Skip to main content

Privilege Escalation

13278 CVEs technique

Monthly

CVE-2026-32315 PyPI MEDIUM PATCH GHSA This Month

World-readable configuration file permissions in motionEye <= 0.43.1b4 expose the admin SHA1 password hash to any local user account on the host. The flaw affects both supported installation methods (manual and motioneye_init), making it a software default rather than a deployment error. Proof-of-concept code is publicly available in the vendor's GitHub Security Advisory; when chained with GHSA-45h7-499j-7ww3 (hash-as-signing-key authentication bypass) and CVE-2025-60787 (OS command injection requiring admin auth), a local unprivileged attacker can escalate to the Motion daemon user - often root - without any elevated privileges. No active exploitation is confirmed in CISA KEV at time of analysis.

Command Injection Authentication Bypass Information Disclosure Privilege Escalation
NVD GitHub
CVSS 3.1
5.5
EPSS
2.9%
CVE-2026-54099 HIGH This Week

Privilege escalation in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform allows a compromised Windows worker node holding WICD credentials to obtain a cluster-administrator client certificate. The WICD CSR auto-approver checks for the system:wicd-nodes organization but fails to reject additional organization values such as system:masters, enabling full cluster takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Microsoft Red Hat Red Hat Openshift Container Platform 4 Red Hat Openshift For Windows Containers
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-12602 HIGH PATCH This Week

Local privilege escalation in ArubaSign prior to v4.6.6 stems from overly permissive ACLs applied at installation, granting the 'Everyone' group write access to the main executable and supporting files under C:\Program Files. An unprivileged local user can swap these binaries for malicious payloads that subsequently execute under the privileges of any user (potentially Administrator or SYSTEM) who later launches the application. No public exploit identified at time of analysis and the issue is not on CISA KEV.

RCE Privilege Escalation Arubasign
NVD
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-8157 HIGH POC PATCH This Week

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator.

Privilege Escalation WordPress Vitepos
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-56239 HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 allows authenticated Supabase users to manipulate billing data for arbitrary organizations by invoking the public.apply_usage_overage SECURITY DEFINER function via RPC. The function executes with owner privileges and skips auth.uid(), org membership, and check_min_rights validation, bypassing Row Level Security and enabling fraudulent overage insertion or credit depletion across tenants. No public exploit identified at time of analysis, but vendor and VulnCheck have published advisories and a patched release.

Privilege Escalation Capgo
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-12673 MEDIUM POC PATCH This Month

Privilege escalation in LiquidFiles before 4.2.12 allows an authenticated Admin of a secondary (non-default) domain to elevate to full Sysadmin access by manipulating group settings within their managed secondary domain group. This broken access control flaw (CWE-285) collapses the authorization boundary between domain-scoped Admin and system-wide Sysadmin roles, granting an attacker complete platform control. No public exploitation has been confirmed in CISA KEV, but a public proof-of-concept is available from Project Black (PRJBLK), meaningfully elevating real-world risk above what the 5.9 CVSS score alone suggests.

Privilege Escalation Authentication Bypass Liquidfiles
NVD VulDB
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-11551 CRITICAL Act Now

Unauthenticated account takeover in the Branda (white-labeling) plugin for WordPress through version 3.4.29 allows remote attackers to reset arbitrary user passwords, including administrators, by abusing a password update flow that fails to verify the requester's identity. Wordfence-reported flaw is tracked as CVE-2026-11551 with a CVSS 9.8; no public exploit identified at time of analysis, but the trivial exploitability of the vulnerable signup-password module makes weaponization straightforward once the patched code is diffed.

Privilege Escalation WordPress
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-56216 HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 allows holders of app-limited API keys to mint new unrestricted keys via the POST /functions/v1/apikey endpoint by submitting empty limit fields. The flaw effectively bypasses the API key scoping model, granting org-wide access to app listings and other protected resources from any compromised low-privilege key. No public exploit identified at time of analysis, but a vendor advisory (GHSA-2ff8-7h96-hwfp) and a VulnCheck writeup confirm the issue.

Privilege Escalation Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56212 MEDIUM PATCH This Month

Authentication logic bypass in Capgo before 12.128.2 permits a team or organization security settings manager to enforce mandatory two-factor authentication across all team members without having 2FA active on their own account. The platform never validates the initiator's own 2FA enrollment state before committing the policy change, creating an asymmetric enforcement condition where the policy creator is effectively exempt from the mandate they impose. No public exploit code has been identified and Capgo is not listed in the CISA Known Exploited Vulnerabilities catalog; the CVSS 4.0 score of 5.1 (PR:H) reflects that exploitation is constrained to already-privileged insiders.

Privilege Escalation Capgo
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-48584 HIGH PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Azure Synapse (the cloud analytics service) allows an already-authorized, low-privileged attacker to elevate their privileges over the network, gaining high confidentiality, integrity, and availability impact (CVSS 8.8). The root cause is a component executing with unnecessary privileges (CWE-250), letting a tenant or workspace user with limited rights break out to a higher trust level. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.50%), with CISA SSVC marking exploitation status as 'none.'

Privilege Escalation Microsoft Azure Synapse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-55091 npm HIGH PATCH GHSA This Week

Prototype pollution in the npm package flat-to-nested (versions <= 1.1.1) lets attackers who control input records pollute Object.prototype by supplying a record with parent set to the string '__proto__'. The convert() function uses plain objects as lookup tables and writes attacker-controlled data through the prototype chain via initPush(), affecting any application that feeds untrusted flat records (REST input, DB rows, user-supplied data) into the library. No CISA KEV listing and no public exploit identified at time of analysis beyond the proof-of-concept embedded in the GitHub Security Advisory.

Privilege Escalation Denial Of Service
NVD GitHub
CVSS 3.1
7.5
CVE-2026-55849 npm HIGH PATCH GHSA This Week

Command injection in the @cyclonedx/cyclonedx-npm SBOM generator (versions >= 2.1.0, < 5.0.0) lets an attacker who controls the value passed to the --workspace CLI option execute arbitrary OS commands when the npm_execpath environment variable is unset or empty. In that fallback path the tool spawns a subshell and interpolates the workspace value into a command string without escaping, so shell metacharacters break out of the intended context and run with the invoking user's privileges. No public exploit identified at time of analysis, though the vendor fix PR ships a proof-of-concept-style regression test; the issue is not listed in CISA KEV and no EPSS score was provided.

Privilege Escalation Command Injection Node.js
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.2%
CVE-2026-23879 PyPI HIGH PATCH GHSA This Week

Arbitrary file write in py7zr versions 1.1.0 through 1.1.2 allows attackers to escape the destination directory during archive extraction by chaining malicious symbolic links that resolve outside the target path. A victim who calls extractall() on a crafted 7z archive can have files written to arbitrary host filesystem locations, potentially escalating to remote code execution, privilege escalation, or data corruption. Publicly available exploit code exists (PoC published in the GHSA advisory), but there is no public exploit identified for active campaigns at time of analysis.

Python Privilege Escalation RCE Denial Of Service Red Hat +1
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.4%
CVE-2022-50971 HIGH POC This Week

Malwarebytes 4.5 contains an unquoted service path vulnerability in the MBAMService executable that allows local attackers to escalate privileges by injecting malicious code into the system root. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Malwarebytes
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2021-47985 HIGH POC This Week

Brother SAPSprint 7.60 contains an unquoted service path vulnerability in the SAPSprint service binary that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Sapsprint
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2020-37254 HIGH POC This Week

Wondershare PDFelement 5.2.9 contains a privilege escalation vulnerability due to an unquoted service path in the WsAppService Windows service. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation Pdfelement
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2020-37253 HIGH POC This Week

Winstep 18.06.0096 contains an unquoted service path vulnerability in the Winstep Xtreme Service that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Winstep
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2016-20092 HIGH POC This Week

NetDrive 2.6.12 contains an unquoted service path vulnerability in the Netdrive2_Service_Netdrive2 service that allows local users to execute arbitrary code with SYSTEM privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Privilege Escalation Netdrive
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2016-20091 HIGH POC This Week

Windows Firewall Control 4.8.6.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by inserting malicious executables in the service path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation Windows Firewall Control
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2016-20090 HIGH POC This Week

Comodo Dragon Browser versions up to 52.15.25.663 contain a privilege escalation vulnerability in the DragonUpdater service due to an unquoted service path running with SYSTEM privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Privilege Escalation Dragon Browser
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2016-20086 HIGH POC This Week

Vembu StoreGrid 4.0 contains an unquoted service path vulnerability in the RemoteBackup and RemoteBackup_webServer services that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Vembu Storegrid
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2016-20085 HIGH POC This Week

Realtek High Definition Audio Driver 6.0.1.6730 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by placing a malicious executable in the service. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Realtek High Definition Audio Driver
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-56142 HIGH PATCH This Week

Privilege escalation in JetBrains Hub (versions prior to 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429) allows an authenticated attacker to attach additional authentication details to existing accounts, enabling unauthorized access and elevation of privileges. The flaw, self-reported by JetBrains and patched, carries a CVSS 8.8 with high impact to confidentiality, integrity, and availability; no public exploit is identified at time of analysis and EPSS exploitation probability is low (0.41%).

Privilege Escalation Hub
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-49252 npm CRITICAL PATCH GHSA Act Now

Prototype pollution in deepstream.io versions prior to 10.0.5 allows an authenticated client with write permission to any record to corrupt the Node.js Object prototype by submitting record-update messages whose path contains tokens such as __proto__, constructor, or prototype. Because deepstream's permission valve and record-transition pipeline both invoke setValue with the attacker-controlled path, polluting the prototype can taint subsequent permission and transition logic and lead to privilege escalation across all connected clients. No public exploit identified at time of analysis, though the upstream commit (54b8e29) and patch tests publicly demonstrate the exact vulnerable path semantics.

Prototype Pollution Privilege Escalation Deepstream Io
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-47833 MEDIUM PATCH This Month

Symlink-following in Cloud Foundry bpm-release's setupBpmLogs function enables a container-to-host confidentiality breach, allowing a compromised low-privileged process inside a bpm container to manipulate root into chowning an arbitrary host file - including /etc/shadow - to the vcap user. All bpm-release versions prior to v1.4.30 are affected. Once ownership of /etc/shadow is taken, the attacker reads every host password hash via bpm's existing read-only /etc bind mount, effectively breaking the container boundary without requiring any user interaction. No public exploit or CISA KEV listing has been identified at time of analysis, though the low attack complexity and clear exploitation path make this a credible near-term risk.

Privilege Escalation Bpm Release
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-54104 HIGH PATCH HOSTED Monitor

Privilege escalation in the U.S. GAO Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows authenticated remote attackers to elevate their privileges by tampering with the client-supplied 'epds_role_id' parameter, which the server accepts without verification. Reported by CISA-CG and tracked as EUVD-2026-37911 with a CVSS 4.0 score of 8.7, no public exploit identified at time of analysis. Both web applications have been patched by their respective government operators.

Privilege Escalation Microsoft Electronic Protest Docketing System Epds Electronic Docketing System Eds
NVD VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-55887 Go HIGH PATCH GHSA This Week

Arbitrary code execution as root on the host running Docker MCP Gateway via argument injection in the `docker run` command line. A malicious OCI image author can craft an `io.docker.server.metadata` label that YAML-unmarshals into runtime-shaping fields of the `catalog.Server` struct, causing the gateway to append attacker-chosen flags like `-v /:/host` and `-u root` when launching the MCP server container. No public exploit identified at time of analysis, but the upstream advisory describes a full exploitation path.

Privilege Escalation RCE Docker
NVD GitHub
CVE-2026-55226 Maven MEDIUM PATCH GHSA This Month

Strimzi Kafka Operator versions 1.0.0 and earlier provision the Entity Operator ServiceAccount with combined RBAC rights for both the Topic Operator and User Operator regardless of which sub-operators are actually enabled in the Kafka custom resource, violating the principle of least privilege. When only one of the two sub-operators is deployed, the overly permissive ServiceAccount can access KafkaUser custom resources and namespace Secrets (when the User Operator is absent) or KafkaTopic custom resources (when the Topic Operator is absent). No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the High confidentiality impact (C:H) due to potential Secret access elevates the urgency of patching.

Privilege Escalation Red Hat
NVD GitHub
CVSS 3.1
5.4
CVE-2026-55225 Maven HIGH PATCH GHSA This Week

Cross-namespace privilege escalation in Strimzi Kafka Operator versions up to 1.0.0 allows tenants with namespace-scoped Kafka custom resource creation rights to read and write Secrets in any namespace where the Cluster Operator has been granted permissions. By abusing the documented `watchedNamespace` field within `Kafka.spec.entityOperator`, an attacker mints a token for the entity operator ServiceAccount in their own namespace and gains full CRUD on Secrets in the target namespace. No public exploit identified at time of analysis, but the attack is mechanically straightforward in any multi-tenant Strimzi deployment.

Privilege Escalation Red Hat
NVD GitHub
CVSS 3.1
8.0
CVE-2026-11958 HIGH PATCH This Week

Local privilege escalation in ANSSI's DFIR-ORC versions 10.2.7 and prior allows a low-privileged local user to gain administrator rights by planting a malicious DLL in C:\Windows\Temp, which the tool loads automatically when extracted and executed from that shared directory. The flaw is a classic uncontrolled search path (CWE-427) issue and was reported by INCIBE; no public exploit identified at time of analysis and the CVE is not in CISA KEV. The vendor has shipped a fix in DFIR-ORC v10.3.0, which adds ACL hardening on extraction directories.

Privilege Escalation Microsoft Dfir Orc
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-48935 LOW PATCH Monitor

Node.js permission model bypass via FileHandle.utimes() allows local low-privilege users to modify file timestamps on paths outside their permitted write scope. Affecting Node.js 26.x before v26.3.1, this flaw is only exploitable when the experimental permission model is explicitly enabled via --experimental-permission, substantially limiting exposure. No public exploit code or active exploitation has been identified at time of analysis, and the vendor-released patch (v26.3.1) is confirmed available as of 2026-06-18.

Privilege Escalation Node Js
NVD GitHub VulDB
CVSS 3.0
3.3
EPSS
0.1%
CVE-2026-12505 HIGH This Week

Local privilege escalation in the cifs-utils cifs.upcall helper allows low-privileged Linux users to gain root by abusing the kernel request_key interface to load a malicious NSS module inside an attacker-controlled mount namespace. The root-owned helper fails to drop privileges before performing user-name resolution, so the attacker's NSS module executes with full root capabilities. No public exploit identified at time of analysis, but the bug affects every supported Red Hat Enterprise Linux release (6 through 10) and OpenShift Container Platform 4, making it a high-priority hardening fix for any host with CIFS/SMB client functionality.

Privilege Escalation Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-50201 NuGet MEDIUM PATCH GHSA This Month

Sensitive actuator endpoints in Steeltoe.Management.Endpoint and Steeltoe.Management.EndpointCore expose heap dumps, environment variables, and thread dumps to low-trust Cloud Foundry roles (Space Auditors) due to incorrect default permission levels. Affected versions inherit the base class default of EndpointPermissions.Restricted - which maps to CF's read_basic_data scope - rather than overriding to EndpointPermissions.Full (read_sensitive_data), the permission level Spring Boot's equivalent integration correctly enforces. No public exploit code or KEV listing exists at time of analysis; however, the CVSS PR:L rating reflects that any valid CF credential with Space Auditor privileges is sufficient to reach the affected endpoints.

Privilege Escalation Java Steeltoe Management Endpoint Steeltoe Management Endpointbase
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48821 MEDIUM This Month

DOM-based XSS in Shaarli's Thumbnail Synchronizer allows stored malicious bookmark titles to execute arbitrary JavaScript in an administrator's browser session when thumbnail synchronization is triggered. Versions 0.16.1 and prior are affected; the root cause is unsanitized innerHTML injection in thumbnails-update.js after the backend's ThumbnailsController::ajaxUpdate returns raw, unescaped bookmark titles via AJAX. Successful exploitation can lead to session hijacking, privilege escalation, and backdoor injection against administrator accounts. No public exploit or KEV listing is confirmed at time of analysis; a vendor patch is available in v0.16.2.

Privilege Escalation XSS Shaarli
NVD GitHub VulDB
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-55201 HIGH PATCH This Week

Path traversal in Evil-WinRM through 3.9 lets a malicious or compromised remote Windows server overwrite arbitrary files on the operator's client machine when the user invokes the download_dir() function. Because Evil-WinRM is the offensive operator's tool, this inverts the trust model - the 'target' Windows host becomes the attacker and the red teamer or admin running Evil-WinRM becomes the victim, with realistic outcomes including persistent SSH access via overwritten authorized_keys. No public exploit identified at time of analysis, but a public upstream patch (commit 6ecd570) discloses the exact unsanitized File.join() sink.

Path Traversal Privilege Escalation Microsoft Evil Winrm
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.3%
CVE-2026-55518 Ruby CRITICAL PATCH GHSA Act Now

Authorization bypass in Avo (Ruby on Rails admin framework) versions <= 3.32.0 and 4.0.0.beta.1 through 4.0.0.beta.50 allows authenticated low-privileged users to attach arbitrary related records to parent resources via a direct POST to the associations endpoint, bypassing the `attach_<association>?` policy enforced only on the form-rendering GET. Publicly available exploit code exists (Python PoC in the GHSA advisory), and in deployments where associations encode teams, tenants, roles, or memberships, exploitation yields privilege escalation and cross-tenant data exposure.

Python CSRF Information Disclosure Privilege Escalation Authentication Bypass
NVD GitHub
CVSS 3.1
9.6
CVE-2026-53870 PyPI MEDIUM PATCH This Month

Insecure default file permissions (mode 0o644) in Hermes Agent before v0.16.0 expose two sensitive data files - response_store.db and webhook_subscriptions.json - to any local user on the host system, enabling direct extraction of conversation history, tool payloads, prompts, and per-route HMAC webhook secrets. Any locally authenticated user on the same host can read these files without elevated privileges. HMAC secret exposure is particularly severe because it enables forging authenticated webhook requests, extending impact beyond passive information disclosure into potential privilege escalation - consistent with the 'Privilege Escalation' tag in the intelligence record. No public exploit has been identified at time of analysis, and this is not currently listed in CISA KEV.

Privilege Escalation Information Disclosure Hermes Agent
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-20246 MEDIUM This Month

Privilege escalation in the Cisco Umbrella Virtual Appliance vmadmin CLI enables an authenticated local attacker holding vmadmin-level credentials to elevate access to root on the affected device. The flaw, classified as CWE-269 (Improper Privilege Management), arises because the vmadmin CLI does not adequately validate or restrict specific commands that can be leveraged as a privilege escalation path. No public exploit code has been identified and the CVE is not listed in the CISA KEV catalog at time of analysis; the CVSS 6.0 Medium score reflects the high-privilege prerequisite that meaningfully constrains the realistic attacker pool.

Cisco Privilege Escalation Cisco Umbrella Insights Virtual Appliance
NVD VulDB
CVSS 3.1
6.0
EPSS
0.1%
CVE-2026-54325 npm MEDIUM PATCH GHSA This Month

Implicit execution of untrusted repository-controlled TypeScript/JavaScript extensions in Pi coding agent (npm package @earendil-works/pi-coding-agent) before 0.79.0 allows an attacker who controls a repository to execute arbitrary code with the victim user's full process privileges. Pi's startup path auto-loaded project-local extensions from a repository's .pi directory - including executable TypeScript/JavaScript modules - without any trust gate or user prompt, meaning a developer who cloned and ran Pi in a malicious repository would silently execute attacker-supplied extension code. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the attack class (supply-chain / repository-as-malware-delivery) is highly relevant to developer tooling security.

Privilege Escalation
NVD GitHub
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-54328 npm HIGH PATCH GHSA This Week

Local privilege escalation in the Pi coding agent (npm packages @earendil-works/pi-coding-agent 0.74.0-0.78.0 and @mariozechner/pi-coding-agent 0.50.0-0.73.1) allows a co-resident attacker on a shared Linux host to pre-stage attacker-controlled extension code in a predictable `os.tmpdir()/pi-extensions` path that pi later loads as the victim user. No public exploit identified at time of analysis, but the issue was reported by CrowdStrike researchers and patched in 0.78.1 of the renamed package. Affects shared dev boxes, CI runners, and HPC login nodes; Windows/macOS default per-user temp directories typically avoid exposure.

Microsoft Apple Crowdstrike Privilege Escalation RCE +2
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-11858 HIGH This Week

Local privilege escalation in Quanos SCHEMA ST4 on-premises allows low-privileged authenticated Windows users to obtain SYSTEM-level code execution by abusing the Client Update Service. The service exposes a .NET Remoting endpoint over a named pipe with missing authorization checks (CWE-862), letting any local user invoke privileged Update() methods that perform arbitrary file write/delete as NT AUTHORITY\SYSTEM. No public exploit identified at time of analysis, but technical details were disclosed by SEC Consult (SEC-VLab).

Privilege Escalation Authentication Bypass Schema St4
NVD
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-11857 HIGH This Week

Local privilege escalation in Quanos SCHEMA ST4 on-premises allows an authenticated local user to gain NT AUTHORITY\SYSTEM by abusing insecure .NET Remoting deserialization in the Client Update Service. The endpoint, reachable through a local named pipe with TypeFilterLevel.Full, accepts attacker-controlled serialized objects and yields arbitrary code execution in the update process context. No public exploit identified at time of analysis, though a SEC-Consult/SEC-VLab advisory documents the issue.

Privilege Escalation Deserialization RCE Schema St4
NVD
CVSS 4.0
8.4
EPSS
0.3%
CVE-2026-54807 CRITICAL Act Now

Unauthenticated privilege escalation in the ThemeGrill Registration Form for WooCommerce WordPress plugin (versions <= 1.0.9) allows remote attackers to elevate privileges without credentials, potentially gaining administrative control over the WordPress site. With a CVSS of 9.8 and no public exploit identified at time of analysis, the flaw is reported by Patchstack and tagged as a Privilege Escalation issue in the WordPress plugin ecosystem.

Privilege Escalation WordPress Registration Form For Woocommerce
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-54805 HIGH This Week

Privilege escalation in the Falang Multilanguage WordPress plugin (versions <= 1.4.2) allows authenticated low-privileged users (Subscriber role) to elevate their permissions on affected sites. The flaw is rooted in improper privilege management (CWE-266) and carries a CVSS 3.1 score of 8.8 with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Privilege Escalation Falang Multilanguage
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-54803 CRITICAL Act Now

Privilege escalation in the WordPress plugin SMS Alert Order Notifications (by Cozy Vision Technologies) versions 3.9.4 and earlier allows low-privileged users - specifically Subscriber-level accounts - to elevate their permissions on the WordPress site. Patchstack catalogued this as an authorization/authentication-bypass class issue (CWE-863). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Authentication Bypass Sms Alert Order Notifications
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-54196 MEDIUM This Month

Privilege escalation in JetFormBuilder WordPress plugin versions 3.6.1 and earlier allows authenticated subscribers to elevate their role to a higher-privileged level within the WordPress instance. The root cause is incorrect privilege assignment (CWE-266) in the plugin's form processing logic, enabling the lowest authenticated WordPress user role to gain unauthorized administrative or elevated access. No public exploit code or confirmed active exploitation has been identified at time of analysis; CVSS reflects high confidentiality and integrity impact if the high-complexity exploitation conditions are satisfied.

Privilege Escalation Jetformbuilder
NVD VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-49058 CRITICAL Act Now

Unauthenticated privilege escalation in LoginPress Pro WordPress plugin versions 6.2.2 and earlier allows remote attackers without credentials to elevate privileges on affected WordPress sites. Reported by Patchstack with a CVSS 9.8 critical rating, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and no public exploit identified at time of analysis. Given the plugin's role in customizing WordPress login flows, a successful attacker could obtain administrator-level access to the underlying site.

Privilege Escalation Loginpress Pro
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-39546 HIGH This Week

Privilege escalation in TechSpawn MultiLoca (WooCommerce Multi Locations Inventory Management) plugin versions 4.2.15 and earlier allows authenticated subscriber-level users to elevate their privileges within affected WordPress sites. The flaw, classified under CWE-266 (Incorrect Privilege Assignment), carries a CVSS 7.6 score with no public exploit identified at time of analysis. The vulnerability was disclosed via Patchstack and affects WordPress installations running the plugin for WooCommerce multi-location inventory management.

Privilege Escalation Multiloca
NVD
CVSS 3.1
7.6
EPSS
0.3%
CVE-2025-69179 CRITICAL Act Now

Privilege escalation in the Support Ticket Management System WordPress plugin (versions 1.9 and earlier) by Theme Passion allows remote unauthenticated attackers to elevate privileges on affected WordPress sites. With a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N) and no public exploit identified at time of analysis, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and is tracked in the Patchstack database. Successful exploitation likely yields administrator-level access to the WordPress instance, enabling full site takeover.

Privilege Escalation Support Ticket Management System
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-69138 HIGH This Week

Privilege escalation in the Genemy WordPress theme versions 1.6.6 and earlier allows authenticated subscriber-level users to elevate their privileges to higher roles, gaining administrative control over affected WordPress sites. The flaw, reported by Patchstack and tracked under CWE-266 (Incorrect Privilege Assignment), affects all installations using the jthemes Genemy theme up to and including 1.6.6, and no public exploit identified at time of analysis. Given the low attack complexity and minimal authentication requirement (any subscriber account), this represents a high-impact issue for any WordPress site running the affected theme with open user registration.

Privilege Escalation Genemy
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-59563 HIGH This Week

Privilege escalation in the Sonaar WordPress theme through version 4.27.4 allows an authenticated low-privileged user (Subscriber role) to elevate their permissions, gaining administrative control over the WordPress site. The flaw is categorized as CWE-266 (Incorrect Privilege Assignment) and was disclosed via Patchstack; no public exploit identified at time of analysis, but the low attacker prerequisites (any Subscriber account, which is often self-registerable on WordPress sites) make this a meaningful risk for affected installations.

Privilege Escalation Sonaar
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-12165 HIGH This Week

Privilege escalation in the Contest Gallery WordPress plugin (versions ≤ 30.0.2) allows authenticated Contributor/Author-level users to overwrite the stored RegistryUserRole option to 'administrator', causing newly registered Google sign-in accounts to be promoted to Administrator. The flaw was disclosed by Wordfence and stems from a missing capability check in the option-saving handler; no public exploit identified at time of analysis.

Privilege Escalation PHP Google WordPress Contest Gallery Upload Vote Photos Media Sell With Paypal Stripe
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-0063 CRITICAL Act Now

Local privilege escalation in Google Android's telephony subsystem (PhoneInterfaceManager) allows attackers to disable carrier restrictions without any user interaction or additional execution privileges. The flaw stems from a logic error in the setAllowedCarriers handler and is addressed in the Android Security Bulletin for Android 17. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Privilege Escalation
NVD VulDB
CVSS 4.0
10.0
EPSS
0.2%
CVE-2026-28615 CRITICAL Act Now

Local privilege escalation in Google Android's Telecomm component allows applications to initiate unauthorized phone calls by bypassing permission checks, with no user interaction required. The flaw is reported through the Android Security Bulletin for Android 17 and carries a CVSS 4.0 score of 10.0, though no public exploit identified at time of analysis. Despite the network-vector CVSS rating, the description characterizes this as local escalation of privilege, suggesting realistic exploitation requires a malicious app already installed on the device.

Privilege Escalation Authentication Bypass
NVD VulDB
CVSS 4.0
10.0
EPSS
0.2%
CVE-2026-0083 CRITICAL Act Now

Local privilege escalation in Google Android's NFC subsystem stems from a use-after-free condition in Nfc::eventCallback() within Nfc.h, triggerable via a race condition without user interaction or additional execution privileges. Affected devices covered by the Android Security Bulletin for Android 17 can have an unprivileged local process win the race and elevate to higher-privileged context. No public exploit identified at time of analysis; the vulnerability was disclosed by Google through the Android security bulletin process.

Privilege Escalation Denial Of Service Race Condition
NVD VulDB
CVSS 4.0
10.0
EPSS
0.2%
CVE-2026-0082 CRITICAL Act Now

Local privilege escalation in Google Android's NFC subsystem allows unprivileged local apps to gain special app access permissions without user interaction, due to an insecure default value in NfcDispatcher.tryStartActivity. Affected Android builds are covered by the Android Security Bulletin (android-17 reference). No public exploit identified at time of analysis; tagged as Privilege Escalation by the Android reporter.

Privilege Escalation
NVD VulDB
CVSS 4.0
10.0
EPSS
0.2%
CVE-2026-0081 CRITICAL Act Now

Local privilege escalation in Google Android's NFC subsystem allows an unprivileged local app to spoof NFC events because of a missing permission check, granting capabilities normally reserved for privileged components. No user interaction is required, and no public exploit has been identified at time of analysis, though the issue is tracked in the Android Security Bulletin for Android 17. Despite the CVSS 4.0 vector encoding AV:N, the description clearly describes a local Android attack surface.

Privilege Escalation Authentication Bypass
NVD
CVSS 4.0
10.0
EPSS
0.2%
CVE-2026-0071 CRITICAL Act Now

Local privilege escalation in Android's SettingsLib component stems from a missing permission check caused by a logic error, allowing on-device attackers to elevate privileges without user interaction or additional execution rights. No public exploit identified at time of analysis, and the issue is addressed in the Android Security Bulletin for Android 17. The CVSS 4.0 vector supplied (AV:N) conflicts with the description's 'local escalation' wording and should be treated as a discrepancy.

Privilege Escalation Authentication Bypass
NVD VulDB
CVSS 4.0
10.0
EPSS
0.2%
CVE-2026-0092 CRITICAL Act Now

Local privilege escalation in Google Android's Package Manager allows on-device attackers to bypass the device lock controller due to a missing permission check, with no user interaction required. The flaw, disclosed in the Android Security Bulletin for Android 17, carries a vendor CVSS 4.0 score of 10.0 but is described as a local escalation. No public exploit identified at time of analysis.

Privilege Escalation Authentication Bypass
NVD
CVSS 4.0
10.0
EPSS
0.2%
CVE-2026-0068 CRITICAL Act Now

Local privilege escalation in Android's PackageInstallerService allows a malicious app to remove a Device Policy Controller (DPC) from a managed device without Device Owner consent, breaking the enterprise management boundary. The flaw stems from a desynchronization between in-memory state and persisted state in createSessionInternal, and no public exploit has been identified at time of analysis. User interaction is required, but no additional execution privileges are needed beyond installing the malicious app.

Privilege Escalation Race Condition
NVD VulDB
CVSS 4.0
10.0
EPSS
0.2%
CVE-2026-0019 HIGH This Week

In SettingsLib, there is a possible way to disable system components due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-48643 HIGH This Week

Local privilege escalation in Google Android 17 stems from improper input validation across multiple code paths that allows a low-privileged app or local user to bypass provisioning controls and gain elevated privileges without user interaction. No public exploit identified at time of analysis, and the EPSS score of 0.13% (3rd percentile) reflects no observed exploitation activity, though the CVSS 7.8 reflects the high impact once preconditions are met.

Privilege Escalation
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-48640 HIGH This Week

In multiple locations, there is a possible 3rd party passkey entry pairing approval due to a missing permission check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Authentication Bypass
NVD VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-48617 HIGH This Week

In overrideConfig of CarrierConfigLoader.java, there is a possible way to bypass UID check due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Authentication Bypass
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-15642 MEDIUM PATCH This Month

Tamper Protection bypass in Netskope Client for Windows allows a malicious local administrator to disable or subvert the endpoint security agent by directly manipulating the Windows service object and associated registry keys, which are protected by overly permissive Discretionary Access Control Lists. All Netskope Client versions below R138 on Windows are affected. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the gap is operationally significant in environments where insider threat, post-compromise lateral movement, or separation of duties between IT admins and security tooling are concerns.

Privilege Escalation Microsoft Netskope Client
NVD VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-12449 HIGH PATCH This Week

Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)

Google Microsoft Use After Free Privilege Escalation Memory Corruption +3
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-12448 HIGH PATCH This Week

Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

Google Privilege Escalation Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-54321 Go HIGH PATCH GHSA This Week

Stale authorization caching in Daytona's preview proxy allows unauthenticated access to sandbox previews for a bounded window after their owner switches visibility from public back to private. The flaw affects versions 0.101.0 through 0.183.0 and is limited to ordinary preview ports - terminal, toolbox, and recording-dashboard ports remained protected. No public exploit identified at time of analysis, and the GitHub advisory tags suggesting RCE/Privilege Escalation contradict the advisory's own impact statement, which explicitly rules both out.

Privilege Escalation RCE
NVD GitHub
CVSS 3.1
7.0
EPSS
0.2%
CVE-2026-27395 CRITICAL PATCH Act Now

Unauthenticated privilege escalation in the Support Board WordPress plugin (versions prior to 3.8.9) allows remote attackers with no credentials to elevate privileges on affected WordPress sites. The flaw was reported by Patchstack and is tied to CWE-266 (Incorrect Privilege Assignment), with a critical CVSS 3.1 base score of 9.8 reflecting network-reachable, low-complexity exploitation. No public exploit identified at time of analysis, but the unauthenticated nature and plugin's customer-support role make this a high-priority patch for any WordPress site running it.

Privilege Escalation Support Board
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46970 HIGH This Week

Full compromise of Oracle HR Intelligence (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by an authenticated high-privileged attacker over HTTP. Successful exploitation results in takeover of the HR Intelligence application with confidentiality, integrity, and availability impact (CVSS 3.1 base 7.2). There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Oracle Hr Intelligence Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-46958 HIGH This Week

Takeover of Oracle Subledger Accounting (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by a low-privileged remote attacker leveraging HTTP. The flaw yields full confidentiality, integrity, and availability impact (CVSS 7.5) but is rated high attack complexity, so reliable exploitation is non-trivial. No public exploit identified at time of analysis, and the issue is not listed on CISA KEV.

Oracle Oracle Subledger Accounting Privilege Escalation
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-46953 HIGH This Week

Full takeover of Oracle HRMS (UK) - the UK Payroll component of Oracle E-Business Suite versions 12.2.3 through 12.2.15 - is possible by an already-authenticated, highly privileged attacker over HTTP, leading to complete loss of confidentiality, integrity, and availability of the HRMS application. Oracle classifies the issue as easily exploitable but the PR:H requirement narrows the realistic attacker pool to insiders and compromised admin accounts. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Oracle Hrms Uk Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-46942 HIGH This Week

Takeover of Oracle Process Manufacturing Process Planning (versions 12.2.3 through 12.2.15) is achievable by a low-privileged remote attacker over HTTP through the Internal Operations component of Oracle E-Business Suite. The flaw carries a CVSS 3.1 base score of 8.8 with full confidentiality, integrity, and availability impact, and Oracle has classified it as easily exploitable. There is no public exploit identified at time of analysis, but the low complexity and minimal authentication threshold make it a high-priority patching target for any EBS deployment.

Oracle Oracle Process Manufacturing Process Planning Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46940 HIGH This Week

Remote takeover of Oracle Cost Management (component: Cost Planning) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by a low-privileged attacker over HTTP, yielding full compromise of confidentiality, integrity, and availability (CVSS 8.8). The advisory was published in Oracle's June 2026 Critical Patch Update and no public exploit identified at time of analysis. Because the EBS Cost Management module is commonly reachable from internal corporate networks by any authenticated EBS user, the low privilege requirement (PR:L) makes this a credible insider/post-foothold escalation path rather than an unauthenticated internet risk.

Oracle Oracle Cost Management Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46937 HIGH This Week

Account takeover of Oracle iSetup (component of Oracle E-Business Suite 12.2.3 through 12.2.15) is achievable by a low-privileged authenticated attacker reaching the General Ledger Update Transform / Reports component over HTTP. The flaw is rated CVSS 8.8 with full confidentiality, integrity, and availability impact, and no public exploit has been identified at time of analysis. Oracle published the fix in the June 2026 Critical Patch Update.

Oracle Oracle Isetup Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46934 HIGH This Week

Takeover of Oracle Complex Maintenance, Repair and Overhaul (CMRO) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker with HTTP network access to fully compromise the Internal Operations component. Oracle's June 2026 Critical Patch Update advisory documents the issue with a CVSS 3.1 base score of 7.5 and high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the vulnerability is rated difficult to exploit due to high attack complexity.

Oracle Oracle Complex Maintenance Repair And Overhaul Privilege Escalation
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-46914 HIGH NEWS This Week

Local privilege abuse in Oracle Solaris 11.4 allows a low-privileged authenticated user with logon access to the host to read sensitive filesystem data and trigger a complete denial of service of the operating system. Oracle's June 2026 Critical Patch Update lists this as easily exploitable through the Filesystem component, with a CVSS 3.1 base score of 7.1; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Authentication Bypass Oracle Oracle Solaris Privilege Escalation
NVD VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-46893 CRITICAL Act Now

Privilege escalation and full takeover of Oracle JD Edwards EnterpriseOne General Ledger 9.2 (E1 Foundation component) is possible by a low-privileged network attacker via SMB, with scope change to other products. No public exploit identified at time of analysis, but the CVSS 9.9 score and 'easily exploitable' vendor characterization make this a high-priority patching target for ERP operators.

Oracle Jd Edwards Enterpriseone General Ledger Privilege Escalation
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46885 HIGH This Week

Account takeover of the Siebel CRM Integration component (EAI) in Oracle Siebel CRM versions 17.0 through 26.5 allows a low-privileged remote attacker with HTTP network access to fully compromise the integration component, impacting confidentiality, integrity, and availability. Oracle rates this 'easily exploitable' with CVSS 3.1 score 8.8, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Oracle Siebel Crm Integration Privilege Escalation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46877 MEDIUM This Month

The VMSVGA virtual graphics device in Oracle VM VirtualBox 7.2.8 allows a high-privileged local attacker to cross the guest-to-host isolation boundary and gain unauthorized read access to critical data beyond the VM's intended scope. The CVSS scope change (S:C) confirms this is a hypervisor boundary violation - successful exploitation exposes host-level or cross-VM confidential data, a severe outcome in multi-tenant virtualization environments despite the moderate base score. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation.

Authentication Bypass Oracle Oracle Vm Virtualbox Privilege Escalation
NVD VulDB
CVSS 3.1
6.0
EPSS
0.2%
CVE-2026-46873 HIGH This Week

Privilege escalation and host takeover in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged local attacker to break out of the virtualization boundary and impact additional products beyond VirtualBox itself (scope change). The flaw carries a CVSS 3.1 base score of 7.5 with full confidentiality, integrity, and availability impact, but exploitation is rated high complexity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Oracle Vm Virtualbox Privilege Escalation
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-46867 HIGH This Week

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Extensibility Framework component, enabling an authenticated high-privilege attacker with HTTPS network access to fully compromise confidentiality, integrity, and availability of the management platform. The vendor (Oracle) advisory rates the issue at CVSS 3.1 7.2, and no public exploit identified at time of analysis, but successful exploitation yields complete product takeover. EPSS and CISA KEV signals are not provided in the input data.

Oracle Oracle Enterprise Manager Base Platform Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-46852 CRITICAL Act Now

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata Plugin component, allowing a low-privileged remote attacker over HTTPS to fully compromise the platform with a scope change that impacts additional products. The CVSS 3.1 base score of 9.9 reflects the broad confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Enterprise Manager Base Platform Privilege Escalation
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46804 HIGH This Week

Cross-tenant data compromise in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a low-privileged authenticated attacker to coerce another user into an interaction that yields unauthorized read, create, modify, or delete access to all WebCenter Content data, with a scope change extending impact to additional Oracle Fusion Middleware products. Disclosed in Oracle's June 2026 Critical Patch Update with a CVSS 3.1 base score of 8.7; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Oracle Oracle Webcenter Content Privilege Escalation
NVD
CVSS 3.1
8.7
EPSS
0.4%
CVE-2026-46794 CRITICAL Act Now

Privilege escalation to full takeover in Oracle Identity Manager Connector (Fusion Middleware) allows a low-privileged remote attacker with SSH network access to compromise the Generic Unix Connector and pivot into additional Fusion Middleware components via a CVSS scope change. Versions 12.2.1.4.0 and 14.1.2.1.0 are affected, with Oracle rating the issue 9.9 due to high confidentiality, integrity, and availability impact across product boundaries. No public exploit identified at time of analysis, but the AV:N/AC:L profile and SSH-reachable attack surface make this a high-priority Oracle CPU item.

Oracle Identity Manager Connector Privilege Escalation
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35291 MEDIUM This Month

Full server takeover is possible in Oracle WebLogic Server's Console component, affecting versions 14.1.2.0.0 and 15.1.1.0.0 via HTTP over a network. Exploitation requires a high-privileged attacker and high attack complexity, limiting the realistic threat surface to scenarios where administrative credentials are already compromised or an insider threat is present. No public exploit code and no CISA KEV listing have been identified at the time of analysis; this was disclosed as part of Oracle's Critical Patch Update (CPU) for June 2026.

Oracle Weblogic Server Privilege Escalation
NVD VulDB
CVSS 3.1
6.6
EPSS
0.4%
CVE-2026-35288 HIGH This Week

Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package component) allows a high-privileged attacker with logon access to the underlying infrastructure to fully compromise PeopleTools with a scope change that impacts additional products. Oracle rates this CVSS 8.2 and confirms it is easily exploitable once the attacker has the required local privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Privilege Escalation
NVD VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-35272 HIGH This Week

Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package component, where an unauthenticated attacker with logon access to the underlying host can take over the PeopleTools instance. Oracle rates this 8.4 CVSS with full confidentiality, integrity and availability impact, and no public exploit identified at time of analysis. The local attack vector keeps remote internet-based mass exploitation unlikely, but any user who can log on to the PeopleTools server should be treated as a critical risk.

Oracle Peoplesoft Enterprise Pt Peopletools Privilege Escalation
NVD VulDB
CVSS 3.1
8.4
EPSS
0.2%
CVE-2026-0161 HIGH This Week

In numberOfReportBlocks of RtpSession.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Buffer Overflow Memory Corruption
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-0153 HIGH This Week

In Write of msg_to_host_buffer.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Buffer Overflow
NVD
CVSS 3.1
7.8
EPSS
0.1%
EPSS 3% CVSS 5.5
MEDIUM PATCH This Month

World-readable configuration file permissions in motionEye <= 0.43.1b4 expose the admin SHA1 password hash to any local user account on the host. The flaw affects both supported installation methods (manual and motioneye_init), making it a software default rather than a deployment error. Proof-of-concept code is publicly available in the vendor's GitHub Security Advisory; when chained with GHSA-45h7-499j-7ww3 (hash-as-signing-key authentication bypass) and CVE-2025-60787 (OS command injection requiring admin auth), a local unprivileged attacker can escalate to the Motion daemon user - often root - without any elevated privileges. No active exploitation is confirmed in CISA KEV at time of analysis.

Command Injection Authentication Bypass Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform allows a compromised Windows worker node holding WICD credentials to obtain a cluster-administrator client certificate. The WICD CSR auto-approver checks for the system:wicd-nodes organization but fails to reject additional organization values such as system:masters, enabling full cluster takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Microsoft Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation in ArubaSign prior to v4.6.6 stems from overly permissive ACLs applied at installation, granting the 'Everyone' group write access to the main executable and supporting files under C:\Program Files. An unprivileged local user can swap these binaries for malicious payloads that subsequently execute under the privileges of any user (potentially Administrator or SYSTEM) who later launches the application. No public exploit identified at time of analysis and the issue is not on CISA KEV.

RCE Privilege Escalation Arubasign
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator.

Privilege Escalation WordPress Vitepos
NVD WPScan VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 allows authenticated Supabase users to manipulate billing data for arbitrary organizations by invoking the public.apply_usage_overage SECURITY DEFINER function via RPC. The function executes with owner privileges and skips auth.uid(), org membership, and check_min_rights validation, bypassing Row Level Security and enabling fraudulent overage insertion or credit depletion across tenants. No public exploit identified at time of analysis, but vendor and VulnCheck have published advisories and a patched release.

Privilege Escalation Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Privilege escalation in LiquidFiles before 4.2.12 allows an authenticated Admin of a secondary (non-default) domain to elevate to full Sysadmin access by manipulating group settings within their managed secondary domain group. This broken access control flaw (CWE-285) collapses the authorization boundary between domain-scoped Admin and system-wide Sysadmin roles, granting an attacker complete platform control. No public exploitation has been confirmed in CISA KEV, but a public proof-of-concept is available from Project Black (PRJBLK), meaningfully elevating real-world risk above what the 5.9 CVSS score alone suggests.

Privilege Escalation Authentication Bypass Liquidfiles
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated account takeover in the Branda (white-labeling) plugin for WordPress through version 3.4.29 allows remote attackers to reset arbitrary user passwords, including administrators, by abusing a password update flow that fails to verify the requester's identity. Wordfence-reported flaw is tracked as CVE-2026-11551 with a CVSS 9.8; no public exploit identified at time of analysis, but the trivial exploitability of the vulnerable signup-password module makes weaponization straightforward once the patched code is diffed.

Privilege Escalation WordPress
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 allows holders of app-limited API keys to mint new unrestricted keys via the POST /functions/v1/apikey endpoint by submitting empty limit fields. The flaw effectively bypasses the API key scoping model, granting org-wide access to app listings and other protected resources from any compromised low-privilege key. No public exploit identified at time of analysis, but a vendor advisory (GHSA-2ff8-7h96-hwfp) and a VulnCheck writeup confirm the issue.

Privilege Escalation Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Authentication logic bypass in Capgo before 12.128.2 permits a team or organization security settings manager to enforce mandatory two-factor authentication across all team members without having 2FA active on their own account. The platform never validates the initiator's own 2FA enrollment state before committing the policy change, creating an asymmetric enforcement condition where the policy creator is effectively exempt from the mandate they impose. No public exploit code has been identified and Capgo is not listed in the CISA Known Exploited Vulnerabilities catalog; the CVSS 4.0 score of 5.1 (PR:H) reflects that exploitation is constrained to already-privileged insiders.

Privilege Escalation Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Azure Synapse (the cloud analytics service) allows an already-authorized, low-privileged attacker to elevate their privileges over the network, gaining high confidentiality, integrity, and availability impact (CVSS 8.8). The root cause is a component executing with unnecessary privileges (CWE-250), letting a tenant or workspace user with limited rights break out to a higher trust level. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.50%), with CISA SSVC marking exploitation status as 'none.'

Privilege Escalation Microsoft Azure Synapse
NVD VulDB
CVSS 7.5
HIGH PATCH This Week

Prototype pollution in the npm package flat-to-nested (versions <= 1.1.1) lets attackers who control input records pollute Object.prototype by supplying a record with parent set to the string '__proto__'. The convert() function uses plain objects as lookup tables and writes attacker-controlled data through the prototype chain via initPush(), affecting any application that feeds untrusted flat records (REST input, DB rows, user-supplied data) into the library. No CISA KEV listing and no public exploit identified at time of analysis beyond the proof-of-concept embedded in the GitHub Security Advisory.

Privilege Escalation Denial Of Service
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Command injection in the @cyclonedx/cyclonedx-npm SBOM generator (versions >= 2.1.0, < 5.0.0) lets an attacker who controls the value passed to the --workspace CLI option execute arbitrary OS commands when the npm_execpath environment variable is unset or empty. In that fallback path the tool spawns a subshell and interpolates the workspace value into a command string without escaping, so shell metacharacters break out of the intended context and run with the invoking user's privileges. No public exploit identified at time of analysis, though the vendor fix PR ships a proof-of-concept-style regression test; the issue is not listed in CISA KEV and no EPSS score was provided.

Privilege Escalation Command Injection Node.js
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Arbitrary file write in py7zr versions 1.1.0 through 1.1.2 allows attackers to escape the destination directory during archive extraction by chaining malicious symbolic links that resolve outside the target path. A victim who calls extractall() on a crafted 7z archive can have files written to arbitrary host filesystem locations, potentially escalating to remote code execution, privilege escalation, or data corruption. Publicly available exploit code exists (PoC published in the GHSA advisory), but there is no public exploit identified for active campaigns at time of analysis.

Python Privilege Escalation RCE +3
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Malwarebytes 4.5 contains an unquoted service path vulnerability in the MBAMService executable that allows local attackers to escalate privileges by injecting malicious code into the system root. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Malwarebytes
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Brother SAPSprint 7.60 contains an unquoted service path vulnerability in the SAPSprint service binary that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Sapsprint
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Wondershare PDFelement 5.2.9 contains a privilege escalation vulnerability due to an unquoted service path in the WsAppService Windows service. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation Pdfelement
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Winstep 18.06.0096 contains an unquoted service path vulnerability in the Winstep Xtreme Service that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Winstep
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

NetDrive 2.6.12 contains an unquoted service path vulnerability in the Netdrive2_Service_Netdrive2 service that allows local users to execute arbitrary code with SYSTEM privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Privilege Escalation Netdrive
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Windows Firewall Control 4.8.6.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by inserting malicious executables in the service path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation Windows Firewall Control
NVD Exploit-DB
EPSS 0% CVSS 8.5
HIGH POC This Week

Comodo Dragon Browser versions up to 52.15.25.663 contain a privilege escalation vulnerability in the DragonUpdater service due to an unquoted service path running with SYSTEM privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Privilege Escalation Dragon Browser
NVD Exploit-DB
EPSS 0% CVSS 8.5
HIGH POC This Week

Vembu StoreGrid 4.0 contains an unquoted service path vulnerability in the RemoteBackup and RemoteBackup_webServer services that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Vembu Storegrid
NVD Exploit-DB
EPSS 0% CVSS 8.5
HIGH POC This Week

Realtek High Definition Audio Driver 6.0.1.6730 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by placing a malicious executable in the service. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Realtek High Definition Audio Driver
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in JetBrains Hub (versions prior to 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429) allows an authenticated attacker to attach additional authentication details to existing accounts, enabling unauthorized access and elevation of privileges. The flaw, self-reported by JetBrains and patched, carries a CVSS 8.8 with high impact to confidentiality, integrity, and availability; no public exploit is identified at time of analysis and EPSS exploitation probability is low (0.41%).

Privilege Escalation Hub
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Prototype pollution in deepstream.io versions prior to 10.0.5 allows an authenticated client with write permission to any record to corrupt the Node.js Object prototype by submitting record-update messages whose path contains tokens such as __proto__, constructor, or prototype. Because deepstream's permission valve and record-transition pipeline both invoke setValue with the attacker-controlled path, polluting the prototype can taint subsequent permission and transition logic and lead to privilege escalation across all connected clients. No public exploit identified at time of analysis, though the upstream commit (54b8e29) and patch tests publicly demonstrate the exact vulnerable path semantics.

Prototype Pollution Privilege Escalation Deepstream Io
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Symlink-following in Cloud Foundry bpm-release's setupBpmLogs function enables a container-to-host confidentiality breach, allowing a compromised low-privileged process inside a bpm container to manipulate root into chowning an arbitrary host file - including /etc/shadow - to the vcap user. All bpm-release versions prior to v1.4.30 are affected. Once ownership of /etc/shadow is taken, the attacker reads every host password hash via bpm's existing read-only /etc bind mount, effectively breaking the container boundary without requiring any user interaction. No public exploit or CISA KEV listing has been identified at time of analysis, though the low attack complexity and clear exploitation path make this a credible near-term risk.

Privilege Escalation Bpm Release
NVD
EPSS 0% CVSS 8.7
HIGH PATCH HOSTED Monitor

Privilege escalation in the U.S. GAO Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows authenticated remote attackers to elevate their privileges by tampering with the client-supplied 'epds_role_id' parameter, which the server accepts without verification. Reported by CISA-CG and tracked as EUVD-2026-37911 with a CVSS 4.0 score of 8.7, no public exploit identified at time of analysis. Both web applications have been patched by their respective government operators.

Privilege Escalation Microsoft Electronic Protest Docketing System Epds +1
NVD VulDB
HIGH PATCH This Week

Arbitrary code execution as root on the host running Docker MCP Gateway via argument injection in the `docker run` command line. A malicious OCI image author can craft an `io.docker.server.metadata` label that YAML-unmarshals into runtime-shaping fields of the `catalog.Server` struct, causing the gateway to append attacker-chosen flags like `-v /:/host` and `-u root` when launching the MCP server container. No public exploit identified at time of analysis, but the upstream advisory describes a full exploitation path.

Privilege Escalation RCE Docker
NVD GitHub
CVSS 5.4
MEDIUM PATCH This Month

Strimzi Kafka Operator versions 1.0.0 and earlier provision the Entity Operator ServiceAccount with combined RBAC rights for both the Topic Operator and User Operator regardless of which sub-operators are actually enabled in the Kafka custom resource, violating the principle of least privilege. When only one of the two sub-operators is deployed, the overly permissive ServiceAccount can access KafkaUser custom resources and namespace Secrets (when the User Operator is absent) or KafkaTopic custom resources (when the Topic Operator is absent). No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the High confidentiality impact (C:H) due to potential Secret access elevates the urgency of patching.

Privilege Escalation Red Hat
NVD GitHub
CVSS 8.0
HIGH PATCH This Week

Cross-namespace privilege escalation in Strimzi Kafka Operator versions up to 1.0.0 allows tenants with namespace-scoped Kafka custom resource creation rights to read and write Secrets in any namespace where the Cluster Operator has been granted permissions. By abusing the documented `watchedNamespace` field within `Kafka.spec.entityOperator`, an attacker mints a token for the entity operator ServiceAccount in their own namespace and gains full CRUD on Secrets in the target namespace. No public exploit identified at time of analysis, but the attack is mechanically straightforward in any multi-tenant Strimzi deployment.

Privilege Escalation Red Hat
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation in ANSSI's DFIR-ORC versions 10.2.7 and prior allows a low-privileged local user to gain administrator rights by planting a malicious DLL in C:\Windows\Temp, which the tool loads automatically when extracted and executed from that shared directory. The flaw is a classic uncontrolled search path (CWE-427) issue and was reported by INCIBE; no public exploit identified at time of analysis and the CVE is not in CISA KEV. The vendor has shipped a fix in DFIR-ORC v10.3.0, which adds ACL hardening on extraction directories.

Privilege Escalation Microsoft Dfir Orc
NVD GitHub VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Node.js permission model bypass via FileHandle.utimes() allows local low-privilege users to modify file timestamps on paths outside their permitted write scope. Affecting Node.js 26.x before v26.3.1, this flaw is only exploitable when the experimental permission model is explicitly enabled via --experimental-permission, substantially limiting exposure. No public exploit code or active exploitation has been identified at time of analysis, and the vendor-released patch (v26.3.1) is confirmed available as of 2026-06-18.

Privilege Escalation Node Js
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in the cifs-utils cifs.upcall helper allows low-privileged Linux users to gain root by abusing the kernel request_key interface to load a malicious NSS module inside an attacker-controlled mount namespace. The root-owned helper fails to drop privileges before performing user-name resolution, so the attacker's NSS module executes with full root capabilities. No public exploit identified at time of analysis, but the bug affects every supported Red Hat Enterprise Linux release (6 through 10) and OpenShift Container Platform 4, making it a high-priority hardening fix for any host with CIFS/SMB client functionality.

Privilege Escalation Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +4
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Sensitive actuator endpoints in Steeltoe.Management.Endpoint and Steeltoe.Management.EndpointCore expose heap dumps, environment variables, and thread dumps to low-trust Cloud Foundry roles (Space Auditors) due to incorrect default permission levels. Affected versions inherit the base class default of EndpointPermissions.Restricted - which maps to CF's read_basic_data scope - rather than overriding to EndpointPermissions.Full (read_sensitive_data), the permission level Spring Boot's equivalent integration correctly enforces. No public exploit code or KEV listing exists at time of analysis; however, the CVSS PR:L rating reflects that any valid CF credential with Space Auditor privileges is sufficient to reach the affected endpoints.

Privilege Escalation Java Steeltoe Management Endpoint +1
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM This Month

DOM-based XSS in Shaarli's Thumbnail Synchronizer allows stored malicious bookmark titles to execute arbitrary JavaScript in an administrator's browser session when thumbnail synchronization is triggered. Versions 0.16.1 and prior are affected; the root cause is unsanitized innerHTML injection in thumbnails-update.js after the backend's ThumbnailsController::ajaxUpdate returns raw, unescaped bookmark titles via AJAX. Successful exploitation can lead to session hijacking, privilege escalation, and backdoor injection against administrator accounts. No public exploit or KEV listing is confirmed at time of analysis; a vendor patch is available in v0.16.2.

Privilege Escalation XSS Shaarli
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Path traversal in Evil-WinRM through 3.9 lets a malicious or compromised remote Windows server overwrite arbitrary files on the operator's client machine when the user invokes the download_dir() function. Because Evil-WinRM is the offensive operator's tool, this inverts the trust model - the 'target' Windows host becomes the attacker and the red teamer or admin running Evil-WinRM becomes the victim, with realistic outcomes including persistent SSH access via overwritten authorized_keys. No public exploit identified at time of analysis, but a public upstream patch (commit 6ecd570) discloses the exact unsanitized File.join() sink.

Path Traversal Privilege Escalation Microsoft +1
NVD GitHub VulDB
CVSS 9.6
CRITICAL PATCH Act Now

Authorization bypass in Avo (Ruby on Rails admin framework) versions <= 3.32.0 and 4.0.0.beta.1 through 4.0.0.beta.50 allows authenticated low-privileged users to attach arbitrary related records to parent resources via a direct POST to the associations endpoint, bypassing the `attach_<association>?` policy enforced only on the form-rendering GET. Publicly available exploit code exists (Python PoC in the GHSA advisory), and in deployments where associations encode teams, tenants, roles, or memberships, exploitation yields privilege escalation and cross-tenant data exposure.

Python CSRF Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Insecure default file permissions (mode 0o644) in Hermes Agent before v0.16.0 expose two sensitive data files - response_store.db and webhook_subscriptions.json - to any local user on the host system, enabling direct extraction of conversation history, tool payloads, prompts, and per-route HMAC webhook secrets. Any locally authenticated user on the same host can read these files without elevated privileges. HMAC secret exposure is particularly severe because it enables forging authenticated webhook requests, extending impact beyond passive information disclosure into potential privilege escalation - consistent with the 'Privilege Escalation' tag in the intelligence record. No public exploit has been identified at time of analysis, and this is not currently listed in CISA KEV.

Privilege Escalation Information Disclosure Hermes Agent
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM This Month

Privilege escalation in the Cisco Umbrella Virtual Appliance vmadmin CLI enables an authenticated local attacker holding vmadmin-level credentials to elevate access to root on the affected device. The flaw, classified as CWE-269 (Improper Privilege Management), arises because the vmadmin CLI does not adequately validate or restrict specific commands that can be leveraged as a privilege escalation path. No public exploit code has been identified and the CVE is not listed in the CISA KEV catalog at time of analysis; the CVSS 6.0 Medium score reflects the high-privilege prerequisite that meaningfully constrains the realistic attacker pool.

Cisco Privilege Escalation Cisco Umbrella Insights Virtual Appliance
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Implicit execution of untrusted repository-controlled TypeScript/JavaScript extensions in Pi coding agent (npm package @earendil-works/pi-coding-agent) before 0.79.0 allows an attacker who controls a repository to execute arbitrary code with the victim user's full process privileges. Pi's startup path auto-loaded project-local extensions from a repository's .pi directory - including executable TypeScript/JavaScript modules - without any trust gate or user prompt, meaning a developer who cloned and ran Pi in a malicious repository would silently execute attacker-supplied extension code. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the attack class (supply-chain / repository-as-malware-delivery) is highly relevant to developer tooling security.

Privilege Escalation
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation in the Pi coding agent (npm packages @earendil-works/pi-coding-agent 0.74.0-0.78.0 and @mariozechner/pi-coding-agent 0.50.0-0.73.1) allows a co-resident attacker on a shared Linux host to pre-stage attacker-controlled extension code in a predictable `os.tmpdir()/pi-extensions` path that pi later loads as the victim user. No public exploit identified at time of analysis, but the issue was reported by CrowdStrike researchers and patched in 0.78.1 of the renamed package. Affects shared dev boxes, CI runners, and HPC login nodes; Windows/macOS default per-user temp directories typically avoid exposure.

Microsoft Apple Crowdstrike +4
NVD GitHub
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in Quanos SCHEMA ST4 on-premises allows low-privileged authenticated Windows users to obtain SYSTEM-level code execution by abusing the Client Update Service. The service exposes a .NET Remoting endpoint over a named pipe with missing authorization checks (CWE-862), letting any local user invoke privileged Update() methods that perform arbitrary file write/delete as NT AUTHORITY\SYSTEM. No public exploit identified at time of analysis, but technical details were disclosed by SEC Consult (SEC-VLab).

Privilege Escalation Authentication Bypass Schema St4
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in Quanos SCHEMA ST4 on-premises allows an authenticated local user to gain NT AUTHORITY\SYSTEM by abusing insecure .NET Remoting deserialization in the Client Update Service. The endpoint, reachable through a local named pipe with TypeFilterLevel.Full, accepts attacker-controlled serialized objects and yields arbitrary code execution in the update process context. No public exploit identified at time of analysis, though a SEC-Consult/SEC-VLab advisory documents the issue.

Privilege Escalation Deserialization RCE +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated privilege escalation in the ThemeGrill Registration Form for WooCommerce WordPress plugin (versions <= 1.0.9) allows remote attackers to elevate privileges without credentials, potentially gaining administrative control over the WordPress site. With a CVSS of 9.8 and no public exploit identified at time of analysis, the flaw is reported by Patchstack and tagged as a Privilege Escalation issue in the WordPress plugin ecosystem.

Privilege Escalation WordPress Registration Form For Woocommerce
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Falang Multilanguage WordPress plugin (versions <= 1.4.2) allows authenticated low-privileged users (Subscriber role) to elevate their permissions on affected sites. The flaw is rooted in improper privilege management (CWE-266) and carries a CVSS 3.1 score of 8.8 with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Privilege Escalation Falang Multilanguage
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in the WordPress plugin SMS Alert Order Notifications (by Cozy Vision Technologies) versions 3.9.4 and earlier allows low-privileged users - specifically Subscriber-level accounts - to elevate their permissions on the WordPress site. Patchstack catalogued this as an authorization/authentication-bypass class issue (CWE-863). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Authentication Bypass Sms Alert Order Notifications
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Privilege escalation in JetFormBuilder WordPress plugin versions 3.6.1 and earlier allows authenticated subscribers to elevate their role to a higher-privileged level within the WordPress instance. The root cause is incorrect privilege assignment (CWE-266) in the plugin's form processing logic, enabling the lowest authenticated WordPress user role to gain unauthorized administrative or elevated access. No public exploit code or confirmed active exploitation has been identified at time of analysis; CVSS reflects high confidentiality and integrity impact if the high-complexity exploitation conditions are satisfied.

Privilege Escalation Jetformbuilder
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated privilege escalation in LoginPress Pro WordPress plugin versions 6.2.2 and earlier allows remote attackers without credentials to elevate privileges on affected WordPress sites. Reported by Patchstack with a CVSS 9.8 critical rating, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and no public exploit identified at time of analysis. Given the plugin's role in customizing WordPress login flows, a successful attacker could obtain administrator-level access to the underlying site.

Privilege Escalation Loginpress Pro
NVD
EPSS 0% CVSS 7.6
HIGH This Week

Privilege escalation in TechSpawn MultiLoca (WooCommerce Multi Locations Inventory Management) plugin versions 4.2.15 and earlier allows authenticated subscriber-level users to elevate their privileges within affected WordPress sites. The flaw, classified under CWE-266 (Incorrect Privilege Assignment), carries a CVSS 7.6 score with no public exploit identified at time of analysis. The vulnerability was disclosed via Patchstack and affects WordPress installations running the plugin for WooCommerce multi-location inventory management.

Privilege Escalation Multiloca
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in the Support Ticket Management System WordPress plugin (versions 1.9 and earlier) by Theme Passion allows remote unauthenticated attackers to elevate privileges on affected WordPress sites. With a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N) and no public exploit identified at time of analysis, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and is tracked in the Patchstack database. Successful exploitation likely yields administrator-level access to the WordPress instance, enabling full site takeover.

Privilege Escalation Support Ticket Management System
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Genemy WordPress theme versions 1.6.6 and earlier allows authenticated subscriber-level users to elevate their privileges to higher roles, gaining administrative control over affected WordPress sites. The flaw, reported by Patchstack and tracked under CWE-266 (Incorrect Privilege Assignment), affects all installations using the jthemes Genemy theme up to and including 1.6.6, and no public exploit identified at time of analysis. Given the low attack complexity and minimal authentication requirement (any subscriber account), this represents a high-impact issue for any WordPress site running the affected theme with open user registration.

Privilege Escalation Genemy
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Sonaar WordPress theme through version 4.27.4 allows an authenticated low-privileged user (Subscriber role) to elevate their permissions, gaining administrative control over the WordPress site. The flaw is categorized as CWE-266 (Incorrect Privilege Assignment) and was disclosed via Patchstack; no public exploit identified at time of analysis, but the low attacker prerequisites (any Subscriber account, which is often self-registerable on WordPress sites) make this a meaningful risk for affected installations.

Privilege Escalation Sonaar
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Privilege escalation in the Contest Gallery WordPress plugin (versions ≤ 30.0.2) allows authenticated Contributor/Author-level users to overwrite the stored RegistryUserRole option to 'administrator', causing newly registered Google sign-in accounts to be promoted to Administrator. The flaw was disclosed by Wordfence and stems from a missing capability check in the option-saving handler; no public exploit identified at time of analysis.

Privilege Escalation PHP Google +2
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Local privilege escalation in Google Android's telephony subsystem (PhoneInterfaceManager) allows attackers to disable carrier restrictions without any user interaction or additional execution privileges. The flaw stems from a logic error in the setAllowedCarriers handler and is addressed in the Android Security Bulletin for Android 17. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Local privilege escalation in Google Android's Telecomm component allows applications to initiate unauthorized phone calls by bypassing permission checks, with no user interaction required. The flaw is reported through the Android Security Bulletin for Android 17 and carries a CVSS 4.0 score of 10.0, though no public exploit identified at time of analysis. Despite the network-vector CVSS rating, the description characterizes this as local escalation of privilege, suggesting realistic exploitation requires a malicious app already installed on the device.

Privilege Escalation Authentication Bypass
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Local privilege escalation in Google Android's NFC subsystem stems from a use-after-free condition in Nfc::eventCallback() within Nfc.h, triggerable via a race condition without user interaction or additional execution privileges. Affected devices covered by the Android Security Bulletin for Android 17 can have an unprivileged local process win the race and elevate to higher-privileged context. No public exploit identified at time of analysis; the vulnerability was disclosed by Google through the Android security bulletin process.

Privilege Escalation Denial Of Service Race Condition
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Local privilege escalation in Google Android's NFC subsystem allows unprivileged local apps to gain special app access permissions without user interaction, due to an insecure default value in NfcDispatcher.tryStartActivity. Affected Android builds are covered by the Android Security Bulletin (android-17 reference). No public exploit identified at time of analysis; tagged as Privilege Escalation by the Android reporter.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Local privilege escalation in Google Android's NFC subsystem allows an unprivileged local app to spoof NFC events because of a missing permission check, granting capabilities normally reserved for privileged components. No user interaction is required, and no public exploit has been identified at time of analysis, though the issue is tracked in the Android Security Bulletin for Android 17. Despite the CVSS 4.0 vector encoding AV:N, the description clearly describes a local Android attack surface.

Privilege Escalation Authentication Bypass
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Local privilege escalation in Android's SettingsLib component stems from a missing permission check caused by a logic error, allowing on-device attackers to elevate privileges without user interaction or additional execution rights. No public exploit identified at time of analysis, and the issue is addressed in the Android Security Bulletin for Android 17. The CVSS 4.0 vector supplied (AV:N) conflicts with the description's 'local escalation' wording and should be treated as a discrepancy.

Privilege Escalation Authentication Bypass
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Local privilege escalation in Google Android's Package Manager allows on-device attackers to bypass the device lock controller due to a missing permission check, with no user interaction required. The flaw, disclosed in the Android Security Bulletin for Android 17, carries a vendor CVSS 4.0 score of 10.0 but is described as a local escalation. No public exploit identified at time of analysis.

Privilege Escalation Authentication Bypass
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Local privilege escalation in Android's PackageInstallerService allows a malicious app to remove a Device Policy Controller (DPC) from a managed device without Device Owner consent, breaking the enterprise management boundary. The flaw stems from a desynchronization between in-memory state and persisted state in createSessionInternal, and no public exploit has been identified at time of analysis. User interaction is required, but no additional execution privileges are needed beyond installing the malicious app.

Privilege Escalation Race Condition
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

In SettingsLib, there is a possible way to disable system components due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android 17 stems from improper input validation across multiple code paths that allows a low-privileged app or local user to bypass provisioning controls and gain elevated privileges without user interaction. No public exploit identified at time of analysis, and the EPSS score of 0.13% (3rd percentile) reflects no observed exploitation activity, though the CVSS 7.8 reflects the high impact once preconditions are met.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.0
HIGH This Week

In multiple locations, there is a possible 3rd party passkey entry pairing approval due to a missing permission check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

In overrideConfig of CarrierConfigLoader.java, there is a possible way to bypass UID check due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Tamper Protection bypass in Netskope Client for Windows allows a malicious local administrator to disable or subvert the endpoint security agent by directly manipulating the Windows service object and associated registry keys, which are protected by overly permissive Discretionary Access Control Lists. All Netskope Client versions below R138 on Windows are affected. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the gap is operationally significant in environments where insider threat, post-compromise lateral movement, or separation of duties between IT admins and security tooling are concerns.

Privilege Escalation Microsoft Netskope Client
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)

Google Microsoft Use After Free +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

Google Privilege Escalation Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Stale authorization caching in Daytona's preview proxy allows unauthenticated access to sandbox previews for a bounded window after their owner switches visibility from public back to private. The flaw affects versions 0.101.0 through 0.183.0 and is limited to ordinary preview ports - terminal, toolbox, and recording-dashboard ports remained protected. No public exploit identified at time of analysis, and the GitHub advisory tags suggesting RCE/Privilege Escalation contradict the advisory's own impact statement, which explicitly rules both out.

Privilege Escalation RCE
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated privilege escalation in the Support Board WordPress plugin (versions prior to 3.8.9) allows remote attackers with no credentials to elevate privileges on affected WordPress sites. The flaw was reported by Patchstack and is tied to CWE-266 (Incorrect Privilege Assignment), with a critical CVSS 3.1 base score of 9.8 reflecting network-reachable, low-complexity exploitation. No public exploit identified at time of analysis, but the unauthenticated nature and plugin's customer-support role make this a high-priority patch for any WordPress site running it.

Privilege Escalation Support Board
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Full compromise of Oracle HR Intelligence (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by an authenticated high-privileged attacker over HTTP. Successful exploitation results in takeover of the HR Intelligence application with confidentiality, integrity, and availability impact (CVSS 3.1 base 7.2). There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Oracle Hr Intelligence Privilege Escalation
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Takeover of Oracle Subledger Accounting (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by a low-privileged remote attacker leveraging HTTP. The flaw yields full confidentiality, integrity, and availability impact (CVSS 7.5) but is rated high attack complexity, so reliable exploitation is non-trivial. No public exploit identified at time of analysis, and the issue is not listed on CISA KEV.

Oracle Oracle Subledger Accounting Privilege Escalation
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Full takeover of Oracle HRMS (UK) - the UK Payroll component of Oracle E-Business Suite versions 12.2.3 through 12.2.15 - is possible by an already-authenticated, highly privileged attacker over HTTP, leading to complete loss of confidentiality, integrity, and availability of the HRMS application. Oracle classifies the issue as easily exploitable but the PR:H requirement narrows the realistic attacker pool to insiders and compromised admin accounts. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Oracle Hrms Uk Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Takeover of Oracle Process Manufacturing Process Planning (versions 12.2.3 through 12.2.15) is achievable by a low-privileged remote attacker over HTTP through the Internal Operations component of Oracle E-Business Suite. The flaw carries a CVSS 3.1 base score of 8.8 with full confidentiality, integrity, and availability impact, and Oracle has classified it as easily exploitable. There is no public exploit identified at time of analysis, but the low complexity and minimal authentication threshold make it a high-priority patching target for any EBS deployment.

Oracle Oracle Process Manufacturing Process Planning Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Remote takeover of Oracle Cost Management (component: Cost Planning) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by a low-privileged attacker over HTTP, yielding full compromise of confidentiality, integrity, and availability (CVSS 8.8). The advisory was published in Oracle's June 2026 Critical Patch Update and no public exploit identified at time of analysis. Because the EBS Cost Management module is commonly reachable from internal corporate networks by any authenticated EBS user, the low privilege requirement (PR:L) makes this a credible insider/post-foothold escalation path rather than an unauthenticated internet risk.

Oracle Oracle Cost Management Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover of Oracle iSetup (component of Oracle E-Business Suite 12.2.3 through 12.2.15) is achievable by a low-privileged authenticated attacker reaching the General Ledger Update Transform / Reports component over HTTP. The flaw is rated CVSS 8.8 with full confidentiality, integrity, and availability impact, and no public exploit has been identified at time of analysis. Oracle published the fix in the June 2026 Critical Patch Update.

Oracle Oracle Isetup Privilege Escalation
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Takeover of Oracle Complex Maintenance, Repair and Overhaul (CMRO) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker with HTTP network access to fully compromise the Internal Operations component. Oracle's June 2026 Critical Patch Update advisory documents the issue with a CVSS 3.1 base score of 7.5 and high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the vulnerability is rated difficult to exploit due to high attack complexity.

Oracle Oracle Complex Maintenance Repair And Overhaul Privilege Escalation
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Local privilege abuse in Oracle Solaris 11.4 allows a low-privileged authenticated user with logon access to the host to read sensitive filesystem data and trigger a complete denial of service of the operating system. Oracle's June 2026 Critical Patch Update lists this as easily exploitable through the Filesystem component, with a CVSS 3.1 base score of 7.1; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Authentication Bypass Oracle Oracle Solaris +1
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation and full takeover of Oracle JD Edwards EnterpriseOne General Ledger 9.2 (E1 Foundation component) is possible by a low-privileged network attacker via SMB, with scope change to other products. No public exploit identified at time of analysis, but the CVSS 9.9 score and 'easily exploitable' vendor characterization make this a high-priority patching target for ERP operators.

Oracle Jd Edwards Enterpriseone General Ledger Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover of the Siebel CRM Integration component (EAI) in Oracle Siebel CRM versions 17.0 through 26.5 allows a low-privileged remote attacker with HTTP network access to fully compromise the integration component, impacting confidentiality, integrity, and availability. Oracle rates this 'easily exploitable' with CVSS 3.1 score 8.8, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Oracle Siebel Crm Integration Privilege Escalation
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM This Month

The VMSVGA virtual graphics device in Oracle VM VirtualBox 7.2.8 allows a high-privileged local attacker to cross the guest-to-host isolation boundary and gain unauthorized read access to critical data beyond the VM's intended scope. The CVSS scope change (S:C) confirms this is a hypervisor boundary violation - successful exploitation exposes host-level or cross-VM confidential data, a severe outcome in multi-tenant virtualization environments despite the moderate base score. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation.

Authentication Bypass Oracle Oracle Vm Virtualbox +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Privilege escalation and host takeover in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged local attacker to break out of the virtualization boundary and impact additional products beyond VirtualBox itself (scope change). The flaw carries a CVSS 3.1 base score of 7.5 with full confidentiality, integrity, and availability impact, but exploitation is rated high complexity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Oracle Vm Virtualbox Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Extensibility Framework component, enabling an authenticated high-privilege attacker with HTTPS network access to fully compromise confidentiality, integrity, and availability of the management platform. The vendor (Oracle) advisory rates the issue at CVSS 3.1 7.2, and no public exploit identified at time of analysis, but successful exploitation yields complete product takeover. EPSS and CISA KEV signals are not provided in the input data.

Oracle Oracle Enterprise Manager Base Platform Privilege Escalation
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata Plugin component, allowing a low-privileged remote attacker over HTTPS to fully compromise the platform with a scope change that impacts additional products. The CVSS 3.1 base score of 9.9 reflects the broad confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Enterprise Manager Base Platform Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Cross-tenant data compromise in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a low-privileged authenticated attacker to coerce another user into an interaction that yields unauthorized read, create, modify, or delete access to all WebCenter Content data, with a scope change extending impact to additional Oracle Fusion Middleware products. Disclosed in Oracle's June 2026 Critical Patch Update with a CVSS 3.1 base score of 8.7; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Oracle Oracle Webcenter Content +1
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation to full takeover in Oracle Identity Manager Connector (Fusion Middleware) allows a low-privileged remote attacker with SSH network access to compromise the Generic Unix Connector and pivot into additional Fusion Middleware components via a CVSS scope change. Versions 12.2.1.4.0 and 14.1.2.1.0 are affected, with Oracle rating the issue 9.9 due to high confidentiality, integrity, and availability impact across product boundaries. No public exploit identified at time of analysis, but the AV:N/AC:L profile and SSH-reachable attack surface make this a high-priority Oracle CPU item.

Oracle Identity Manager Connector Privilege Escalation
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Full server takeover is possible in Oracle WebLogic Server's Console component, affecting versions 14.1.2.0.0 and 15.1.1.0.0 via HTTP over a network. Exploitation requires a high-privileged attacker and high attack complexity, limiting the realistic threat surface to scenarios where administrative credentials are already compromised or an insider threat is present. No public exploit code and no CISA KEV listing have been identified at the time of analysis; this was disclosed as part of Oracle's Critical Patch Update (CPU) for June 2026.

Oracle Weblogic Server Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package component) allows a high-privileged attacker with logon access to the underlying infrastructure to fully compromise PeopleTools with a scope change that impacts additional products. Oracle rates this CVSS 8.2 and confirms it is easily exploitable once the attacker has the required local privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package component, where an unauthenticated attacker with logon access to the underlying host can take over the PeopleTools instance. Oracle rates this 8.4 CVSS with full confidentiality, integrity and availability impact, and no public exploit identified at time of analysis. The local attack vector keeps remote internet-based mass exploitation unlikely, but any user who can log on to the PeopleTools server should be treated as a critical risk.

Oracle Peoplesoft Enterprise Pt Peopletools Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

In numberOfReportBlocks of RtpSession.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Buffer Overflow Memory Corruption
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In Write of msg_to_host_buffer.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Buffer Overflow
NVD
Prev Page 3 of 148 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy