on the system to be overwritten when a victim adds and refreshes that repository. Because zypper-based refresh operations typically run as root, this can escalate to privilege escalation or denial of service. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Privilege Escalation Path Traversal Denial Of Service Libzypp
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-57919 HIGH This Week

Local privilege escalation in Matrix42 Empirum (versions before 25.5 and 26.x before 26.2) lets any authenticated low-privileged user gain SYSTEM execution by abusing the PBackupVSS.exe service's named pipe. The pipe \\.\pipe\PBackupVSS is created with an overly permissive DACL granting GENERIC_READ/GENERIC_WRITE to all authenticated users, so an attacker can send crafted IPC messages that drive the SYSTEM-level service into running an attacker-supplied shadow.exe from a controlled working directory. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but exploitation is mechanically straightforward once on the host.

Privilege Escalation N A
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-58054 HIGH POC This Week

Privilege escalation in MyBB 1.8.40 lets a limited Admin Control Panel (ACP) user who holds only the delegated user-management permission promote any account into the Administrators usergroup (gid 4), gaining the full Administrator permission set. The flaw stems from the user module exposing the Administrators group as an assignable option while the datahandler's verify_usergroup() unconditionally returns true, performing no authorization check on the target group. Publicly available exploit code exists (VulnCheck), though the issue is not listed in CISA KEV and has no public evidence of active exploitation.

Privilege Escalation Mybb
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-58053 CRITICAL POC PATCH Act Now

Container escape in Gitea act_runner (Docker backend, through act 0.262.0) lets an authenticated user with workflow-execution rights break out to the host as root even when privileged mode is disabled. The runner passes a workflow's container.options string straight into the Docker job container's HostConfig and only forces the Privileged flag off, leaving dangerous options like --pid=host, --cap-add, and --security-opt intact. Publicly available exploit code exists (reported by VulnCheck), though it is not listed in CISA KEV.

Privilege Escalation Gitea Docker Act Runner
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-49412 HIGH This Week

Local privilege escalation in the FreeBSD kernel arises from a use-after-free in the IPv6 multicast source-filter handler (IPV6_MSFILTER), affecting FreeBSD 14.3, 14.4, and 15.0 releases before their respective patch levels. An unprivileged local user can win a race against the handler's dropped-then-reacquired serializing lock to free the multicast filter structure out from under the kernel, corrupting memory to gain root-level control. There is no public exploit identified at time of analysis, and EPSS is very low (0.13%), consistent with CISA SSVC marking exploitation as 'none' and not automatable.

Memory Corruption Privilege Escalation Use After Free Freebsd
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-12415 CRITICAL POC Act Now

Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. Rated CVSS 9.8 and reported by Wordfence; no public exploit identified at time of analysis and it is not in CISA KEV.

Privilege Escalation WordPress Invoice Generator
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-55069 HIGH PATCH This Week

Offline administrator password recovery in Kestra OSS (versions prior to 1.3.24) stems from its BasicAuth component storing the admin credential as a fast SHA-512 hash. An attacker who already holds read access to the backing PostgreSQL database can extract that hash and crack it offline at high speed, then log in as administrator; in Kubernetes deployments this further exposes the cluster ServiceAccount token and all K8s Secrets, enabling vertical privilege escalation. No public exploit identified at time of analysis and not on CISA KEV; EPSS data was not provided.

PostgreSQL Kubernetes Privilege Escalation Kestra
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.2%
CVE-2026-48790 Go MEDIUM POC PATCH GHSA This Month

Credential exposure in turso-cli versions 1.0.25 and earlier allows any local user on the same host to read the Turso platform JWT stored world-readable at mode 0o644 in settings.json, granting full access to all Turso organizations the victim belongs to. The root cause is turso-cli's failure to override Viper's insecure default configPermissions before writing credentials - a deviation from the explicit 0o600 baseline established by comparable CLIs including gh, aws, docker, and gcloud. A proof-of-concept demonstrating the 0o644 mode is included in the advisory; no active exploitation is listed in CISA KEV.

Privilege Escalation Apple Docker
NVD GitHub
CVSS 3.1
5.5
CVE-2026-46710 HIGH PATCH This Week

Local privilege escalation in the Notepad++ Windows installer (versions 8.9.4 through 8.9.5) lets an unprivileged local attacker gain the elevated privileges of the installer by planting a malicious powershell.exe. Because the installer calls powershell.exe by name (not absolute path) after setting the working directory to the installation contextMenu folder, a privileged user who installs into an attacker-writable custom directory triggers execution of the attacker's binary. No public exploit has been identified at time of analysis; the issue is fixed in 8.9.6 and corresponds to CWE-426 (Untrusted Search Path).

Privilege Escalation Notepad Plus Plus
NVD GitHub
CVSS 4.0
7.5
EPSS
0.1%
CVE-2026-53287 MEDIUM PATCH This Month

Silent audit trail corruption in the Linux kernel's capability auditing subsystem allows a local attacker who manipulates inheritable capabilities as a precursor to privilege escalation to have that manipulation go unrecorded in CAPSET audit logs since 2008. The `__audit_log_capset()` function records `cap_effective` into the `cap_pi` (inheritable) field due to a copy-paste error, meaning compliance and forensic systems receive falsified capability state that masks the inheritable-cap modification step of a privilege escalation chain. No public exploit has been identified at time of analysis, and the EPSS score of 0.18% (7th percentile) reflects that exploitation as a standalone attack is not observed in the wild.

Privilege Escalation Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-57518 HIGH POC This Week

Privilege escalation to remote code execution in Pagekit CMS 1.0.18 lets an authenticated user holding the 'user: manage users' permission grant themselves arbitrary custom roles via an unprotected UserApiController::saveAction(), then assign a role carrying 'system: manage packages' to upload a malicious PHP package through the admin installer and run arbitrary code. Publicly available exploit code exists (gist by sermikr0, reported by VulnCheck), and the chain converts a limited management permission into full server compromise. No public evidence of active exploitation has been confirmed (not in CISA KEV).

Authentication Bypass RCE Privilege Escalation PHP Pagekit
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-9640 HIGH PATCH This Week

Privilege escalation in Canonical LXD (versions 6.0-6.8, 5.21.0-5.21.4, and 5.0.0-5.0.6) allows an authenticated project operator in a restricted multi-tenant deployment to escape tenant confinement and obtain host root. Because project-restriction policies are not re-validated when an instance backup is imported and its snapshot restored, an operator can smuggle restricted configuration keys into a snapshot, restore them onto the live instance, and start it to gain unauthorized root on the host. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but a vendor patch and the fixing source code are available.

Authentication Bypass Privilege Escalation Lxd
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-56038 HIGH This Week

Privilege escalation in the Frisbii Pay (reepay-checkout-gateway) WordPress plugin through version 1.8.2 allows a low-privileged authenticated user holding a Contributor role to elevate to higher privileges due to a missing authorization check. Reported through Patchstack's audit program and tagged as both Authentication Bypass and Privilege Escalation, the flaw carries a CVSS 8.8 and full confidentiality, integrity, and availability impact, meaning a successful actor can effectively take administrative control of the affected WordPress site. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-56033 CRITICAL Act Now

Privilege escalation in Dokan Pro (the WordPress/WooCommerce multivendor marketplace plugin) versions 5.0.4 and earlier lets unauthenticated remote attackers gain elevated privileges, scoring CVSS:3.1 9.8 Critical via AV:N/AC:L/PR:N/UI:N with full confidentiality, integrity, and availability impact. The flaw is classed as CWE-266 (Incorrect Privilege Assignment), meaning the plugin grants privileges it should not to an unauthenticated requester. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-56030 CRITICAL Act Now

Unauthenticated privilege escalation in the Paytium WordPress plugin (Mollie payment forms and donations) through version 5.0.2 allows remote attackers with no authentication to gain elevated privileges, with CVSS 9.8 indicating full compromise of confidentiality, integrity, and availability. The flaw stems from incorrect privilege assignment (CWE-266), meaning a low- or no-privilege actor can be granted rights they should not have. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-56028 CRITICAL Act Now

Privilege escalation in the Easy Elements for Elementor - Addons & Website Templates WordPress plugin (versions <= 1.4.9) allows remote attackers to gain elevated privileges without authentication, per the CVSS:3.1 vector (PR:N). Classified as CWE-266 (Incorrect Privilege Assignment) and rated CVSS 9.8 with full confidentiality, integrity, and availability impact, the flaw was reported by the Patchstack security team. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-56010 HIGH This Week

Privilege escalation in the Abandoned Cart Pro for WooCommerce plugin (versions <= 10.4.0) allows an authenticated low-privileged user (Subscriber) to elevate their own permissions and gain higher-privileged capabilities within the WordPress site. The flaw, reported by Patchstack and classified as CWE-266 (Incorrect Privilege Assignment), carries a CVSS 8.8 and is network-exploitable with low complexity once an attacker holds any minimal account. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

WordPress Privilege Escalation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-56008 HIGH This Week

Privilege escalation in the Fusion Builder WordPress plugin (versions 3.15.4 and earlier) lets a low-privileged authenticated user, such as a Contributor, gain capabilities far beyond their role and effectively act as an administrator. The flaw was reported by Patchstack and carries a CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because Fusion Builder is the page builder bundled with the widely sold Avada theme, the exposure spans a large number of WordPress sites that allow self-registration or untrusted contributor accounts.

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-45256 MEDIUM This Month

Signal delivery bypass in FreeBSD's thr_kill2(2) system call allows an unprivileged local user - or a jailed process - to send arbitrary signals to any process on the system, including root-owned processes and critical daemons, causing Denial of Service. The flaw stems from a missing check on the return value of p_cansignal(), the kernel's permission enforcement primitive: the signal is unconditionally delivered before the error is propagated to the caller. No public exploit has been identified at time of analysis and SSVC assesses exploitation as none, though globally sequential thread IDs reduce the skill requirement to simple brute force, and the jail boundary bypass adds a container-escape dimension absent from the base CVSS score.

Privilege Escalation Denial Of Service Freebsd
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-57924 MEDIUM PATCH This Month

Excessive user profile data disclosure in JetBrains YouTrack before 2026.2.16593 results from overly permissive default role configuration, allowing any authenticated low-privilege user to read more user profile attributes than intended. The root cause is CWE-276 (Incorrect Default Permissions), where the shipped default role grants broader read access to user directory data than the principle of least privilege requires. No public exploit or confirmed active exploitation exists at time of analysis.

Privilege Escalation Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-48722 Maven MEDIUM PATCH GHSA This Month

Insecure default file permissions in Nextflow's `auth login` command expose Seqera Platform OIDC bearer tokens to any local user on shared POSIX systems running affected versions 25.09.2-edge through 26.04.1. The credential file `seqera-auth.config` is written via Java NIO without explicit permission bits, landing at mode 0644 under the typical umask 022, making it world-readable on HPC login nodes, shared workstations, and jump hosts - exactly the infrastructure where Nextflow is most commonly deployed. No public exploit has been identified at time of analysis and this vulnerability is not currently in the CISA KEV catalog, but the attack requires only a standard local account and trivial filesystem read, making it a practical lateral-movement primitive in multi-tenant research computing environments.

Privilege Escalation Java
NVD GitHub
CVSS 3.1
5.5
CVE-2026-40702 CRITICAL CISA Emergency

Authentication bypass in Evoke Systems' Evoke CSMS (EV Charging Station Management System) lets remote unauthenticated attackers connect to its WebSocket endpoints and impersonate legitimate charging stations. Because the OCPP-style WebSocket channel performs no authentication, an attacker can read sensitive station/session data and issue unauthorized commands, leading to privilege escalation and potential compromise of the broader charging backend. CVSS 4.0 rates this 9.3 (Critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though it is the subject of a CISA ICS advisory (ICSA-26-176-02).

Authentication Bypass Privilege Escalation Information Disclosure Evoke Csms
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-11800 HIGH PATCH This Week

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Red Hat Build of Keycloak 26.6/26.6.4) lets an attacker holding valid client credentials abuse a JWT algorithm-confusion weakness in the JWT Authorization Grant flow to forge client assertions and mint unauthorized access tokens. The forged tokens allow impersonation of any federated user tied to the affected Identity Provider, yielding unauthorized access and potential privilege escalation. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; Red Hat rates it 8.1 (High).

Privilege Escalation Jwt Attack Authentication Bypass Red Hat Build Of Keycloak 26 6 Red Hat Build Of Keycloak 26 6 4 +4
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-57520 HIGH POC PATCH This Week

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a Custom role with the ManageUsers permission delete Admin accounts from the organization, undermining administrative control. The flaw stems from the bulk user-remove (DELETE) endpoint omitting the role-hierarchy guard that the single-user removal path enforces, so a lower-privileged user can strip Admins by submitting their organization-user IDs in a batch request. Publicly available exploit code exists (VulnCheck/researcher write-up), it is not listed in CISA KEV, and no EPSS score was provided in the input.

Authentication Bypass Privilege Escalation Server
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-54573 MEDIUM PATCH This Month

API key scope bypass in Outline prior to 1.8.0 allows an authenticated attacker holding a limited-scope API key or OAuth token to perform actions on restricted endpoints by exploiting a URL fragment handling discrepancy. The `AuthenticationHelper.canAccess` function evaluates authorization against the fragment-appended URL path rather than the actual routed endpoint, enabling privilege escalation beyond the key's intended permissions. No public exploit code or active exploitation has been identified at time of analysis, but the low attack complexity (PR:L, AC:L) makes this straightforward to exploit for any valid API key holder.

Authentication Bypass Privilege Escalation Outline
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-57589 HIGH This Week

Local privilege escalation to root in OpenBSD through 7.9 arises from a use-after-free in the System V semaphore subsystem (sys/kern/sysv_sem.c). An authenticated local user calling sys_semget() can trigger a context-switch use-after-free after tsleep(), where a freed semid_ds_kern structure is reused, enabling kernel memory corruption and full root compromise. There is no public exploit identified at time of analysis, EPSS probability is low (0.12%), and the issue is not listed in CISA KEV; the upstream fix adds reference counting (sem_ref/sem_rele) around the sleep window.

Memory Corruption Privilege Escalation Use After Free Openbsd
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-7539 HIGH PATCH This Week

Local privilege escalation and arbitrary code execution in the HP Accessory WMI Provider installer bundled with certain HP Docking Stations allows a low-privileged local user to gain elevated (likely SYSTEM) execution. The root cause is insecure temporary-file/directory permissions used during installation (CWE-379), which an attacker can abuse to introduce or replace executable content that a privileged installer process runs. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; HP has published advisory hpsbhf04129 and is releasing software updates.

HP Privilege Escalation RCE Hp Dock Accessory
NVD
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-48725 HIGH This Week

Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stable_01) lets attacker-controlled terminal output read and write the host desktop clipboard via OSC 52 escape sequences with no confirmation prompt. Any malicious remote host, compromised program, or hostile output stream rendered in the terminal can silently exfiltrate clipboard contents (e.g. copied passwords or tokens) or plant attacker text for the user to later paste. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the fix commit is public; CVSS is 8.1 (High).

Privilege Escalation Warp
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-56269 npm MEDIUM PATCH This Month

Flowise versions 3.0.13 and earlier silently fall back to a hardcoded AES-256-CBC encryption key derived from the publicly known literal 'Secre$t' when TOKEN_HASH_SECRET is not configured, exposing the user and workspace IDs encoded in the 'meta' field of every JWT token issued by an unconfigured deployment. An authenticated user or network-positioned attacker who obtains any valid JWT can decrypt this metadata using the default key - now disclosed in the GHSA advisory and source code - and re-encrypt manipulated identifiers to probe downstream access controls. JWT signature validation is handled independently, so this does not constitute standalone token forgery, but identifier disclosure and metadata manipulation create a realistic stepping stone toward privilege escalation or unauthorized workspace access in multi-tenant deployments. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; vendor-released patch Flowise 3.1.0 is available.

Authentication Bypass Privilege Escalation Node.js Flowise
NVD GitHub
CVSS 4.0
4.3
EPSS
0.1%
CVE-2026-56245 HIGH PATCH This Week

Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing and quota records by invoking the SECURITY DEFINER record_build_time RPC with only a public anon API key. The flaw stems from missing authorization inside a privilege-elevated PostgREST function, enabling arbitrary build-time inserts against any organization. No public exploit identified at time of analysis, but the trivial network-reachable invocation pattern makes weaponization straightforward.

Privilege Escalation Denial Of Service Capgo
NVD GitHub
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-52943 HIGH PATCH This Week

Local privilege escalation in the Linux kernel networking stack (skbuff/MSG_ZEROCOPY path) allows an unprivileged local user to gain full root via a use-after-free on ubuf_info_msgzc. The pskb_carve_inside_header() and pskb_carve_inside_nonlinear() helpers memcpy the skb_shared_info (including the zerocopy destructor_arg/uarg pointer) into a new buffer without calling net_zcopy_get(), so the uarg refcount is decremented more times than it was incremented, freeing the ubuf_info while live TX skbs still reference it. A working proof-of-concept exists that achieves reliable root escalation on a default kernel configuration; the issue is not listed in CISA KEV and EPSS probability is low (0.21%, 11th percentile).

Privilege Escalation Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-12417 CRITICAL POC Act Now

Unauthenticated account takeover in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password - including administrators - via the unauthenticated `pravel_change_password` AJAX action. No public exploit identified at time of analysis, but the trivially-bypassable empty-string comparison and AV:N/AC:L/PR:N/UI:N vector make exploitation essentially one HTTP request. The plugin's small footprint likely keeps EPSS low, but any site running it is fully exposed.

Authentication Bypass PHP Privilege Escalation WordPress Signup Signin
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-4297 HIGH This Week

Privilege escalation in the Welcome Software Publishing WordPress plugin (versions ≤ 0.0.31) allows any authenticated user with Subscriber-level access or above to update arbitrary WordPress options via the nc.setOption XML-RPC method. By modifying the default_role option to 'administrator' and registering a new account, attackers achieve full site takeover. No public exploit identified at time of analysis, but the attack pattern is trivial and well-documented for similar WordPress XML-RPC missing-capability flaws.

Authentication Bypass Privilege Escalation WordPress Welcome Software Publishing
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-12112 HIGH PATCH This Week

Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take over active administrative sessions by reusing leaked session IDs that the server caches without re-validating authentication tokens. Because session IDs are written to standard logs, any user with log read access can replay them to gain administrative control and pivot to infrastructure-wide code execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Authentication Bypass Privilege Escalation Red Hat Satellite 6
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-55736 MEDIUM PATCH This Month

Private argument injection in the Ash Elixir framework (versions 3.0.0 through 3.29.2) allows end users to set action arguments explicitly marked public?: false, which are designed to be controlled exclusively by trusted server-side code. The filtering logic in both the regular changeset path and the atomic changeset path fails to enforce the public? flag when input parameters arrive as string (binary) keys - the default format for user-supplied JSON or form data. An attacker who submits a string-keyed parameter matching a private argument name can inject an arbitrary value, potentially enabling privilege escalation or integrity violations if that argument drives authorization decisions such as acting_user_id or record ownership. No public exploit code has been identified and this vulnerability is not listed in CISA KEV.

Privilege Escalation Ash
NVD GitHub
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-52815 Go MEDIUM POC PATCH GHSA This Month

Unauthenticated organization team enumeration in Gogs exposes team IDs, names, descriptions, and permission levels (read/write/admin/owner) to any network-accessible caller without credentials. All versions prior to 0.14.3 are affected - the `GET /api/v1/orgs/:orgname/teams` endpoint was placed in a route group missing the `reqToken()` middleware, meaning the `orgAssignment(true)` middleware loads the org object but enforces no authentication. A publicly available proof-of-concept demonstrates exploitation via a single unauthenticated `curl` command. No KEV listing is present, but the low attack complexity and zero authentication requirement make this a meaningful reconnaissance aid for follow-on attacks against Gogs installations.

Privilege Escalation Information Disclosure
NVD GitHub
CVSS 4.0
5.5
EPSS
1.6%
CVE-2026-52808 Go HIGH PATCH GHSA This Week

Privilege escalation in Gogs self-hosted Git service (versions < 0.14.3) allows write-level repository collaborators to perform admin-only operations via three API endpoints (PATCH /issue-tracker, PATCH /wiki, POST /mirror-sync) that are incorrectly gated by reqRepoWriter() instead of reqRepoAdmin(). Authenticated collaborators can inject attacker-controlled external tracker/wiki URLs to redirect repository visitors to phishing sites, disable native features, or trigger mirror syncs. No public exploit identified at time of analysis, though a detailed proof-of-concept appears in the GitHub Security Advisory.

Privilege Escalation
NVD GitHub
CVSS 3.1
7.1
EPSS
0.5%
CVE-2026-52806 Go CRITICAL PATCH GHSA Act Now

Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation.

Command Injection Docker Apple Privilege Escalation Ubuntu +3
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
1.0%
CVE-2026-52804 Go MEDIUM PATCH GHSA This Month

Privilege escalation in Gogs versions prior to 0.14.3 allows repository admin collaborators to elevate their own access to owner-level by exploiting an off-by-one boundary check in the `ChangeCollaborationAccessMode` function. The web route accepts a raw integer `mode` query parameter, and the faulty guard `mode > AccessModeOwner` evaluates to false when mode equals 4, letting an admin (mode=3) POST `mode=4` to silently receive full owner privileges - including the ability to delete the repository, transfer ownership, and erase wiki data. No public exploit identified at time of analysis, though the advisory includes complete reproduction steps that function as a de facto proof of concept.

Privilege Escalation
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-56694 MEDIUM PATCH This Month

Privilege escalation in NanoClaw before 2.1.0 lets scoped admins cross agent-group authorization boundaries by submitting forged or stale connect callback values during the channel-registration approval flow. The `handleChannelApprovalResponse` function accepted any `connect:ag-X` callback value without verifying that the approver held admin privileges over the target agent group, allowing a scoped admin to wire messaging channels into groups they do not govern. No active exploitation has been confirmed (not listed in CISA KEV), and an upstream fix is available in commit 0eef8fafdd7c475ab5fd8d37ea566a81e74cd834 (PR #2566).

Authentication Bypass Privilege Escalation Nanoclaw
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56693 MEDIUM PATCH This Month

Privilege escalation in NanoClaw before 2.1.17 allows confined agent containers to bypass their architectural confinement boundary by invoking the `create_agent` delivery-action handler without host-side authorization. The handler performed privileged central-database writes - creating agent groups, container configurations, and destinations - gated only by a container-side MCP tool check that, being inside the untrusted container, is trivially bypassed by writing outbound system rows directly. No public exploit identified at time of analysis; a vendor patch is available and the fix is documented in a public GitHub commit.

Privilege Escalation Nanoclaw
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-56402 HIGH PATCH This Week

Privilege escalation in NanoClaw before 2.1.17 lets remote attackers with a valid questionId approve or reject privileged actions (such as package installation) by submitting crafted approval response payloads. The handleApprovalsResponse function dispatches sensitive handlers without verifying the responder holds an owner/admin role, turning approval callbacks into an authorization bypass. Publicly available exploit code exists via the upstream patch diff, but no active exploitation is currently confirmed.

Authentication Bypass Privilege Escalation Nanoclaw
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56301 npm MEDIUM PATCH This Month

Nuxt's development server on Linux exposes an unprotected vite-node IPC server via a Linux abstract-namespace Unix socket, enabling unprivileged co-resident users to read arbitrary files - including .env secrets and SSH private keys - through the SSR module pipeline. Affected are Nuxt 4.0.0 through 4.4.6 and Nuxt 3.18.0 through 3.21.6 when running `nuxt dev` on Linux with Node.js 20+, outside Docker or StackBlitz. No public exploit has been identified at time of analysis, but exploitation demands only a local shell account and basic Unix socket programming knowledge; production builds are entirely unaffected.

Privilege Escalation Nuxt
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-56225 HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 lets authenticated holders of an app-scoped public API key enumerate, modify, or delete other API keys on the same account that belong to different applications. The flaw stems from missing limited_to_apps enforcement in the get/put/delete/post key-management handlers, which only validate the limited_to_orgs scope. No public exploit identified at time of analysis, though the issue is disclosed via a GitHub Security Advisory and VulnCheck.

Privilege Escalation Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-48170 npm CRITICAL PATCH GHSA Act Now

Prototype pollution in the npm package scim-patch (versions <= 0.9.0) allows authenticated SCIM provisioning clients to mutate Object.prototype process-wide by submitting a PATCH operation whose value object contains a key such as `__proto__.someProp` or `constructor.prototype.someProp`. Because the side effect persists for the lifetime of the Node process and leaks into every plain object, downstream code that checks flags like `req.user.isAdmin` against unpolluted plain objects can suffer privilege escalation, logic bypass, or denial of service. Publicly available exploit code exists (proof-of-concept in the GHSA advisory and now in the package's test suite); no public exploit identified as in-the-wild use at time of analysis.

Prototype Pollution Privilege Escalation Node.js
NVD GitHub
CVSS 3.1
9.1
CVE-2026-46607 PyPI HIGH PATCH GHSA This Week

Local arbitrary code execution in Glances versions prior to 4.5.5 occurs when the daemon deserializes its version-check cache file via pickle.load() without integrity validation. An attacker with write access to the Glances user's XDG cache directory (~/.cache/glances/glances-version.db) can plant a malicious pickle that executes as the Glances process user - frequently root - on next startup. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis as actively weaponized.

Docker Python Privilege Escalation RCE Deserialization +1
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-44778 Go LOW PATCH GHSA Monitor

Denial of service in Inspektor Gadget's USDT note parser (pkg/uprobetracer/usdt.go) allows an unprivileged container process to crash or OOM-kill the privileged IG host process by placing a crafted ELF binary at a path targeted by a custom USDT gadget. Two distinct attack vectors exist: a panic from out-of-bounds slice access when DescSize is artificially small, and unbounded memory allocation (~4 GiB) when NameSize or DescSize is set to 0xFFFFFFFF. No public exploit identified at time of analysis; critically, no gadget shipped by the Inspektor Gadget project uses USDT probes, so only deployments running operator-developed custom USDT gadgets are exposed.

RCE Denial Of Service Privilege Escalation Kubernetes
NVD GitHub
CVE-2026-33646 Cargo CRITICAL PATCH GHSA Act Now

Arbitrary code execution in mise (jdx/mise) versions prior to 2026.3.10 allows attackers to run shell commands as the victim user simply by having them `cd` into a directory containing a malicious `.tool-versions` file. Unlike `.mise.toml`, `.tool-versions` files bypass the trust verification gate in non-paranoid mode, so the Tera template engine's `exec()` function fires silently from the shell `hook-env`. No public exploit identified at time of analysis beyond the detailed reporter PoC, but exploitation is trivial and a working PoC is embedded in the advisory.

RCE Python Apple Privilege Escalation Code Injection
NVD GitHub
CVSS 3.1
9.6
EPSS
0.7%
CVE-2026-32315 PyPI MEDIUM PATCH GHSA This Month

World-readable configuration file permissions in motionEye <= 0.43.1b4 expose the admin SHA1 password hash to any local user account on the host. The flaw affects both supported installation methods (manual and motioneye_init), making it a software default rather than a deployment error. Proof-of-concept code is publicly available in the vendor's GitHub Security Advisory; when chained with GHSA-45h7-499j-7ww3 (hash-as-signing-key authentication bypass) and CVE-2025-60787 (OS command injection requiring admin auth), a local unprivileged attacker can escalate to the Motion daemon user - often root - without any elevated privileges. No active exploitation is confirmed in CISA KEV at time of analysis.

Command Injection Authentication Bypass Information Disclosure Privilege Escalation
NVD GitHub
CVSS 3.1
5.5
EPSS
2.9%
CVE-2026-54099 HIGH This Week

Privilege escalation in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform allows a compromised Windows worker node holding WICD credentials to obtain a cluster-administrator client certificate. The WICD CSR auto-approver checks for the system:wicd-nodes organization but fails to reject additional organization values such as system:masters, enabling full cluster takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Microsoft Red Hat Red Hat Openshift Container Platform 4 Red Hat Openshift For Windows Containers
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation to Administrator in the LatePoint booking plugin for WordPress (versions up to and including 5.6.3) lets an authenticated Agent-level user hijack any WordPress account by abusing an Insecure Direct Object Reference in OsOrdersController::create_or_update(). By supplying an arbitrary order[customer_id], an attacker overwrites the email of any LatePoint customer - including one tied to a WordPress Administrator - and then logs in as that user because OsAuthHelper::authorize_customer() never checks the linked account's role. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not on CISA KEV, though the root-cause code paths are pinpointed in public plugin source.

Privilege Escalation WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Account-takeover privilege escalation in the SMS Alert - SMS & OTP for WooCommerce WordPress plugin (versions up to and including 3.9.5) lets unauthenticated remote attackers change any user's email address and trigger a password reset, seizing administrator accounts. The flaw stems from the OTP-based password-reset flow failing to verify the requester's identity before updating account details. No public exploit has been identified at time of analysis, though the issue was disclosed by Wordfence and carries a 9.8 CVSS rating.

Authentication Bypass WordPress Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Dokan Pro WooCommerce multivendor plugin for WordPress (all versions through 5.0.4) allows an authenticated vendor-level attacker to grant themselves or a controlled vendor_staff account the WordPress administrator capability, resulting in full site takeover. The flaw stems from the update_capabilities() REST handler accepting arbitrary capability strings with no allowlist, only checking for the dokandar capability. No public exploit has been identified at time of analysis, and no EPSS or KEV signals were supplied; however, the issue is reported by Wordfence and exploitation is straightforward on sites where the Vendor Staff module is enabled and vendor self-registration is permitted.

Privilege Escalation WordPress Dokan Pro
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM This Month

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System-level access to bypass permission enforcement (CWE-280) and escalate further within the device. The vulnerability is confirmed by MediaTek in their July 2026 Product Security Bulletin (Patch ID: MOLY01716533, Issue ID: MSV-6309) and affects a broad swath of chipsets spanning low-end to flagship tiers. No user interaction is required for exploitation, but the prerequisite of System-level access significantly constrains the realistic attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis.

Privilege Escalation Mediatek Chipset
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Android devices, delivering full confidentiality, integrity, and availability impact. Twenty-two specific MediaTek SoC variants are confirmed affected, spanning the MT6xxx and MT8xxx mid-range and budget families. No public exploit has been identified at time of analysis; MediaTek has issued patch ALPS11006447 via their July 2026 security bulletin, but exploitation requires a pre-existing System-level privilege on the device, making this a chaining vulnerability rather than a standalone entry vector.

Privilege Escalation Heap Overflow Buffer Overflow +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a rogue base station to corrupt modem memory via a missing bounds check (out-of-bounds write, CWE-787). Once a target UE camps on the attacker-controlled cell, exploitation requires no user interaction and no pre-existing privileges, potentially yielding privilege escalation within the modem subsystem. Tracked in MediaTek's July 2026 Product Security Bulletin (Patch ID MOLY01402160); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Memory Corruption Privilege Escalation Buffer Overflow +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

OS-level privilege escalation in Google Chrome for Windows before 150.0.7871.47 lets a local attacker leverage an inappropriate implementation in the CredentialProvider component to elevate privileges via a malicious file. Exploitation requires local access plus user interaction (UI:R), and though Google rated the Chromium security severity 'Low', the CVSS 3.1 base score is 7.8 (High) due to full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the EPSS probability is very low at 0.11% (2nd percentile).

Privilege Escalation Microsoft Google +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Google Chrome's Cast component before 150.0.7871.47 allows a remote attacker who has already compromised the renderer process to escape renderer-level restrictions and gain higher privileges via a crafted HTML page. Rated Low severity by Chromium despite a 7.5 CVSS, it functions as a second-stage sandbox-escape primitive rather than a standalone initial-access bug. There is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile), indicating minimal near-term mass-exploitation risk.

Privilege Escalation Google Suse
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use after free in Installer in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Low)

Memory Corruption Google Microsoft +4
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Google Chrome's WebRTC component (versions prior to 150.0.7871.47) allows a remote attacker to escape normal renderer restrictions when a victim opens a crafted HTML page, per the CVSS vector achieving high confidentiality, integrity, and availability impact. Exploitation requires user interaction (visiting a malicious page) but no prior authentication. There is no public exploit identified at time of analysis, and the EPSS score is low (0.17%, 7th percentile); notably, Google/Chromium rated this 'Low' severity while the NVD CVSS is 8.8 (High), a discrepancy defenders should weigh.

Privilege Escalation Google Suse
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome's Chromoting (Chrome Remote Desktop) component on Windows before 150.0.7871.47 allows a local attacker who plants a malicious file to elevate privileges after the victim interacts with it. The flaw stems from insufficient validation of untrusted input (CWE-20) and carries a 7.8 CVSS but was rated Low severity by Chromium's own team. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.13%, 3rd percentile), consistent with a local, interaction-dependent issue rather than a mass-exploitable one.

Privilege Escalation Microsoft Google +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Google Chrome desktop before 150.0.7871.47 stems from insufficient policy enforcement in the Serial (Web Serial API) component, allowing a remote attacker who lures a victim to a crafted HTML page to escalate privileges within the browser. Note the signal conflict: NVD scores this 8.8 (High) with high confidentiality/integrity/availability impact, yet Chromium's own triage rates the security severity as Low. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS is very low at 0.17% (7th percentile).

Privilege Escalation Google Suse
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Google Chrome desktop before 150.0.7871.47 stems from insufficient policy enforcement in the Bluetooth subsystem, letting a remote attacker who lures a victim to a crafted HTML page cross a security boundary the browser is supposed to guard. Google's Chrome release channel and the NVD-assigned CVSS 3.1 base score of 8.8 (High) diverge from Chromium's own internal 'Low' severity rating, signaling the practical impact is likely narrower than the raw score implies. There is no public exploit identified at time of analysis, and the EPSS probability is low at 0.17% (7th percentile), consistent with no active exploitation reported.

Privilege Escalation Google Suse
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome's Updater component on Windows (versions prior to 150.0.7871.47) allows a local attacker to escalate to OS-level privileges via a malicious file that triggers a use-after-free condition. Google rates the Chromium security severity as Medium, though the CVSS base score is 7.8 (High) because the Updater runs with elevated (SYSTEM) privileges. There is no public exploit identified at time of analysis and EPSS is very low (0.11%, 1st percentile), indicating negligible observed exploitation activity.

Memory Corruption Google Microsoft +4
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Insufficient validation of untrusted input in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Suse
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Insufficient validation of untrusted input in UI in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium)

Privilege Escalation Google Suse
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Suse
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Insufficient policy enforcement in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Authentication Bypass +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Google Chrome's Extensions component (versions prior to 150.0.7871.47) lets a remote attacker who has already compromised the renderer process break out via a crafted HTML page. Rated Medium by Chromium and CVSS 7.5, it stems from insufficient validation of untrusted input (CWE-20) and requires user interaction plus a pre-existing renderer foothold. There is no public exploit identified at time of analysis, EPSS is low (0.22%, 12th percentile), and it is not on CISA KEV.

Privilege Escalation Google Suse
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation in Google Chrome desktop prior to 150.0.7871.47 stems from insufficient policy enforcement in the WebHID subsystem, letting a maliciously crafted extension escape its intended boundaries and gain elevated access to human-interface devices and browser privileges. Exploitation first requires convincing a victim to install the malicious extension, after which a crafted Chrome Extension bypasses WebHID access controls. Chromium rates the issue Medium; no public exploit is identified at time of analysis and EPSS exploitation probability is low (0.13%, 3rd percentile).

Authentication Bypass Privilege Escalation Google +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Google Chrome for Android (CustomTabs) prior to 150.0.7871.47 allows a local attacker to escalate privileges by supplying a malicious file that CustomTabs fails to validate properly. Google rates the Chromium severity as Medium, and the requirement for user interaction plus local access limits remote mass exploitation. No public exploit has been identified at time of analysis and the EPSS score is very low (0.13%, 3rd percentile), so opportunistic exploitation appears unlikely.

Privilege Escalation Google Suse
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Google Chrome for Android before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out further by feeding a crafted HTML page into the Speech component, which fails to validate untrusted input (CWE-20). Google rated it Medium severity; a fix has shipped in the Stable channel, EPSS is low (0.21%, 11th percentile), and there is no public exploit identified at time of analysis. This is a sandbox-escape-class chaining bug rather than a standalone remote drive-by, since it presupposes a prior renderer compromise.

Privilege Escalation Google Suse
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local OS-level privilege escalation in Google Chrome on Windows (versions prior to 150.0.7871.47) arises from a use-after-free in the Chrome Updater component, letting a local attacker who can plant a malicious file on the system elevate to higher OS privileges. Google rates the Chromium severity as High and has released a fixed Stable channel build; there is no public exploit identified and it is not listed in CISA KEV. EPSS is low at 0.13% (3rd percentile), consistent with a bug that requires local access and user interaction rather than mass remote exploitation.

Memory Corruption Google Microsoft +4
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome's Updater component on macOS versions prior to 150.0.7871.47 lets an attacker abuse a use-after-free (CWE-416) via a malicious file to gain the elevated privileges under which the updater runs. Google rates the Chromium severity as High, and the CVSS 3.1 base score is 7.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS is low at 0.13% (3rd percentile), consistent with the SSVC exploitation status of 'none'.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Google Chrome's Extensions subsystem before version 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of that context and gain elevated privileges by delivering a crafted HTML page. Google rates the Chromium severity as High, and the assigned CVSS is 7.5 (AV:N/AC:H). There is no public exploit identified at time of analysis, EPSS is low (0.21%, 11th percentile), and CISA's SSVC framework records exploitation status as none, indicating this is currently a patch-and-move-on issue rather than an active threat.

Privilege Escalation Google Suse
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Google Chrome Updater on Windows (versions prior to 150.0.7871.47) allows a local attacker to gain OS-level privileges by planting a malicious file that the Updater component mishandles. Rated High by Chromium and CVSS 7.8, exploitation requires local access plus user interaction; there is no public exploit identified at time of analysis, and EPSS is low at 0.13% (3rd percentile). A vendor patch is available in the June 2026 Stable Channel release.

Authentication Bypass Privilege Escalation Microsoft +2
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in phpMyFAQ before 4.1.5 lets a delegated administrator holding the GROUP_EDIT right elevate to full administrative control. Because GroupController::updatePermissions never verifies that the caller already possesses the permissions being assigned, a low-privileged admin can grant high-value rights to a group they belong to and inherit those rights. The flaw was reported by VulnCheck; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Privilege Escalation Phpmyfaq
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a path-traversal flaw in the builder upload proxy to reach internal administrative endpoints. By appending traversal sequences to the upload path - which the WHATWG URL parser normalizes - an attacker pivots requests carrying the privileged BUILDER_API_KEY header, turning limited build access into SSRF and elevated server-side privileges. Reported by VulnCheck with a CVSS 4.0 score of 8.7; no public exploit identified at time of analysis.

Privilege Escalation Path Traversal Capgo
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation in the HP Fan Control App lets a low-privileged local user gain SYSTEM/administrator-level execution on affected HP endpoints. The flaw stems from CWE-428 (Unquoted Search Path or Element), a classic Windows weakness where a privileged service or process resolves an executable or library from an attacker-controllable path. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; EPSS data was not provided.

HP Privilege Escalation Hp Fan Control App
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. A working reproduction payload is published in the GitHub advisory; the impact is availability-only with no code execution, and there is no public exploit identified beyond that payload and no evidence of active exploitation.

Authentication Bypass Microsoft RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Privilege escalation in OpenZiti through 2.0.0 lets an authenticated non-admin identity that holds fine-grained enrollment-management permissions mint an enrollment for any identity - including the built-in default administrator - and then redeem the resulting one-time token via the unauthenticated client enrollment API to receive a client certificate that authenticates as that admin, granting full control of the controller and the entire zero-trust overlay. The root cause is a missing authorization check (CWE-862) in the enrollment creation path. Publicly available exploit details exist (reported by VulnCheck, GitHub issue #4010) and a vendor fix is available; no public exploit identified as actively used at time of analysis.

Authentication Bypass Privilege Escalation Ziti
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Privilege escalation in Red Hat Build of Keycloak allows an operator holding the manage-clients permission to inject a hardcoded role mapper into any client configuration, causing the realm-admin role to appear in subsequently issued tokens. This effectively grants the attacker full administrative control over the entire Keycloak realm, overriding scope restrictions that are intended to prevent exactly this delegation boundary crossing. No active exploitation has been confirmed (not listed in CISA KEV), no public proof-of-concept has been identified at time of analysis, and no EPSS data was available; however, the high-impact nature of achieving realm-admin privileges makes this a meaningful insider or delegated-admin threat.

Privilege Escalation Red Hat Build Of Keycloak
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Nokia MantaRay NM (network management) lets an attacker who already holds local administrative privileges abuse a misconfigured sudo command set to obtain full root access on the host, gaining complete control of the filesystem and arbitrary root command execution. The flaw was reported by Nokia and affects versions prior to NM 25R1-NM, with no public exploit identified at time of analysis and a low EPSS exploitation probability of 0.17%.

Privilege Escalation Nokia Mantaray Nm
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Use-after-free in the SSSD PAM responder crashes the authentication daemon when a local attacker manipulates YubiKey or smartcard contents during an authentication attempt on Red Hat Enterprise Linux 6 through 10. The primary realized impact is a denial of service - the PAM responder crash disrupts all authentication - but the underlying memory corruption also presents a difficult-to-exploit privilege escalation path. No public exploit code exists at time of analysis, and the CVSS vector (AV:L/AC:H/PR:H) reflects a tightly constrained local attack requiring high privileges and significant complexity, limiting realistic blast radius to insider-threat and physical-access scenarios.

Privilege Escalation Denial Of Service Red Hat Enterprise Linux 10 +8
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Account takeover in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (all versions through 5.9.9.5) lets unauthenticated remote attackers hijack the site administrator account. The plugin fails to validate a `user_login` value on registration forms lacking that parameter and mishandles the resulting error messages, allowing an attacker to overwrite the email address of the user with ID=1 (typically the admin) and then trigger a password reset to seize full control. Reported by Wordfence with a 9.8 CVSS; no public exploit identified at time of analysis.

Authentication Bypass WordPress Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Local privilege escalation to root in LinuxCNC (linuxcnc-uspace) before 2.9.9 lets any unprivileged local user execute arbitrary code as root. The SUID-root rtapi_app helper accepts a user-supplied module name and passes it to dlopen() without sufficient validation, so path traversal lets an attacker load an arbitrary attacker-controlled shared library while the process is still privileged. No public exploit identified at time of analysis and the issue is not in CISA KEV; an upstream fix is available in version 2.9.9.

Privilege Escalation Path Traversal Linuxcnc
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Privilege escalation in SUSE Rancher (Kubernetes management platform) allows a user holding the Project Owner role to improperly escalate their privileges beyond their assigned project scope, per advisory GHSA-vx8h-4prv-g744. Affected releases are 2.14 before 2.14.2, 2.13 before 2.13.6, and 2.12 before 2.12.10. There is no public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.4 and scope-changing impact mean a successful escalation can compromise cluster-wide confidentiality, integrity, and availability.

Privilege Escalation Rancher
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Local privilege escalation in the attr package's getfattr and setfattr utilities (versions before 2.6.0) allows an attacker who controls a pathname component to swap it for a symbolic link during directory hierarchy traversal, redirecting attribute operations to arbitrary files. When these utilities are invoked by a privileged process over an attacker-influenced path, the attacker can read or write extended attributes on files outside their authority, leading to escalation to higher privileges. The flaw was reported by VulnCheck; no public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Privilege Escalation Acl
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Local privilege escalation in the Linux acl package (libacl/getfacl/setfacl/chacl) before version 2.4.0 lets an unprivileged local user who controls a component of a pathname win a TOCTOU race, redirecting privileged file-ACL operations to arbitrary files. By swapping a path component for a symlink between the lstat() validation and the follow-on stat()/chown()/chmod()/acl_get_file()/acl_set_file() calls, an attacker can manipulate ownership and ACLs on targets they should not control, yielding root-equivalent escalation. No public exploit identified at time of analysis; the issue was reported by VulnCheck and is fixed upstream.

Privilege Escalation Acl
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH Monitor

Local privilege escalation in the Linux acl utilities (libacl) before version 2.4.0 arises because the pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() follow symbolic links during ACL read/write operations. An attacker who controls any component of a pathname processed by a privileged caller can substitute a symlink to redirect ACL operations to arbitrary files, manipulating access control lists outside their authority. No public exploit identified at time of analysis, and the issue is not in CISA KEV; risk is gated on a privileged process operating on attacker-influenced paths.

Privilege Escalation Acl
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Arbitrary file overwrite in libzypp before 17.38.10 lets a remote attacker who controls a software repository plant crafted repository metadata (repomd/SUSE content files) with '../' location paths that escape the repo root, allowing files anywhere on the system to be overwritten when a victim adds and refreshes that repository. Because zypper-based refresh operations typically run as root, this can escalate to privilege escalation or denial of service. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Privilege Escalation Path Traversal Denial Of Service +1
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Matrix42 Empirum (versions before 25.5 and 26.x before 26.2) lets any authenticated low-privileged user gain SYSTEM execution by abusing the PBackupVSS.exe service's named pipe. The pipe \\.\pipe\PBackupVSS is created with an overly permissive DACL granting GENERIC_READ/GENERIC_WRITE to all authenticated users, so an attacker can send crafted IPC messages that drive the SYSTEM-level service into running an attacker-supplied shadow.exe from a controlled working directory. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but exploitation is mechanically straightforward once on the host.

Privilege Escalation N A
NVD
EPSS 0% CVSS 8.6
HIGH POC This Week

Privilege escalation in MyBB 1.8.40 lets a limited Admin Control Panel (ACP) user who holds only the delegated user-management permission promote any account into the Administrators usergroup (gid 4), gaining the full Administrator permission set. The flaw stems from the user module exposing the Administrators group as an assignable option while the datahandler's verify_usergroup() unconditionally returns true, performing no authorization check on the target group. Publicly available exploit code exists (VulnCheck), though the issue is not listed in CISA KEV and has no public evidence of active exploitation.

Privilege Escalation Mybb
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now

Container escape in Gitea act_runner (Docker backend, through act 0.262.0) lets an authenticated user with workflow-execution rights break out to the host as root even when privileged mode is disabled. The runner passes a workflow's container.options string straight into the Docker job container's HostConfig and only forces the Privileged flag off, leaving dangerous options like --pid=host, --cap-add, and --security-opt intact. Publicly available exploit code exists (reported by VulnCheck), though it is not listed in CISA KEV.

Privilege Escalation Gitea Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in the FreeBSD kernel arises from a use-after-free in the IPv6 multicast source-filter handler (IPV6_MSFILTER), affecting FreeBSD 14.3, 14.4, and 15.0 releases before their respective patch levels. An unprivileged local user can win a race against the handler's dropped-then-reacquired serializing lock to free the multicast filter structure out from under the kernel, corrupting memory to gain root-level control. There is no public exploit identified at time of analysis, and EPSS is very low (0.13%), consistent with CISA SSVC marking exploitation as 'none' and not automatable.

Memory Corruption Privilege Escalation Use After Free +1
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. Rated CVSS 9.8 and reported by Wordfence; no public exploit identified at time of analysis and it is not in CISA KEV.

Privilege Escalation WordPress Invoice Generator
NVD VulDB GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Offline administrator password recovery in Kestra OSS (versions prior to 1.3.24) stems from its BasicAuth component storing the admin credential as a fast SHA-512 hash. An attacker who already holds read access to the backing PostgreSQL database can extract that hash and crack it offline at high speed, then log in as administrator; in Kubernetes deployments this further exposes the cluster ServiceAccount token and all K8s Secrets, enabling vertical privilege escalation. No public exploit identified at time of analysis and not on CISA KEV; EPSS data was not provided.

PostgreSQL Kubernetes Privilege Escalation +1
NVD GitHub VulDB
CVSS 5.5
MEDIUM POC PATCH This Month

Credential exposure in turso-cli versions 1.0.25 and earlier allows any local user on the same host to read the Turso platform JWT stored world-readable at mode 0o644 in settings.json, granting full access to all Turso organizations the victim belongs to. The root cause is turso-cli's failure to override Viper's insecure default configPermissions before writing credentials - a deviation from the explicit 0o600 baseline established by comparable CLIs including gh, aws, docker, and gcloud. A proof-of-concept demonstrating the 0o644 mode is included in the advisory; no active exploitation is listed in CISA KEV.

Privilege Escalation Apple Docker
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local privilege escalation in the Notepad++ Windows installer (versions 8.9.4 through 8.9.5) lets an unprivileged local attacker gain the elevated privileges of the installer by planting a malicious powershell.exe. Because the installer calls powershell.exe by name (not absolute path) after setting the working directory to the installation contextMenu folder, a privileged user who installs into an attacker-writable custom directory triggers execution of the attacker's binary. No public exploit has been identified at time of analysis; the issue is fixed in 8.9.6 and corresponds to CWE-426 (Untrusted Search Path).

Privilege Escalation Notepad Plus Plus
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Silent audit trail corruption in the Linux kernel's capability auditing subsystem allows a local attacker who manipulates inheritable capabilities as a precursor to privilege escalation to have that manipulation go unrecorded in CAPSET audit logs since 2008. The `__audit_log_capset()` function records `cap_effective` into the `cap_pi` (inheritable) field due to a copy-paste error, meaning compliance and forensic systems receive falsified capability state that masks the inheritable-cap modification step of a privilege escalation chain. No public exploit has been identified at time of analysis, and the EPSS score of 0.18% (7th percentile) reflects that exploitation as a standalone attack is not observed in the wild.

Privilege Escalation Linux
NVD VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Privilege escalation to remote code execution in Pagekit CMS 1.0.18 lets an authenticated user holding the 'user: manage users' permission grant themselves arbitrary custom roles via an unprotected UserApiController::saveAction(), then assign a role carrying 'system: manage packages' to upload a malicious PHP package through the admin installer and run arbitrary code. Publicly available exploit code exists (gist by sermikr0, reported by VulnCheck), and the chain converts a limited management permission into full server compromise. No public evidence of active exploitation has been confirmed (not in CISA KEV).

Authentication Bypass RCE Privilege Escalation +2
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in Canonical LXD (versions 6.0-6.8, 5.21.0-5.21.4, and 5.0.0-5.0.6) allows an authenticated project operator in a restricted multi-tenant deployment to escape tenant confinement and obtain host root. Because project-restriction policies are not re-validated when an instance backup is imported and its snapshot restored, an operator can smuggle restricted configuration keys into a snapshot, restore them onto the live instance, and start it to gain unauthorized root on the host. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but a vendor patch and the fixing source code are available.

Authentication Bypass Privilege Escalation Lxd
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Frisbii Pay (reepay-checkout-gateway) WordPress plugin through version 1.8.2 allows a low-privileged authenticated user holding a Contributor role to elevate to higher privileges due to a missing authorization check. Reported through Patchstack's audit program and tagged as both Authentication Bypass and Privilege Escalation, the flaw carries a CVSS 8.8 and full confidentiality, integrity, and availability impact, meaning a successful actor can effectively take administrative control of the affected WordPress site. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Privilege Escalation
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in Dokan Pro (the WordPress/WooCommerce multivendor marketplace plugin) versions 5.0.4 and earlier lets unauthenticated remote attackers gain elevated privileges, scoring CVSS:3.1 9.8 Critical via AV:N/AC:L/PR:N/UI:N with full confidentiality, integrity, and availability impact. The flaw is classed as CWE-266 (Incorrect Privilege Assignment), meaning the plugin grants privileges it should not to an unauthenticated requester. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Privilege Escalation
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated privilege escalation in the Paytium WordPress plugin (Mollie payment forms and donations) through version 5.0.2 allows remote attackers with no authentication to gain elevated privileges, with CVSS 9.8 indicating full compromise of confidentiality, integrity, and availability. The flaw stems from incorrect privilege assignment (CWE-266), meaning a low- or no-privilege actor can be granted rights they should not have. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in the Easy Elements for Elementor - Addons & Website Templates WordPress plugin (versions <= 1.4.9) allows remote attackers to gain elevated privileges without authentication, per the CVSS:3.1 vector (PR:N). Classified as CWE-266 (Incorrect Privilege Assignment) and rated CVSS 9.8 with full confidentiality, integrity, and availability impact, the flaw was reported by the Patchstack security team. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Abandoned Cart Pro for WooCommerce plugin (versions <= 10.4.0) allows an authenticated low-privileged user (Subscriber) to elevate their own permissions and gain higher-privileged capabilities within the WordPress site. The flaw, reported by Patchstack and classified as CWE-266 (Incorrect Privilege Assignment), carries a CVSS 8.8 and is network-exploitable with low complexity once an attacker holds any minimal account. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

WordPress Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Fusion Builder WordPress plugin (versions 3.15.4 and earlier) lets a low-privileged authenticated user, such as a Contributor, gain capabilities far beyond their role and effectively act as an administrator. The flaw was reported by Patchstack and carries a CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because Fusion Builder is the page builder bundled with the widely sold Avada theme, the exposure spans a large number of WordPress sites that allow self-registration or untrusted contributor accounts.

Privilege Escalation
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Signal delivery bypass in FreeBSD's thr_kill2(2) system call allows an unprivileged local user - or a jailed process - to send arbitrary signals to any process on the system, including root-owned processes and critical daemons, causing Denial of Service. The flaw stems from a missing check on the return value of p_cansignal(), the kernel's permission enforcement primitive: the signal is unconditionally delivered before the error is propagated to the caller. No public exploit has been identified at time of analysis and SSVC assesses exploitation as none, though globally sequential thread IDs reduce the skill requirement to simple brute force, and the jail boundary bypass adds a container-escape dimension absent from the base CVSS score.

Privilege Escalation Denial Of Service Freebsd
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Excessive user profile data disclosure in JetBrains YouTrack before 2026.2.16593 results from overly permissive default role configuration, allowing any authenticated low-privilege user to read more user profile attributes than intended. The root cause is CWE-276 (Incorrect Default Permissions), where the shipped default role grants broader read access to user directory data than the principle of least privilege requires. No public exploit or confirmed active exploitation exists at time of analysis.

Privilege Escalation Youtrack
NVD
CVSS 5.5
MEDIUM PATCH This Month

Insecure default file permissions in Nextflow's `auth login` command expose Seqera Platform OIDC bearer tokens to any local user on shared POSIX systems running affected versions 25.09.2-edge through 26.04.1. The credential file `seqera-auth.config` is written via Java NIO without explicit permission bits, landing at mode 0644 under the typical umask 022, making it world-readable on HPC login nodes, shared workstations, and jump hosts - exactly the infrastructure where Nextflow is most commonly deployed. No public exploit has been identified at time of analysis and this vulnerability is not currently in the CISA KEV catalog, but the attack requires only a standard local account and trivial filesystem read, making it a practical lateral-movement primitive in multi-tenant research computing environments.

Privilege Escalation Java
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Emergency

Authentication bypass in Evoke Systems' Evoke CSMS (EV Charging Station Management System) lets remote unauthenticated attackers connect to its WebSocket endpoints and impersonate legitimate charging stations. Because the OCPP-style WebSocket channel performs no authentication, an attacker can read sensitive station/session data and issue unauthorized commands, leading to privilege escalation and potential compromise of the broader charging backend. CVSS 4.0 rates this 9.3 (Critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though it is the subject of a CISA ICS advisory (ICSA-26-176-02).

Authentication Bypass Privilege Escalation Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Red Hat Build of Keycloak 26.6/26.6.4) lets an attacker holding valid client credentials abuse a JWT algorithm-confusion weakness in the JWT Authorization Grant flow to forge client assertions and mint unauthorized access tokens. The forged tokens allow impersonation of any federated user tied to the affected Identity Provider, yielding unauthorized access and potential privilege escalation. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; Red Hat rates it 8.1 (High).

Privilege Escalation Jwt Attack Authentication Bypass +6
NVD
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a Custom role with the ManageUsers permission delete Admin accounts from the organization, undermining administrative control. The flaw stems from the bulk user-remove (DELETE) endpoint omitting the role-hierarchy guard that the single-user removal path enforces, so a lower-privileged user can strip Admins by submitting their organization-user IDs in a batch request. Publicly available exploit code exists (VulnCheck/researcher write-up), it is not listed in CISA KEV, and no EPSS score was provided in the input.

Authentication Bypass Privilege Escalation Server
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

API key scope bypass in Outline prior to 1.8.0 allows an authenticated attacker holding a limited-scope API key or OAuth token to perform actions on restricted endpoints by exploiting a URL fragment handling discrepancy. The `AuthenticationHelper.canAccess` function evaluates authorization against the fragment-appended URL path rather than the actual routed endpoint, enabling privilege escalation beyond the key's intended permissions. No public exploit code or active exploitation has been identified at time of analysis, but the low attack complexity (PR:L, AC:L) makes this straightforward to exploit for any valid API key holder.

Authentication Bypass Privilege Escalation Outline
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation to root in OpenBSD through 7.9 arises from a use-after-free in the System V semaphore subsystem (sys/kern/sysv_sem.c). An authenticated local user calling sys_semget() can trigger a context-switch use-after-free after tsleep(), where a freed semid_ds_kern structure is reused, enabling kernel memory corruption and full root compromise. There is no public exploit identified at time of analysis, EPSS probability is low (0.12%), and the issue is not listed in CISA KEV; the upstream fix adds reference counting (sem_ref/sem_rele) around the sleep window.

Memory Corruption Privilege Escalation Use After Free +1
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation and arbitrary code execution in the HP Accessory WMI Provider installer bundled with certain HP Docking Stations allows a low-privileged local user to gain elevated (likely SYSTEM) execution. The root cause is insecure temporary-file/directory permissions used during installation (CWE-379), which an attacker can abuse to introduce or replace executable content that a privileged installer process runs. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; HP has published advisory hpsbhf04129 and is releasing software updates.

HP Privilege Escalation RCE +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Clipboard hijacking in the Warp agentic terminal (versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stable_01) lets attacker-controlled terminal output read and write the host desktop clipboard via OSC 52 escape sequences with no confirmation prompt. Any malicious remote host, compromised program, or hostile output stream rendered in the terminal can silently exfiltrate clipboard contents (e.g. copied passwords or tokens) or plant attacker text for the user to later paste. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the fix commit is public; CVSS is 8.1 (High).

Privilege Escalation Warp
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Flowise versions 3.0.13 and earlier silently fall back to a hardcoded AES-256-CBC encryption key derived from the publicly known literal 'Secre$t' when TOKEN_HASH_SECRET is not configured, exposing the user and workspace IDs encoded in the 'meta' field of every JWT token issued by an unconfigured deployment. An authenticated user or network-positioned attacker who obtains any valid JWT can decrypt this metadata using the default key - now disclosed in the GHSA advisory and source code - and re-encrypt manipulated identifiers to probe downstream access controls. JWT signature validation is handled independently, so this does not constitute standalone token forgery, but identifier disclosure and metadata manipulation create a realistic stepping stone toward privilege escalation or unauthorized workspace access in multi-tenant deployments. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; vendor-released patch Flowise 3.1.0 is available.

Authentication Bypass Privilege Escalation Node.js +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing and quota records by invoking the SECURITY DEFINER record_build_time RPC with only a public anon API key. The flaw stems from missing authorization inside a privilege-elevated PostgREST function, enabling arbitrary build-time inserts against any organization. No public exploit identified at time of analysis, but the trivial network-reachable invocation pattern makes weaponization straightforward.

Privilege Escalation Denial Of Service Capgo
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel networking stack (skbuff/MSG_ZEROCOPY path) allows an unprivileged local user to gain full root via a use-after-free on ubuf_info_msgzc. The pskb_carve_inside_header() and pskb_carve_inside_nonlinear() helpers memcpy the skb_shared_info (including the zerocopy destructor_arg/uarg pointer) into a new buffer without calling net_zcopy_get(), so the uarg refcount is decremented more times than it was incremented, freeing the ubuf_info while live TX skbs still reference it. A working proof-of-concept exists that achieves reliable root escalation on a default kernel configuration; the issue is not listed in CISA KEV and EPSS probability is low (0.21%, 11th percentile).

Privilege Escalation Linux
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Unauthenticated account takeover in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password - including administrators - via the unauthenticated `pravel_change_password` AJAX action. No public exploit identified at time of analysis, but the trivially-bypassable empty-string comparison and AV:N/AC:L/PR:N/UI:N vector make exploitation essentially one HTTP request. The plugin's small footprint likely keeps EPSS low, but any site running it is fully exposed.

Authentication Bypass PHP Privilege Escalation +2
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Welcome Software Publishing WordPress plugin (versions ≤ 0.0.31) allows any authenticated user with Subscriber-level access or above to update arbitrary WordPress options via the nc.setOption XML-RPC method. By modifying the default_role option to 'administrator' and registering a new account, attackers achieve full site takeover. No public exploit identified at time of analysis, but the attack pattern is trivial and well-documented for similar WordPress XML-RPC missing-capability flaws.

Authentication Bypass Privilege Escalation WordPress +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take over active administrative sessions by reusing leaked session IDs that the server caches without re-validating authentication tokens. Because session IDs are written to standard logs, any user with log read access can replay them to gain administrative control and pivot to infrastructure-wide code execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Authentication Bypass Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Private argument injection in the Ash Elixir framework (versions 3.0.0 through 3.29.2) allows end users to set action arguments explicitly marked public?: false, which are designed to be controlled exclusively by trusted server-side code. The filtering logic in both the regular changeset path and the atomic changeset path fails to enforce the public? flag when input parameters arrive as string (binary) keys - the default format for user-supplied JSON or form data. An attacker who submits a string-keyed parameter matching a private argument name can inject an arbitrary value, potentially enabling privilege escalation or integrity violations if that argument drives authorization decisions such as acting_user_id or record ownership. No public exploit code has been identified and this vulnerability is not listed in CISA KEV.

Privilege Escalation Ash
NVD GitHub
EPSS 2% CVSS 5.5
MEDIUM POC PATCH This Month

Unauthenticated organization team enumeration in Gogs exposes team IDs, names, descriptions, and permission levels (read/write/admin/owner) to any network-accessible caller without credentials. All versions prior to 0.14.3 are affected - the `GET /api/v1/orgs/:orgname/teams` endpoint was placed in a route group missing the `reqToken()` middleware, meaning the `orgAssignment(true)` middleware loads the org object but enforces no authentication. A publicly available proof-of-concept demonstrates exploitation via a single unauthenticated `curl` command. No KEV listing is present, but the low attack complexity and zero authentication requirement make this a meaningful reconnaissance aid for follow-on attacks against Gogs installations.

Privilege Escalation Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Privilege escalation in Gogs self-hosted Git service (versions < 0.14.3) allows write-level repository collaborators to perform admin-only operations via three API endpoints (PATCH /issue-tracker, PATCH /wiki, POST /mirror-sync) that are incorrectly gated by reqRepoWriter() instead of reqRepoAdmin(). Authenticated collaborators can inject attacker-controlled external tracker/wiki URLs to redirect repository visitors to phishing sites, disable native features, or trigger mirror syncs. No public exploit identified at time of analysis, though a detailed proof-of-concept appears in the GitHub Security Advisory.

Privilege Escalation
NVD GitHub
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation.

Command Injection Docker Apple +5
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Privilege escalation in Gogs versions prior to 0.14.3 allows repository admin collaborators to elevate their own access to owner-level by exploiting an off-by-one boundary check in the `ChangeCollaborationAccessMode` function. The web route accepts a raw integer `mode` query parameter, and the faulty guard `mode > AccessModeOwner` evaluates to false when mode equals 4, letting an admin (mode=3) POST `mode=4` to silently receive full owner privileges - including the ability to delete the repository, transfer ownership, and erase wiki data. No public exploit identified at time of analysis, though the advisory includes complete reproduction steps that function as a de facto proof of concept.

Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Privilege escalation in NanoClaw before 2.1.0 lets scoped admins cross agent-group authorization boundaries by submitting forged or stale connect callback values during the channel-registration approval flow. The `handleChannelApprovalResponse` function accepted any `connect:ag-X` callback value without verifying that the approver held admin privileges over the target agent group, allowing a scoped admin to wire messaging channels into groups they do not govern. No active exploitation has been confirmed (not listed in CISA KEV), and an upstream fix is available in commit 0eef8fafdd7c475ab5fd8d37ea566a81e74cd834 (PR #2566).

Authentication Bypass Privilege Escalation Nanoclaw
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Privilege escalation in NanoClaw before 2.1.17 allows confined agent containers to bypass their architectural confinement boundary by invoking the `create_agent` delivery-action handler without host-side authorization. The handler performed privileged central-database writes - creating agent groups, container configurations, and destinations - gated only by a container-side MCP tool check that, being inside the untrusted container, is trivially bypassed by writing outbound system rows directly. No public exploit identified at time of analysis; a vendor patch is available and the fix is documented in a public GitHub commit.

Privilege Escalation Nanoclaw
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Privilege escalation in NanoClaw before 2.1.17 lets remote attackers with a valid questionId approve or reject privileged actions (such as package installation) by submitting crafted approval response payloads. The handleApprovalsResponse function dispatches sensitive handlers without verifying the responder holds an owner/admin role, turning approval callbacks into an authorization bypass. Publicly available exploit code exists via the upstream patch diff, but no active exploitation is currently confirmed.

Authentication Bypass Privilege Escalation Nanoclaw
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Nuxt's development server on Linux exposes an unprotected vite-node IPC server via a Linux abstract-namespace Unix socket, enabling unprivileged co-resident users to read arbitrary files - including .env secrets and SSH private keys - through the SSR module pipeline. Affected are Nuxt 4.0.0 through 4.4.6 and Nuxt 3.18.0 through 3.21.6 when running `nuxt dev` on Linux with Node.js 20+, outside Docker or StackBlitz. No public exploit has been identified at time of analysis, but exploitation demands only a local shell account and basic Unix socket programming knowledge; production builds are entirely unaffected.

Privilege Escalation Nuxt
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 lets authenticated holders of an app-scoped public API key enumerate, modify, or delete other API keys on the same account that belong to different applications. The flaw stems from missing limited_to_apps enforcement in the get/put/delete/post key-management handlers, which only validate the limited_to_orgs scope. No public exploit identified at time of analysis, though the issue is disclosed via a GitHub Security Advisory and VulnCheck.

Privilege Escalation Capgo
NVD GitHub
CVSS 9.1
CRITICAL PATCH Act Now

Prototype pollution in the npm package scim-patch (versions <= 0.9.0) allows authenticated SCIM provisioning clients to mutate Object.prototype process-wide by submitting a PATCH operation whose value object contains a key such as `__proto__.someProp` or `constructor.prototype.someProp`. Because the side effect persists for the lifetime of the Node process and leaks into every plain object, downstream code that checks flags like `req.user.isAdmin` against unpolluted plain objects can suffer privilege escalation, logic bypass, or denial of service. Publicly available exploit code exists (proof-of-concept in the GHSA advisory and now in the package's test suite); no public exploit identified as in-the-wild use at time of analysis.

Prototype Pollution Privilege Escalation Node.js
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local arbitrary code execution in Glances versions prior to 4.5.5 occurs when the daemon deserializes its version-check cache file via pickle.load() without integrity validation. An attacker with write access to the Glances user's XDG cache directory (~/.cache/glances/glances-version.db) can plant a malicious pickle that executes as the Glances process user - frequently root - on next startup. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis as actively weaponized.

Docker Python Privilege Escalation +3
NVD GitHub VulDB
LOW PATCH Monitor

Denial of service in Inspektor Gadget's USDT note parser (pkg/uprobetracer/usdt.go) allows an unprivileged container process to crash or OOM-kill the privileged IG host process by placing a crafted ELF binary at a path targeted by a custom USDT gadget. Two distinct attack vectors exist: a panic from out-of-bounds slice access when DescSize is artificially small, and unbounded memory allocation (~4 GiB) when NameSize or DescSize is set to 0xFFFFFFFF. No public exploit identified at time of analysis; critically, no gadget shipped by the Inspektor Gadget project uses USDT probes, so only deployments running operator-developed custom USDT gadgets are exposed.

RCE Denial Of Service Privilege Escalation +1
NVD GitHub
EPSS 1% CVSS 9.6
CRITICAL PATCH Act Now

Arbitrary code execution in mise (jdx/mise) versions prior to 2026.3.10 allows attackers to run shell commands as the victim user simply by having them `cd` into a directory containing a malicious `.tool-versions` file. Unlike `.mise.toml`, `.tool-versions` files bypass the trust verification gate in non-paranoid mode, so the Tera template engine's `exec()` function fires silently from the shell `hook-env`. No public exploit identified at time of analysis beyond the detailed reporter PoC, but exploitation is trivial and a working PoC is embedded in the advisory.

RCE Python Apple +2
NVD GitHub
EPSS 3% CVSS 5.5
MEDIUM PATCH This Month

World-readable configuration file permissions in motionEye <= 0.43.1b4 expose the admin SHA1 password hash to any local user account on the host. The flaw affects both supported installation methods (manual and motioneye_init), making it a software default rather than a deployment error. Proof-of-concept code is publicly available in the vendor's GitHub Security Advisory; when chained with GHSA-45h7-499j-7ww3 (hash-as-signing-key authentication bypass) and CVE-2025-60787 (OS command injection requiring admin auth), a local unprivileged attacker can escalate to the Motion daemon user - often root - without any elevated privileges. No active exploitation is confirmed in CISA KEV at time of analysis.

Command Injection Authentication Bypass Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform allows a compromised Windows worker node holding WICD credentials to obtain a cluster-administrator client certificate. The WICD CSR auto-approver checks for the system:wicd-nodes organization but fails to reject additional organization values such as system:masters, enabling full cluster takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Microsoft Red Hat +2
NVD VulDB
Prev Page 2 of 148 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy