Skip to main content

Privilege Escalation

13282 CVEs technique

Monthly

CVE-2026-35288 HIGH This Week

Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package component) allows a high-privileged attacker with logon access to the underlying infrastructure to fully compromise PeopleTools with a scope change that impacts additional products. Oracle rates this CVSS 8.2 and confirms it is easily exploitable once the attacker has the required local privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Privilege Escalation
NVD VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-35272 HIGH This Week

Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package component, where an unauthenticated attacker with logon access to the underlying host can take over the PeopleTools instance. Oracle rates this 8.4 CVSS with full confidentiality, integrity and availability impact, and no public exploit identified at time of analysis. The local attack vector keeps remote internet-based mass exploitation unlikely, but any user who can log on to the PeopleTools server should be treated as a critical risk.

Oracle Peoplesoft Enterprise Pt Peopletools Privilege Escalation
NVD VulDB
CVSS 3.1
8.4
EPSS
0.2%
CVE-2026-0161 HIGH This Week

In numberOfReportBlocks of RtpSession.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Buffer Overflow Memory Corruption
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-0153 HIGH This Week

In Write of msg_to_host_buffer.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Buffer Overflow
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-0152 HIGH This Week

In OSMMapPMRGeneric of pmr_os.c, there is a possible way to leverage a system call to system call to maliciously expand the VMA out of bounds due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-0150 Awaiting Data

In ExecuteGraph command handler of EdgeTPU firmware, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with root privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Buffer Overflow
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-0143 Awaiting Data

In lwis_device_external_event_emit of lwis_event.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Buffer Overflow Denial Of Service
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-0138 Awaiting Data

In lwis_io_buffer_write of lwis_io_buffer.c, there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Buffer Overflow
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-0137 Awaiting Data

In edgetpu_sync_fence_group_shutdown() of edgetpu-dmabuf.c, there is a possible elevation of privilege due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Denial Of Service
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-0133 Awaiting Data

In smmu_attach_dev of arm-smmu-v3.c, there is a possible way to sign malicious Android Runtime bootclass artifacts due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Google
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-0131 Awaiting Data

In RtpPacket::decodePacket, there is a possible out of bounds access due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Privilege Escalation
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-0125 Awaiting Data

In multiple functions of vpu_ioctl.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Denial Of Service
NVD
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-53862 npm LOW PATCH GHSA Monitor

Bootstrap token replay in OpenClaw before version 2026.5.12 permits callers holding a pending bootstrap token to resubmit that token with a broader scope than originally requested, bypassing intended pairing authority limits. The flaw, rooted in incorrect privilege assignment (CWE-266), exploits the gap between token issuance and administrative approval to escalate pairing access. No public exploit code has been identified and the vulnerability carries a CVSS 4.0 score of 2.3, reflecting significant mitigating factors including high attack complexity, a required target precondition, and passive user interaction - making this a low real-world priority outside environments with high-value pairing workflows.

Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-53854 npm MEDIUM POC PATCH GHSA This Month

Privilege escalation in OpenClaw before 2026.4.25 allows authenticated low-privileged users to inherit wildcard ownerAllowFrom authorization state across channel boundaries, enabling execution of owner-level commands outside their intended channel scope on both internal and webchat command paths. The flaw (CWE-863) produces high integrity impact (VI:H per CVSS 4.0) without confidentiality or availability consequences, as the attacker gains unauthorized administrative command execution rather than data access. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS 4.0 score of 6.0 reflects meaningful but condition-dependent risk.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-53849 npm HIGH POC PATCH GHSA This Week

Privilege escalation in OpenClaw before 2026.5.7 allows any user with a Discord account to assume the identity of a privileged Discord user authorized in the agent's allowFrom policy by simply renaming their account, because the access-control check matches on mutable display names rather than immutable Discord user IDs (snowflakes). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but exploitation is trivial for anyone who can read the target policy.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-53847 npm MEDIUM PATCH GHSA This Month

Privilege escalation in OpenClaw before 2026.5.6 allows authenticated Gateway operators holding operator.write access to modify global configuration that should be restricted exclusively to operator.admin privileges. The root cause (CWE-266: Incorrect Privilege Assignment) lies in insufficient scope validation within the Active Memory write scope, which fails to enforce the boundary between the write and admin privilege tiers. No public exploit has been identified at time of analysis; however, the network-accessible attack vector (AV:N, PR:L) means any authenticated operator-level account across the deployment is a viable exploitation path with low attack complexity.

Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2024-38487 HIGH PATCH This Week

api-gateway container running with root privilege would allow an attacker to escape the container and access host system to perform unintended actions. Rated high severity (CVSS 7.0). This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Emc Vxrail Appliance
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-12003 MEDIUM PATCH This Month

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a more-privileged Python process running from a legacy all-users installation, enabling arbitrary code execution under an elevated context. The root cause is a VPATH-based fallback landmark mechanism compiled into release builds: on Windows, VPATH resolves two directory levels above PCbuild/, placing the Modules/Setup.local landmark outside the install directory in a location writable by unprivileged users under the legacy EXE installer's default all-users path. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, high confidentiality and integrity impact (VC:H/VI:H) reflect the ability to fully substitute Python's module loading path.

Python Privilege Escalation Microsoft Cpython
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-12313 MEDIUM PATCH This Month

Sandbox escape with information disclosure in Mozilla Firefox's Process Sandboxing component allows a remote attacker to break out of the browser sandbox and read sensitive data from the host environment when a user visits attacker-controlled content. Affected versions span all Firefox releases prior to 152 and all Firefox ESR releases prior to 140.12, patched by Mozilla in mfsa2026-57 and mfsa2026-58. No public exploit identified at time of analysis and SSVC signals no current exploitation activity, keeping real-world urgency at moderate priority despite the scope-changing nature of the flaw.

Privilege Escalation Mozilla Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.2%
CVE-2026-12289 HIGH PATCH This Week

Privilege escalation in the WebRender graphics component of Mozilla Firefox enables remote attackers to elevate privileges within the browser sandbox when a victim loads malicious web content. Mozilla has patched the issue in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37, and no public exploit has been identified at time of analysis.

Privilege Escalation Mozilla
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-8176 HIGH This Week

Privilege escalation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.5.1) allows an authenticated user with Agent-level access or higher to chain three independent flaws and overwrite a WordPress Administrator's password without invoking any Administrator-only API. Wordfence-reported flaw with no public exploit identified at time of analysis, though source code locations of all three vulnerable code paths are referenced in the disclosure.

Privilege Escalation WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD VulDB
CVSS 3.1
7.5
EPSS
0.6%
CVE-2025-9912 MEDIUM PATCH This Month

Local privilege escalation in Nokia SR Linux (multiple release branches prior to 23.10.8, 24.10.6, and 25.7.2) allows an authenticated local user to execute arbitrary commands with superuser (root) privilege. Rooted in CWE-269 (Improper Privilege Management), this flaw enables a user who has already obtained a local session on the network OS to break out of their assigned privilege boundary and gain full control of the system. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, Nokia has confirmed a patch and self-reported the issue.

Privilege Escalation Nokia Nokia Sr Linux
NVD VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2025-10262 MEDIUM PATCH This Month

Local privilege escalation in Nokia SR Linux affects multiple release trains and allows an already-authenticated user holding elevated local privileges to execute arbitrary commands as superuser by exploiting unsanitized format string handling (CWE-134). The attack vector is local and requires high prior privileges (CVSS AV:L/PR:H), significantly limiting the exposure surface compared to a network-exploitable flaw. No public exploit code and no CISA KEV listing have been identified at time of analysis; Nokia has released patches across all affected branch lines.

Privilege Escalation Nokia Sr Linux
NVD VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-50255 MEDIUM This Month

Privilege escalation to SYSTEM in Sony Optical Disc Archive Software for Windows 5.5.3 and earlier arises from incorrect default filesystem permissions (CWE-276), enabling a local low-privileged attacker to plant or replace executable content that the software later runs with SYSTEM-level authority. Reported by JPCERT/CC and tracked under JVN#79926428, the vulnerability is classified as local with passive user interaction required (CVSS 4.0 AV:L/UI:P/AT:P), limiting opportunistic mass exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Privilege Escalation Microsoft RCE Optical Disc Archive Software For Windows
NVD VulDB
CVSS 4.0
5.4
EPSS
0.1%
CVE-2026-5064 HIGH PATCH This Week

Local privilege escalation and denial of service in HP One Agent software on HP PC products allow authenticated low-privileged users to gain elevated rights or disrupt the agent. HP has acknowledged the issue and is releasing software updates as mitigation. No public exploit identified at time of analysis, and the flaw is not listed on CISA KEV.

Privilege Escalation HP Denial Of Service Hp One Agent Software
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-49780 HIGH This Week

Privilege escalation in Dokan WordPress plugin versions 5.0.2 and earlier allows authenticated low-privileged customer accounts to elevate their permissions within the multivendor marketplace, potentially gaining vendor or administrative capabilities. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

Privilege Escalation Dokan
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-49083 HIGH This Week

Privilege escalation in the LatePoint WordPress plugin versions 5.5.1 and earlier allows authenticated users holding low-privileged contributor accounts to elevate to higher-privileged roles, according to a Patchstack advisory. CVSS 3.1 scores this 7.5 (High) with full confidentiality, integrity, and availability impact, though high attack complexity and required low privileges constrain trivial exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Privilege Escalation Latepoint
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-49063 HIGH This Week

Unauthenticated privilege escalation in the Listdom WordPress plugin versions 5.5.0 and earlier allows remote attackers to elevate privileges without any authentication or user interaction. The flaw is tracked under CWE-266 (Incorrect Privilege Assignment) and was reported by Patchstack; no public exploit identified at time of analysis. Affected sites running this Webilia-developed directory listing plugin face risk of unauthorized account or capability elevation through exposed plugin endpoints.

Privilege Escalation Listdom
NVD
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-48889 HIGH This Week

Privilege escalation in the Amelia booking plugin for WordPress (versions 2.3 and earlier) allows an authenticated low-privileged user (Subscriber role) to gain higher WordPress privileges. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) indicates a network-reachable flaw exploitable with only minimal account access, yielding high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Amelia
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-39587 HIGH This Week

Unauthenticated privilege escalation in the WP BASE Booking WordPress plugin (versions through 5.9.0) allows remote attackers to elevate privileges without credentials, with potential to fully compromise affected WordPress sites. The flaw is rated CVSS 8.1 (high) with no public exploit identified at time of analysis, but the unauthenticated nature and high impact on confidentiality, integrity, and availability make it a notable risk for sites running the plugin.

Privilege Escalation Wp Base Booking
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39583 CRITICAL Act Now

Unauthenticated privilege escalation in the Datalogics Ecommerce Delivery WordPress plugin (versions ≤ 2.6.62) allows remote attackers to gain elevated privileges on affected WordPress sites without any credentials or user interaction. The flaw, tracked by Patchstack and assigned a CVSS 9.8, enables full compromise of site integrity and confidentiality; no public exploit identified at time of analysis, but the network-reachable, no-auth nature makes opportunistic exploitation likely once details circulate.

Privilege Escalation Datalogics Ecommerce Delivery
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-39579 HIGH This Week

Privilege escalation in the B Blocks WordPress plugin through version 2.0.31 allows authenticated users with Contributor-level access to elevate their privileges on the affected site. Reported by Patchstack and tracked as EUVD-2026-36965, the issue carries a CVSS 3.1 score of 8.8 reflecting full confidentiality, integrity, and availability impact once a low-privileged WordPress account is obtained. No public exploit identified at time of analysis, but the low attack complexity and lack of required user interaction make weaponization straightforward once an exploitation primitive is published.

Privilege Escalation B Blocks
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-39470 HIGH PATCH This Week

Privilege escalation in the WooCommerce Cart Abandonment Recovery WordPress plugin before version 2.1.0 allows an authenticated shop manager to elevate privileges beyond their intended role on affected WordPress sites. The flaw, tracked as CWE-266 (Incorrect Privilege Assignment), carries a CVSS 7.2 (High) score and has a vendor-released patch in 2.1.0, with no public exploit identified at time of analysis.

Privilege Escalation WordPress Woocommerce Cart Abandonment Recovery
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-34901 CRITICAL Act Now

Unauthenticated privilege escalation in iControlWP WordPress plugin versions 5.5.3 and earlier allows remote attackers to gain elevated privileges on affected WordPress sites without authentication. Reported by Patchstack and rated CVSS 9.8, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and impacts the worpit-admin-dashboard-plugin distribution. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

Privilege Escalation Icontrolwp
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-27407 HIGH This Week

Privilege escalation in the AI Engine WordPress plugin (Meow Apps) through version 3.4.9 allows authenticated users with Editor-level access to elevate their privileges to Administrator. CVSS rates this 7.2 (High) given high privileges required but full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Privilege Escalation Ai Engine
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-11931 MEDIUM PATCH This Month

Authentication token cache file exposure in Kiro IDE on macOS and Linux allows any local user to read credentials belonging to other users due to world-readable file permissions (0644) instead of the security-appropriate owner-only permissions (0600). All versions before 0.11.133 are affected on UNIX-based platforms; the vulnerability is confirmed by AWS via security bulletin 2026-045 and has been assigned CWE-276 (Incorrect Default Permissions). No public exploit code has been identified at time of analysis, but exploitation requires no technical sophistication - only filesystem read access on a shared system.

Privilege Escalation Apple Kiro Ide
NVD VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-54267 npm HIGH PATCH GHSA This Week

DOM Clobbering and HTTP Transfer Cache poisoning in Angular's Client Hydration (provideClientHydration) allows remote attackers to inject arbitrary JSON into the TransferState by hijacking the predictable 'ng-state' element ID. Affected versions are @angular/core 20.x through 22.x prior to the fixes, and the flaw can be leveraged for DOM-based XSS, privilege escalation, or UI hijacking when applications bind untrusted input to element id attributes. No public exploit identified at time of analysis, but a vendor patch and detailed advisory (GHSA-rgjc-h3x7-9mwg) are available.

Privilege Escalation XSS
NVD GitHub VulDB HeroDevs
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-49111 HIGH This Week

Privilege escalation in the ThemeGrill Masteriyo LMS WordPress plugin (versions up to and including 2.2.0) allows authenticated low-privileged users to elevate their permissions to higher roles, including administrator. The flaw stems from incorrect privilege assignment (CWE-266) and carries a CVSS 8.8 with high confidentiality, integrity, and availability impact across the WordPress instance. No public exploit identified at time of analysis, and the Patchstack disclosure is the sole reference currently available.

Privilege Escalation Masteriyo Lms
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2016-20084 MEDIUM POC This Month

WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress XSS Privilege Escalation Booking Calendar Contact
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2016-20070 MEDIUM POC This Month

WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress XSS Privilege Escalation Booking Calendar Contact Form
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-50100 HIGH This Week

Local privilege escalation in multiple Ricoh and Konica Minolta printer drivers on Windows hosts allows an authenticated low-privileged user to gain higher privileges by supplying a specially crafted driver component. The flaw is rooted in CWE-427 (Uncontrolled Search Path Element), and at time of analysis no public exploit identified at time of analysis. CVSS 4.0 of 8.5 reflects high confidentiality, integrity, and availability impact despite requiring local access.

Privilege Escalation Multiple Printer Drivers
NVD
CVSS 4.0
8.5
EPSS
0.2%
CVE-2026-39118 HIGH This Week

Local privilege escalation in Iru, Inc Kandji Agent versions prior to 4.7.5(5374) allows a local attacker to invoke restricted agent functionality by exploiting a client-side validation gap. The flaw maps to CWE-269 (Improper Privilege Management) and carries a CVSS 8.4 rating due to high impact on confidentiality, integrity, and availability, though no public exploit identified at time of analysis and EPSS is low at 0.14%.

Privilege Escalation N A
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-36213 HIGH POC This Week

Local privilege escalation in Microvirt MEmu Android Emulator 9.2.7.0 allows a low-privileged local user to abuse the MemuService.exe component to gain elevated rights on the host Windows system. Mapped to CWE-269 (Improper Privilege Management), with no public exploit identified at time of analysis and an EPSS score of 0.21% indicating low predicted exploitation likelihood. Researcher PoC repository exists on GitHub (sec-zone/CVE-2026-36213) but active exploitation has not been reported.

Privilege Escalation Google N A
NVD GitHub Exploit-DB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-11769 Go MEDIUM PATCH GHSA This Month

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to create GrafanaDashboard or GrafanaLibraryPanel resources to steal the Kubernetes service account token of the operator manager pod. The jsonnet templating language, supported via spec.jsonnetLib, is evaluated unsandboxed inside the operator manager pod, enabling a path traversal payload to read sensitive files - including the mounted service account token - and exfiltrate it through the resulting dashboard output. No public exploit is identified at time of analysis, but successful exploitation yields cluster-level privilege escalation, reflected in the vendor-assigned CVSS 4.0 subsequent-system impact of SC:H/SI:H.

Grafana Path Traversal Kubernetes Privilege Escalation Grafana Operator
NVD VulDB GitHub
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-53823 npm HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.5.3 allows attackers with access to a Slack account to spoof identity by changing their mutable Slack display name to match an allowFrom policy entry, gaining agent access intended for another user. The root cause is authentication binding to a mutable identifier (CWE-290) rather than a stable Slack user ID. No public exploit identified at time of analysis, though an upstream advisory (GHSA-c29c-2q9c-pc86) and VulnCheck writeup describe the flaw in detail.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-54358 HIGH PATCH This Week

Privilege escalation in MISP (Malware Information Sharing Platform) allows an authenticated organization administrator to target site administrator accounts within their own organization via the administrative email functionality, enabling privileged actions such as triggering a password-reset workflow against a higher-privileged user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. Successful exploitation results in full takeover of the targeted site admin account and complete compromise of the MISP instance.

Privilege Escalation Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-54055 MEDIUM PATCH This Month

Arbitrary file write in kitty terminal versions prior to 0.47.2 allows a child process running inside a kitty session to redirect writes to attacker-controlled filesystem paths. The root cause is a missing O_NOFOLLOW flag in the os.open() call within kitty's file transmission protocol: between the initial symlink validation stat-check and the actual file open, an attacker can insert a symlink, causing the write to follow it to an arbitrary destination - a classic TOCTOU race. No public exploit code exists and EPSS sits at 0.01% (1st percentile), indicating no observed exploitation; however, successful exploitation enables high-integrity-impact file overwrites that can facilitate local privilege escalation. Version 0.47.2 resolves the issue.

Privilege Escalation Kitty Suse
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-53999 Go HIGH PATCH GHSA This Week

Cross-tenant container deletion in the Radius Kubernetes controller (versions <= v0.57.1) allows a tenant with Deployment annotation-edit rights to coerce the high-privilege controller into deleting another tenant's container resource by injecting a forged radapp.io/status JSON blob. The flaw is a classic Confused Deputy (CWE-441/CWE-20) that yields an availability-only impact, is most severe in multi-tenant installs, and currently has publicly available exploit code via the GHSA advisory but no public exploit identified at time of analysis in CISA KEV.

Privilege Escalation Nginx Kubernetes
NVD GitHub
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-53408 HIGH PATCH This Week

Privilege escalation in Zoom Workplace mobile clients (Android before 7.0.4, iOS before 7.0.3) stems from improper authorization in the handler for a custom URL scheme, allowing a remote attacker to elevate privileges over network access. The CVSS 8.1 rating reflects high confidentiality and integrity impact with low-complexity exploitation, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Google Privilege Escalation Apple Zoom Workplace
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-53407 CRITICAL PATCH Act Now

Privilege escalation in the Zoom Workplace mobile app (Android before 7.0.4, iOS before 7.0.3) stems from improper authorization in the handler that processes the app's custom URL scheme, allowing an unauthenticated actor to elevate privileges via network access. Zoom self-reported and patched the flaw, and no public exploit identified at time of analysis; EPSS remains very low (0.04%, 12th percentile) and CISA SSVC marks exploitation as none, indicating no observed activity despite the 9.8 CVSS score.

Google Privilege Escalation Apple Zoom Workplace
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-53406 HIGH PATCH This Week

Local privilege escalation in Remote Control for Zoom Contact Center for Windows prior to version 7.0.0 allows an authenticated user with local access to elevate privileges due to insufficient verification of data authenticity. The flaw, reported by Zoom and tracked in bulletin ZSB-26009, carries a CVSS 3.1 base score of 7.8 (High) with no public exploit identified at time of analysis. Exploitation requires existing local authenticated access, which limits opportunistic abuse but makes this a strong post-compromise pivot on workstations running the Zoom Contact Center remote control component.

Privilege Escalation Microsoft Remote Control For Zoom Contact Center
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-47369 CRITICAL PATCH Act Now

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on affected UniFi OS devices and instances due to improper input validation (CWE-20). The CVSS 9.9 score reflects a scope-changing impact spanning UniFi Dream Machine, UniFi Express, UDR, UCG, UNVR, UNAS, and other UniFi OS Server platforms. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Privilege Escalation Ubiquiti Unifi Os Server Express Udm +29
NVD VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-47366 HIGH This Week

Privilege escalation in phpBB allows an authenticated administrator with limited rights to grant themselves permissions beyond their authorized scope through the Administration Control Panel (ACP), enabling elevation to full administrative control over the forum. The flaw stems from improper verification of access permissions when permissions are modified via the ACP, and no public exploit identified at time of analysis. With CVSS 7.2 (PR:H) and no KEV listing, this is a meaningful but not panic-level risk that primarily threatens multi-admin phpBB deployments where administrative duties are intentionally segmented.

Authentication Bypass Privilege Escalation Phpbb
NVD
CVSS 3.0
7.2
EPSS
0.0%
CVE-2026-49060 CRITICAL Act Now

Privilege escalation in the Hippoo Mobile App for WooCommerce WordPress plugin (versions up to and including 1.9.4) allows remote unauthenticated attackers to elevate privileges on affected sites due to incorrect privilege assignment (CWE-266). With a CVSS 3.1 score of 9.8 and Patchstack-reported network-exploitable characteristics, this issue can lead to full compromise of WooCommerce-backed WordPress stores; no public exploit identified at time of analysis.

Privilege Escalation WordPress Hippoo Mobile App For Woocommerce
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-12027 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the Headless component sandbox via a crafted HTML page. The flaw is rated High severity by Chromium and carries CVSS 9.6 due to scope change and user interaction, though EPSS remains very low (0.03%) and there is no public exploit identified at time of analysis. A vendor patch is available in the stable channel update published June 2026.

Privilege Escalation Google Red Hat
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-12018 HIGH PATCH This Week

Local privilege escalation in Google Chrome on Windows prior to 149.0.7827.115 stems from an inappropriate implementation in the Mojo IPC layer, allowing a local attacker who can place a malicious file on the system to elevate to OS-level privileges. The flaw is rated High severity by Chromium and carries CVSS 8.8, with a vendor patch available and no public exploit identified at time of analysis.

Privilege Escalation Microsoft Google
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-53814 npm HIGH PATCH GHSA This Week

Privilege escalation in OpenClaw before 2026.5.20 allows attackers holding a valid hook token to invoke owner-only MCP tools through the /hooks/agent endpoint, because hook-triggered agent runs are incorrectly granted owner-scoped MCP loopback authority. Successful exploitation lets a low-privileged hook caller execute privileged actions such as modifying persistent cron state, with no public exploit identified at time of analysis.

Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-53811 npm HIGH PATCH GHSA This Week

Privilege escalation in OpenClaw before 2026.5.7 allows authenticated Matrix users to impersonate other identities by manipulating their mutable display name to match policy entries in the allowFrom feature. The flaw stems from authentication relying on a user-controlled attribute (CWE-290), letting attackers receive agent access intended for another Matrix identity. No public exploit identified at time of analysis, but a vendor patch and VulnCheck advisory are available.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-45176 HIGH PATCH This Week

Local privilege escalation in CyberArk (Idira) Endpoint Privilege Manager Agent versions prior to 26.5 allows low-privileged users on Windows, macOS, and Linux endpoints to abuse improper access controls in high-privileged agent components and execute actions with elevated privileges. The flaw was reported by Palo Alto Networks (CyberArk's parent) and addressed in agent version 26.5.0, with no public exploit identified at time of analysis. Because EPM is itself a privilege-management control, a bypass directly undermines the security posture of every endpoint where it is deployed.

Privilege Escalation Idira Endpoint Privilege Manager
NVD VulDB
CVSS 4.0
8.9
EPSS
0.0%
CVE-2025-31272 HIGH PATCH This Week

Privilege escalation in Apple macOS Sequoia prior to 15.4 allows a locally executing application to bypass launch constraint protections and run malicious code with elevated privileges. The flaw, reported by Apple and tracked as EUVD-2025-210116, carries CVSS 7.8 (local, low complexity, low privileges) and CWE-269 improper privilege management, with no public exploit identified at time of analysis and CISA SSVC marking exploitation status as 'none'.

Privilege Escalation Apple
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-10847 HIGH This Week

Local privilege escalation in Check Point Identity Agent Full for Windows allows an authenticated local user to execute arbitrary code with SYSTEM privileges through improper executable resolution during the log collection process. The flaw is a classic CWE-427 uncontrolled search path issue, and no public exploit has been identified at time of analysis. Exploitation is constrained to attackers who already have a foothold on the endpoint but provides a reliable path to full SYSTEM compromise.

Checkpoint Privilege Escalation Microsoft RCE
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-47781 PyPI HIGH POC PATCH GHSA This Week

Local arbitrary code execution in PDM (Python Development Master) versions <= 2.26.9 allows attacker-controlled repositories to execute Python code under the invoking user's privileges when any pdm command (even `pdm --version`) is run inside a malicious checkout. The root cause is implicit loading of project-local `.pdm-plugins` via `site.addsitedir()`, which processes `.pth` files containing executable `import` statements before CLI parsing. Publicly available exploit code exists in the advisory PoC, and CWE-94 code injection is confirmed; no public exploit identified at time of analysis as actively used in the wild.

Python Privilege Escalation Code Injection RCE Suse
NVD GitHub VulDB
EPSS
0.0%
CVE-2026-0272 MEDIUM PATCH This Month

Privilege escalation in Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances allows an authenticated CLI administrator to perform operations at the root OS level, bypassing intended privilege boundaries through a missing authorization control (CWE-862). The risk is substantially gated by the requirement for existing administrative CLI access (CVSS PR:H), making insider threats and compromised admin credentials the primary real-world attack paths. No public exploits or confirmed active exploitation have been identified at time of analysis, and the vendor's own E:U supplemental metric reinforces the low exploitation urgency - though root-level OS access to a firewall represents a severe impact if the prerequisite is met.

Privilege Escalation Authentication Bypass Paloalto Cloud Ngfw Pan Os +1
NVD VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-0271 MEDIUM PATCH This Month

Privilege escalation in Palo Alto Networks Prisma Access Agent on Linux allows a locally authenticated low-privileged user to execute arbitrary code with elevated privileges, achieving full confidentiality, integrity, and availability compromise of the affected system. The vulnerability is rooted in CWE-732 (Incorrect Permission Assignment for Critical Resource) and is strictly scoped to Linux deployments - the Windows, macOS, iOS, Android, and ChromeOS agent variants are confirmed unaffected by the vendor. No public exploit code has been identified at time of analysis, and the CVSS 4.0 supplemental metric E:U (Exploitation Unlikely) further tempers immediate mass-exploitation risk, though the complete local system impact warrants timely patching for multi-user Linux environments.

Microsoft Apple Paloalto Privilege Escalation Google +1
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-11626 MEDIUM This Month

Local privilege escalation in Broadcom's Symantec Endpoint Protection CleanWipe Removal Tool for macOS, versions prior to 16.0.0.65, allows a local attacker to gain administrative control of the affected system. The vulnerability is rooted in CWE-250 (Execution with Unnecessary Privileges), a class where a process operates with more permissions than its function requires, creating an elevation pathway. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog; however, the full confidentiality, integrity, and availability impact on the vulnerable component (VC:H/VI:H/VA:H) underscores the severity of a successful exploitation.

Apple Privilege Escalation
NVD VulDB
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-50570 HIGH PATCH This Week

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.25.0 allows a tenant with permission to create Function or Environment CRDs to obtain CAP_SYS_TIME inside function/runtime containers by bypassing an incomplete capability denylist in the ValidatePodSpecSafety admission webhook. The denylist only blocked six Linux capabilities (SYS_ADMIN, NET_ADMIN, SYS_PTRACE, SYS_MODULE, DAC_READ_SEARCH, DAC_OVERRIDE) and omitted CAP_SYS_TIME and others, letting tenant-controlled code modify the container's system clock. No public exploit identified at time of analysis, but the upstream patch and CRD diff are publicly visible in fission/fission PR #3465.

Privilege Escalation Kubernetes
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-50566 Go CRITICAL POC PATCH GHSA Act Now

Privilege escalation in Fission prior to version 1.24.0 allows a tenant holding environments.fission.io create/update RBAC to define Environment custom resources with privileged, allowPrivilegeEscalation, or dangerous Linux capabilities on the bare Runtime.Container or Builder.Container fields, which bypass the existing PodSpec safety validator and get scheduled under the executor's high-privilege service account. Successful abuse enables container-sandbox escape, host filesystem and network access, and node- or cluster-level compromise. No public exploit identified at time of analysis, but the upstream fix is published in v1.24.0.

Privilege Escalation Kubernetes Fission
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-50565 Go MEDIUM PATCH GHSA This Month

Kubernetes service account token exposure in Fission serverless framework prior to v1.24.0 allows authenticated high-privilege users to escalate cluster privileges via a malicious builder image. Builder pods were created with ServiceAccountName set to fission-builder but without AutomountServiceAccountToken: false, causing the Kubernetes kubelet to automatically inject the fission-builder service account credential into every container in the pod - including untrusted, user-supplied builder images. An attacker with sufficient Fission privileges to register or modify builder environments can exploit this to read the mounted token and authenticate directly to the Kubernetes API using the fission-builder service account's RBAC permissions. No public exploit identified at time of analysis; vendor-released patch is available in v1.24.0.

Privilege Escalation Kubernetes
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-50564 Go CRITICAL PATCH GHSA Act Now

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with Environment CRD write access to escape the container sandbox and reach node- or cluster-level privileges by setting unfiltered fields in spec.runtime.podSpec or spec.builder.podSpec. Because the fission-executor and fission-builder service accounts schedule pods on the tenant's behalf, attacker-controlled values for hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName are merged into pod specs without validation. No public exploit identified at time of analysis, but the patch's hardening scope (also closing GHSA-wmgg-3p4h-48x7 and GHSA-v455-mv2v-5g92) shows the issue is broader than a single field.

Privilege Escalation Kubernetes
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-50563 Go CRITICAL PATCH GHSA Act Now

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with Function CRUD permissions to supply an arbitrary Function.spec.podspec that the Container Executor merges into the executor-built podspec, resulting in a Deployment whose pods can break the container sandbox and reach node or cluster level. No public exploit identified at time of analysis, but the upstream fix (PR #3391) explicitly enumerates host namespaces, privileged contexts, hostPath mounts, service account overrides, and dangerous Linux capabilities as the abused fields. CVSS 9.9 with scope change (S:C) reflects that a low-privilege tenant can pivot beyond its own RBAC boundary.

Privilege Escalation Kubernetes
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-50545 Go CRITICAL PATCH GHSA Act Now

Privilege escalation in Fission prior to 1.24.0 allows an authenticated user with permission to create or modify Environment custom resources to abuse unvalidated podSpec passthrough fields (Environment.spec.runtime.podSpec and spec.builder.podSpec), causing MergePodSpec to propagate dangerous fields - notably AutomountServiceAccountToken - into the generated builder/runtime pods. Because the fission-builder ServiceAccount token then becomes accessible from a user-supplied container, an attacker can pivot from a Fission tenant into broader Kubernetes cluster privileges (CVSS 9.9, Scope:Changed). No public exploit identified at time of analysis.

Privilege Escalation Kubernetes
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-47342 HIGH PATCH This Week

Privilege escalation in Apache OFBiz versions prior to 24.09.07 allows a low-privileged authenticated user to elevate their permissions to a higher-privileged role, leading to full compromise of confidentiality, integrity, and availability of the ERP system. The flaw is rooted in improper authorization (CWE-285) and is exploitable remotely over the network with low complexity once valid low-tier credentials are held. No public exploit identified at time of analysis, and EPSS scoring (0.02%) plus CISA SSVC (Exploitation: none) suggest no observed exploitation activity yet.

Privilege Escalation Apache Authentication Bypass Ofbiz
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-48036 npm HIGH PATCH GHSA This Week

Drift-detection logic flaw in the @hulumi/drift npm package (versions < 1.4.0) causes the verdict classifier to conflate adapter failure with a clean result, producing cached false-negative 'None / none' verdicts for up to six hours and false-positive incident-severity 'Mixed / high' or 'ConsoleBreakGlass / high' verdicts based on probe liveness rather than CloudTrail evidence. Consumers running drift detection in CI or cron pipelines could silently miss real console-break-glass mutations or be paged on routine provider-version churn. No public exploit identified at time of analysis; the issue is a CWE-755 improper-exception-handling defect rather than a remote attack primitive.

Privilege Escalation
NVD GitHub
EPSS
0.0%
CVE-2026-24067 HIGH This Week

Local privilege escalation in Slate Digital Connect 1.37.0 for macOS allows unprivileged users on the host to gain root-level capabilities by abusing a TOCTOU race in the privileged helper's XPC client validation. The com.slatedigital.connect.privileged.helper.tool2 service identifies callers by PID and then queries code-signing information, but PID reuse lets an attacker substitute a trusted process between check and use. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the technical pattern is well-known on macOS and a SEC Consult advisory describes the flaw in detail.

Apple Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-24066 HIGH This Week

Local privilege escalation in Slate Digital Connect 1.37.0 for macOS allows unprivileged users to execute commands as root by connecting to the privileged XPC helper service with a self-signed certificate whose subject OU matches the expected value. The flaw stems from improper certificate validation (CWE-296) in the helper's client authorization logic, which fails to verify the certificate chains to a trusted code-signing authority. No public exploit is identified in CISA KEV at time of analysis, and EPSS reflects very low (0.01%) near-term exploitation probability, but a detailed vendor-lab advisory is publicly available.

Apple Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-6254 CRITICAL Act Now

Unauthenticated privilege escalation in the Doctreat Core WordPress plugin (versions ≤ 1.6.8) allows remote attackers to register accounts directly as administrators by abusing insufficient role validation in the doctreat_process_registration() function. With a CVSS of 9.8 and trivial exploitability (AV:N/AC:L/PR:N/UI:N), full site takeover is possible without credentials, though no public exploit has been identified at time of analysis and the CVE is not currently listed in CISA KEV.

Privilege Escalation WordPress
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-11837 HIGH This Week

Local privilege escalation in the ansible.posix collection's authorized_key module allows an unprivileged local user to redirect root-owned file ownership changes to arbitrary system paths via symlink attacks in ~/.ssh. The module's keyfile() function calls os.chown() instead of os.lchown() and omits O_NOFOLLOW when opening files, so a pre-staged symlink is followed during privileged execution. No public exploit identified at time of analysis, but the technique is a well-understood TOCTOU/symlink class with a moderate-to-high CVSS (7.3).

Privilege Escalation
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-22926 HIGH This Week

Local privilege escalation in Omnissa Workspace ONE Assist for macOS allows an authenticated local user with low privileges to escalate to higher privileges through a path traversal weakness (CWE-22). The flaw carries a CVSS 7.8 (High) rating with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. The vulnerability is tracked under Omnissa advisory OMSA-2026-0001 and is specific to the macOS build of the Assist remote-support agent.

Apple Path Traversal Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24065 HIGH This Week

Local privilege escalation in Waves Central for macOS (13.0.9 through 16.5.5) allows an unprivileged local user to gain root code execution by exploiting a time-of-check/time-of-use race in the privileged helper's XPC client validation. The helper trusts the connecting process's PID to verify code-signing identity, but PID reuse permits an attacker-controlled process to masquerade as a legitimate Waves client. SSVC reports a public proof-of-concept exists; the issue is not listed in CISA KEV.

Apple Privilege Escalation RCE
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-24064 HIGH This Week

Local privilege escalation in Waves Central for macOS versions 13.0.9 through 16.5.5 allows an unprivileged user to gain root code execution by injecting a malicious dylib into a trusted XPC client process via DYLD_INSERT_LIBRARIES. The injected code then abuses the product's privileged helper service to perform operations as root. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%), consistent with a local-only macOS desktop attack surface.

Apple RCE Privilege Escalation Waves Central
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46319 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's net/sched act_ct traffic control action stems from a use-after-free in tcf_ct_flow_table_get(), where rhashtable_lookup_fast() releases the RCU read lock before refcount_inc_not_zero() can pin the returned ct_ft object. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but Trend Micro ZDI provided detailed root-cause analysis and stable-tree patches are merged across 5.10 through 6.18 lines. Successful exploitation grants attacker-controlled kernel memory access enabling privilege escalation to root.

Trend Micro Linux Privilege Escalation Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-49741 PHP HIGH PATCH GHSA This Week

SQL injection and privilege escalation in TYPO3 CMS 14.0.0 through 14.3.3 allow authenticated backend users holding write permissions on the form_definition table to bypass the Form Framework's persistence validation by submitting form configurations directly through DataHandler. Successful exploitation re-opens the attack class originally fixed in TYPO3-CORE-SA-2018-003, enabling injection of arbitrary form configurations that yield SQLi and elevation of privileges. No public exploit identified at time of analysis; not listed in CISA KEV.

Privilege Escalation SQLi
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-46748 HIGH CISA This Week

Local privilege escalation in Siemens SINEC INS (versions prior to V1.0 SP2 Update 6) stems from a binary shipped with the Linux cap_dac_override capability, which bypasses filesystem discretionary access control checks. An authenticated local attacker can leverage this overly broad capability to read or modify any file on the system, ultimately obtaining root. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Sinec Ins
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-11616 HIGH This Week

Privilege escalation in the Events Calendar for GeoDirectory WordPress plugin (versions up to and including 2.3.28) allows authenticated Subscriber-level users to elevate to Administrator by abusing the ajax_ayi_action() AJAX handler, which writes attacker-controlled POST parameters directly into the wp_capabilities user meta key. The flaw stems from insufficient input filtering (strip_tags/esc_sql with no allow-list) on the type and postid fields before they reach update_user_meta(), enabling an attacker to set their own role to administrator. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation WordPress
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41974 LOW Monitor

Permission control weakness in the service notifications component of Huawei HarmonyOS and EMUI allows a local, unprivileged attacker - with user interaction - to partially degrade availability across a changed scope boundary. Rooted in CWE-264 (Permissions, Privileges, and Access Controls), the flaw permits improper manipulation of notification service permissions, with impact reaching beyond the immediately vulnerable component as indicated by the CVSS Scope:Changed attribute. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; the low CVSS score of 3.6 reflects constrained real-world impact limited to availability.

Privilege Escalation Emui
NVD
CVSS 3.1
3.6
EPSS
0.0%
CVE-2026-47725 Go HIGH PATCH GHSA This Week

Cross-site request forgery in nebula-mesh's admin web UI (versions <= 0.3.2) lets a remote attacker trigger privileged operator actions - CA signing, API key minting, operator disablement, server-setting changes, and forced logout - when a logged-in operator visits an attacker-controlled page. SameSite=Lax on the session cookie does not block top-level cross-site form POSTs, sibling-subdomain attackers, or the GET /ui/logout route, so the impact is privilege escalation rather than nuisance. No public exploit identified at time of analysis beyond the working reproducer in the advisory itself.

CSRF XSS Privilege Escalation
NVD GitHub
EPSS
0.0%
CVE-2026-47724 Go CRITICAL PATCH GHSA Act Now

Privilege escalation and cross-tenant resource takeover in juev/nebula-mesh versions prior to v0.3.4 allow any authenticated low-privilege operator to mint admin API keys, hijack other operators' hosts via the reenroll endpoint, and perform unauthorized CRUD across hosts, networks, and firewall rules. The `/api/v1/*` route surface trusts the bearer token for authorization without enforcing per-CA ownership checks that the Web UI applies, breaking the per-operator CA tenancy model from ADR 0002. No public exploit identified at time of analysis, though a detailed exploit chain with working curl commands is published in the GHSA advisory.

Authentication Bypass Privilege Escalation
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-44119 MEDIUM PATCH This Month

Privilege escalation in Apache HTTP Server 2.4.0 through 2.4.67 allows local users with .htaccess write access to read arbitrary files using the privileges of the httpd daemon process, exploiting improper privilege management (CWE-269). The attack vector is local, requires low privileges, and impacts only confidentiality - no integrity or availability impact is present. No public exploit code and no active exploitation have been identified; SSVC classifies technical impact as partial and the vulnerability as non-automatable, consistent with the targeted, local nature of the attack.

Privilege Escalation Apache Red Hat Apache HTTP Server
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-9851 HIGH This Week

Privilege escalation in the Booking Package plugin for WordPress (versions up to and including 1.7.16) allows authenticated attackers with Editor-level access or above to take over any account, including Administrator accounts, by abusing the 'updateUser' branch of the package_app_action AJAX endpoint. The handler validates only a nonce and passes a hard-coded administrator flag to Schedule::updateUser(), letting attackers supply arbitrary target user IDs to wp_update_user() and reset the email and password of any account. No public exploit identified at time of analysis, but the issue was disclosed by Wordfence and results in full site compromise once an Editor account is obtained.

Authentication Bypass Privilege Escalation WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-26422 HIGH PATCH This Week

Local privilege escalation in clash-verge-service-ipc before 2.3.0 allows unprivileged local users on macOS and Linux to interact with a world-reachable IPC socket exposed by the privileged Clash Verge service, enabling them to invoke service operations that run with elevated rights. The upstream fix (PR #23) restricts IPC permissions to 0750 on the directory and 0660 on the socket, and the patched dependency was incorporated into the Clash Verge Rev desktop client. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Privilege Escalation Clash Verge Service Ipc
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.0%
EPSS 0% CVSS 8.2
HIGH This Week

Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package component) allows a high-privileged attacker with logon access to the underlying infrastructure to fully compromise PeopleTools with a scope change that impacts additional products. Oracle rates this CVSS 8.2 and confirms it is easily exploitable once the attacker has the required local privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package component, where an unauthenticated attacker with logon access to the underlying host can take over the PeopleTools instance. Oracle rates this 8.4 CVSS with full confidentiality, integrity and availability impact, and no public exploit identified at time of analysis. The local attack vector keeps remote internet-based mass exploitation unlikely, but any user who can log on to the PeopleTools server should be treated as a critical risk.

Oracle Peoplesoft Enterprise Pt Peopletools Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

In numberOfReportBlocks of RtpSession.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Buffer Overflow Memory Corruption
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In Write of msg_to_host_buffer.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Buffer Overflow
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In OSMMapPMRGeneric of pmr_os.c, there is a possible way to leverage a system call to system call to maliciously expand the VMA out of bounds due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation
NVD
EPSS 0% CVSS 7.8
Awaiting Data

In ExecuteGraph command handler of EdgeTPU firmware, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with root privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Buffer Overflow
NVD
EPSS 0% CVSS 7.8
Awaiting Data

In lwis_device_external_event_emit of lwis_event.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Buffer Overflow Denial Of Service
NVD
EPSS 0% CVSS 7.8
Awaiting Data

In lwis_io_buffer_write of lwis_io_buffer.c, there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Buffer Overflow
NVD
EPSS 0% CVSS 7.8
Awaiting Data

In edgetpu_sync_fence_group_shutdown() of edgetpu-dmabuf.c, there is a possible elevation of privilege due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Denial Of Service
NVD
EPSS 0% CVSS 7.8
Awaiting Data

In smmu_attach_dev of arm-smmu-v3.c, there is a possible way to sign malicious Android Runtime bootclass artifacts due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Google
NVD
EPSS 0% CVSS 7.3
Awaiting Data

In RtpPacket::decodePacket, there is a possible out of bounds access due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Privilege Escalation
NVD
EPSS 0% CVSS 7.0
Awaiting Data

In multiple functions of vpu_ioctl.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Denial Of Service
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Bootstrap token replay in OpenClaw before version 2026.5.12 permits callers holding a pending bootstrap token to resubmit that token with a broader scope than originally requested, bypassing intended pairing authority limits. The flaw, rooted in incorrect privilege assignment (CWE-266), exploits the gap between token issuance and administrative approval to escalate pairing access. No public exploit code has been identified and the vulnerability carries a CVSS 4.0 score of 2.3, reflecting significant mitigating factors including high attack complexity, a required target precondition, and passive user interaction - making this a low real-world priority outside environments with high-value pairing workflows.

Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

Privilege escalation in OpenClaw before 2026.4.25 allows authenticated low-privileged users to inherit wildcard ownerAllowFrom authorization state across channel boundaries, enabling execution of owner-level commands outside their intended channel scope on both internal and webchat command paths. The flaw (CWE-863) produces high integrity impact (VI:H per CVSS 4.0) without confidentiality or availability consequences, as the attacker gains unauthorized administrative command execution rather than data access. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS 4.0 score of 6.0 reflects meaningful but condition-dependent risk.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Privilege escalation in OpenClaw before 2026.5.7 allows any user with a Discord account to assume the identity of a privileged Discord user authorized in the agent's allowFrom policy by simply renaming their account, because the access-control check matches on mutable display names rather than immutable Discord user IDs (snowflakes). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but exploitation is trivial for anyone who can read the target policy.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Privilege escalation in OpenClaw before 2026.5.6 allows authenticated Gateway operators holding operator.write access to modify global configuration that should be restricted exclusively to operator.admin privileges. The root cause (CWE-266: Incorrect Privilege Assignment) lies in insufficient scope validation within the Active Memory write scope, which fails to enforce the boundary between the write and admin privilege tiers. No public exploit has been identified at time of analysis; however, the network-accessible attack vector (AV:N, PR:L) means any authenticated operator-level account across the deployment is a viable exploitation path with low attack complexity.

Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

api-gateway container running with root privilege would allow an attacker to escape the container and access host system to perform unintended actions. Rated high severity (CVSS 7.0). This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Emc Vxrail Appliance
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a more-privileged Python process running from a legacy all-users installation, enabling arbitrary code execution under an elevated context. The root cause is a VPATH-based fallback landmark mechanism compiled into release builds: on Windows, VPATH resolves two directory levels above PCbuild/, placing the Modules/Setup.local landmark outside the install directory in a location writable by unprivileged users under the legacy EXE installer's default all-users path. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, high confidentiality and integrity impact (VC:H/VI:H) reflect the ability to fully substitute Python's module loading path.

Python Privilege Escalation Microsoft +1
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Sandbox escape with information disclosure in Mozilla Firefox's Process Sandboxing component allows a remote attacker to break out of the browser sandbox and read sensitive data from the host environment when a user visits attacker-controlled content. Affected versions span all Firefox releases prior to 152 and all Firefox ESR releases prior to 140.12, patched by Mozilla in mfsa2026-57 and mfsa2026-58. No public exploit identified at time of analysis and SSVC signals no current exploitation activity, keeping real-world urgency at moderate priority despite the scope-changing nature of the flaw.

Privilege Escalation Mozilla Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in the WebRender graphics component of Mozilla Firefox enables remote attackers to elevate privileges within the browser sandbox when a victim loads malicious web content. Mozilla has patched the issue in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37, and no public exploit has been identified at time of analysis.

Privilege Escalation Mozilla
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Privilege escalation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.5.1) allows an authenticated user with Agent-level access or higher to chain three independent flaws and overwrite a WordPress Administrator's password without invoking any Administrator-only API. Wordfence-reported flaw with no public exploit identified at time of analysis, though source code locations of all three vulnerable code paths are referenced in the disclosure.

Privilege Escalation WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Local privilege escalation in Nokia SR Linux (multiple release branches prior to 23.10.8, 24.10.6, and 25.7.2) allows an authenticated local user to execute arbitrary commands with superuser (root) privilege. Rooted in CWE-269 (Improper Privilege Management), this flaw enables a user who has already obtained a local session on the network OS to break out of their assigned privilege boundary and gain full control of the system. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, Nokia has confirmed a patch and self-reported the issue.

Privilege Escalation Nokia Nokia Sr Linux
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Local privilege escalation in Nokia SR Linux affects multiple release trains and allows an already-authenticated user holding elevated local privileges to execute arbitrary commands as superuser by exploiting unsanitized format string handling (CWE-134). The attack vector is local and requires high prior privileges (CVSS AV:L/PR:H), significantly limiting the exposure surface compared to a network-exploitable flaw. No public exploit code and no CISA KEV listing have been identified at time of analysis; Nokia has released patches across all affected branch lines.

Privilege Escalation Nokia Sr Linux
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Privilege escalation to SYSTEM in Sony Optical Disc Archive Software for Windows 5.5.3 and earlier arises from incorrect default filesystem permissions (CWE-276), enabling a local low-privileged attacker to plant or replace executable content that the software later runs with SYSTEM-level authority. Reported by JPCERT/CC and tracked under JVN#79926428, the vulnerability is classified as local with passive user interaction required (CVSS 4.0 AV:L/UI:P/AT:P), limiting opportunistic mass exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Privilege Escalation Microsoft RCE +1
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Local privilege escalation and denial of service in HP One Agent software on HP PC products allow authenticated low-privileged users to gain elevated rights or disrupt the agent. HP has acknowledged the issue and is releasing software updates as mitigation. No public exploit identified at time of analysis, and the flaw is not listed on CISA KEV.

Privilege Escalation HP Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in Dokan WordPress plugin versions 5.0.2 and earlier allows authenticated low-privileged customer accounts to elevate their permissions within the multivendor marketplace, potentially gaining vendor or administrative capabilities. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

Privilege Escalation Dokan
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Privilege escalation in the LatePoint WordPress plugin versions 5.5.1 and earlier allows authenticated users holding low-privileged contributor accounts to elevate to higher-privileged roles, according to a Patchstack advisory. CVSS 3.1 scores this 7.5 (High) with full confidentiality, integrity, and availability impact, though high attack complexity and required low privileges constrain trivial exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Privilege Escalation Latepoint
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Unauthenticated privilege escalation in the Listdom WordPress plugin versions 5.5.0 and earlier allows remote attackers to elevate privileges without any authentication or user interaction. The flaw is tracked under CWE-266 (Incorrect Privilege Assignment) and was reported by Patchstack; no public exploit identified at time of analysis. Affected sites running this Webilia-developed directory listing plugin face risk of unauthorized account or capability elevation through exposed plugin endpoints.

Privilege Escalation Listdom
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Amelia booking plugin for WordPress (versions 2.3 and earlier) allows an authenticated low-privileged user (Subscriber role) to gain higher WordPress privileges. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) indicates a network-reachable flaw exploitable with only minimal account access, yielding high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Amelia
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated privilege escalation in the WP BASE Booking WordPress plugin (versions through 5.9.0) allows remote attackers to elevate privileges without credentials, with potential to fully compromise affected WordPress sites. The flaw is rated CVSS 8.1 (high) with no public exploit identified at time of analysis, but the unauthenticated nature and high impact on confidentiality, integrity, and availability make it a notable risk for sites running the plugin.

Privilege Escalation Wp Base Booking
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated privilege escalation in the Datalogics Ecommerce Delivery WordPress plugin (versions ≤ 2.6.62) allows remote attackers to gain elevated privileges on affected WordPress sites without any credentials or user interaction. The flaw, tracked by Patchstack and assigned a CVSS 9.8, enables full compromise of site integrity and confidentiality; no public exploit identified at time of analysis, but the network-reachable, no-auth nature makes opportunistic exploitation likely once details circulate.

Privilege Escalation Datalogics Ecommerce Delivery
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the B Blocks WordPress plugin through version 2.0.31 allows authenticated users with Contributor-level access to elevate their privileges on the affected site. Reported by Patchstack and tracked as EUVD-2026-36965, the issue carries a CVSS 3.1 score of 8.8 reflecting full confidentiality, integrity, and availability impact once a low-privileged WordPress account is obtained. No public exploit identified at time of analysis, but the low attack complexity and lack of required user interaction make weaponization straightforward once an exploitation primitive is published.

Privilege Escalation B Blocks
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in the WooCommerce Cart Abandonment Recovery WordPress plugin before version 2.1.0 allows an authenticated shop manager to elevate privileges beyond their intended role on affected WordPress sites. The flaw, tracked as CWE-266 (Incorrect Privilege Assignment), carries a CVSS 7.2 (High) score and has a vendor-released patch in 2.1.0, with no public exploit identified at time of analysis.

Privilege Escalation WordPress Woocommerce Cart Abandonment Recovery
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated privilege escalation in iControlWP WordPress plugin versions 5.5.3 and earlier allows remote attackers to gain elevated privileges on affected WordPress sites without authentication. Reported by Patchstack and rated CVSS 9.8, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and impacts the worpit-admin-dashboard-plugin distribution. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

Privilege Escalation Icontrolwp
NVD
EPSS 1% CVSS 7.2
HIGH This Week

Privilege escalation in the AI Engine WordPress plugin (Meow Apps) through version 3.4.9 allows authenticated users with Editor-level access to elevate their privileges to Administrator. CVSS rates this 7.2 (High) given high privileges required but full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Privilege Escalation Ai Engine
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Authentication token cache file exposure in Kiro IDE on macOS and Linux allows any local user to read credentials belonging to other users due to world-readable file permissions (0644) instead of the security-appropriate owner-only permissions (0600). All versions before 0.11.133 are affected on UNIX-based platforms; the vulnerability is confirmed by AWS via security bulletin 2026-045 and has been assigned CWE-276 (Incorrect Default Permissions). No public exploit code has been identified at time of analysis, but exploitation requires no technical sophistication - only filesystem read access on a shared system.

Privilege Escalation Apple Kiro Ide
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

DOM Clobbering and HTTP Transfer Cache poisoning in Angular's Client Hydration (provideClientHydration) allows remote attackers to inject arbitrary JSON into the TransferState by hijacking the predictable 'ng-state' element ID. Affected versions are @angular/core 20.x through 22.x prior to the fixes, and the flaw can be leveraged for DOM-based XSS, privilege escalation, or UI hijacking when applications bind untrusted input to element id attributes. No public exploit identified at time of analysis, but a vendor patch and detailed advisory (GHSA-rgjc-h3x7-9mwg) are available.

Privilege Escalation XSS
NVD GitHub VulDB HeroDevs
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the ThemeGrill Masteriyo LMS WordPress plugin (versions up to and including 2.2.0) allows authenticated low-privileged users to elevate their permissions to higher roles, including administrator. The flaw stems from incorrect privilege assignment (CWE-266) and carries a CVSS 8.8 with high confidentiality, integrity, and availability impact across the WordPress instance. No public exploit identified at time of analysis, and the Patchstack disclosure is the sole reference currently available.

Privilege Escalation Masteriyo Lms
NVD
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress XSS +2
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress XSS +2
NVD Exploit-DB
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in multiple Ricoh and Konica Minolta printer drivers on Windows hosts allows an authenticated low-privileged user to gain higher privileges by supplying a specially crafted driver component. The flaw is rooted in CWE-427 (Uncontrolled Search Path Element), and at time of analysis no public exploit identified at time of analysis. CVSS 4.0 of 8.5 reflects high confidentiality, integrity, and availability impact despite requiring local access.

Privilege Escalation Multiple Printer Drivers
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in Iru, Inc Kandji Agent versions prior to 4.7.5(5374) allows a local attacker to invoke restricted agent functionality by exploiting a client-side validation gap. The flaw maps to CWE-269 (Improper Privilege Management) and carries a CVSS 8.4 rating due to high impact on confidentiality, integrity, and availability, though no public exploit identified at time of analysis and EPSS is low at 0.14%.

Privilege Escalation N A
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

Local privilege escalation in Microvirt MEmu Android Emulator 9.2.7.0 allows a low-privileged local user to abuse the MemuService.exe component to gain elevated rights on the host Windows system. Mapped to CWE-269 (Improper Privilege Management), with no public exploit identified at time of analysis and an EPSS score of 0.21% indicating low predicted exploitation likelihood. Researcher PoC repository exists on GitHub (sec-zone/CVE-2026-36213) but active exploitation has not been reported.

Privilege Escalation Google N A
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to create GrafanaDashboard or GrafanaLibraryPanel resources to steal the Kubernetes service account token of the operator manager pod. The jsonnet templating language, supported via spec.jsonnetLib, is evaluated unsandboxed inside the operator manager pod, enabling a path traversal payload to read sensitive files - including the mounted service account token - and exfiltrate it through the resulting dashboard output. No public exploit is identified at time of analysis, but successful exploitation yields cluster-level privilege escalation, reflected in the vendor-assigned CVSS 4.0 subsequent-system impact of SC:H/SI:H.

Grafana Path Traversal Kubernetes +2
NVD VulDB GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.5.3 allows attackers with access to a Slack account to spoof identity by changing their mutable Slack display name to match an allowFrom policy entry, gaining agent access intended for another user. The root cause is authentication binding to a mutable identifier (CWE-290) rather than a stable Slack user ID. No public exploit identified at time of analysis, though an upstream advisory (GHSA-c29c-2q9c-pc86) and VulnCheck writeup describe the flaw in detail.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in MISP (Malware Information Sharing Platform) allows an authenticated organization administrator to target site administrator accounts within their own organization via the administrative email functionality, enabling privileged actions such as triggering a password-reset workflow against a higher-privileged user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. Successful exploitation results in full takeover of the targeted site admin account and complete compromise of the MISP instance.

Privilege Escalation Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Arbitrary file write in kitty terminal versions prior to 0.47.2 allows a child process running inside a kitty session to redirect writes to attacker-controlled filesystem paths. The root cause is a missing O_NOFOLLOW flag in the os.open() call within kitty's file transmission protocol: between the initial symlink validation stat-check and the actual file open, an attacker can insert a symlink, causing the write to follow it to an arbitrary destination - a classic TOCTOU race. No public exploit code exists and EPSS sits at 0.01% (1st percentile), indicating no observed exploitation; however, successful exploitation enables high-integrity-impact file overwrites that can facilitate local privilege escalation. Version 0.47.2 resolves the issue.

Privilege Escalation Kitty Suse
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-tenant container deletion in the Radius Kubernetes controller (versions <= v0.57.1) allows a tenant with Deployment annotation-edit rights to coerce the high-privilege controller into deleting another tenant's container resource by injecting a forged radapp.io/status JSON blob. The flaw is a classic Confused Deputy (CWE-441/CWE-20) that yields an availability-only impact, is most severe in multi-tenant installs, and currently has publicly available exploit code via the GHSA advisory but no public exploit identified at time of analysis in CISA KEV.

Privilege Escalation Nginx Kubernetes
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation in Zoom Workplace mobile clients (Android before 7.0.4, iOS before 7.0.3) stems from improper authorization in the handler for a custom URL scheme, allowing a remote attacker to elevate privileges over network access. The CVSS 8.1 rating reflects high confidentiality and integrity impact with low-complexity exploitation, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Google Privilege Escalation Apple +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Privilege escalation in the Zoom Workplace mobile app (Android before 7.0.4, iOS before 7.0.3) stems from improper authorization in the handler that processes the app's custom URL scheme, allowing an unauthenticated actor to elevate privileges via network access. Zoom self-reported and patched the flaw, and no public exploit identified at time of analysis; EPSS remains very low (0.04%, 12th percentile) and CISA SSVC marks exploitation as none, indicating no observed activity despite the 9.8 CVSS score.

Google Privilege Escalation Apple +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Remote Control for Zoom Contact Center for Windows prior to version 7.0.0 allows an authenticated user with local access to elevate privileges due to insufficient verification of data authenticity. The flaw, reported by Zoom and tracked in bulletin ZSB-26009, carries a CVSS 3.1 base score of 7.8 (High) with no public exploit identified at time of analysis. Exploitation requires existing local authenticated access, which limits opportunistic abuse but makes this a strong post-compromise pivot on workstations running the Zoom Contact Center remote control component.

Privilege Escalation Microsoft Remote Control For Zoom Contact Center
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on affected UniFi OS devices and instances due to improper input validation (CWE-20). The CVSS 9.9 score reflects a scope-changing impact spanning UniFi Dream Machine, UniFi Express, UDR, UCG, UNVR, UNAS, and other UniFi OS Server platforms. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Privilege Escalation Ubiquiti Unifi Os Server +31
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Privilege escalation in phpBB allows an authenticated administrator with limited rights to grant themselves permissions beyond their authorized scope through the Administration Control Panel (ACP), enabling elevation to full administrative control over the forum. The flaw stems from improper verification of access permissions when permissions are modified via the ACP, and no public exploit identified at time of analysis. With CVSS 7.2 (PR:H) and no KEV listing, this is a meaningful but not panic-level risk that primarily threatens multi-admin phpBB deployments where administrative duties are intentionally segmented.

Authentication Bypass Privilege Escalation Phpbb
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in the Hippoo Mobile App for WooCommerce WordPress plugin (versions up to and including 1.9.4) allows remote unauthenticated attackers to elevate privileges on affected sites due to incorrect privilege assignment (CWE-266). With a CVSS 3.1 score of 9.8 and Patchstack-reported network-exploitable characteristics, this issue can lead to full compromise of WooCommerce-backed WordPress stores; no public exploit identified at time of analysis.

Privilege Escalation WordPress Hippoo Mobile App For Woocommerce
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the Headless component sandbox via a crafted HTML page. The flaw is rated High severity by Chromium and carries CVSS 9.6 due to scope change and user interaction, though EPSS remains very low (0.03%) and there is no public exploit identified at time of analysis. A vendor patch is available in the stable channel update published June 2026.

Privilege Escalation Google Red Hat
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome on Windows prior to 149.0.7827.115 stems from an inappropriate implementation in the Mojo IPC layer, allowing a local attacker who can place a malicious file on the system to elevate to OS-level privileges. The flaw is rated High severity by Chromium and carries CVSS 8.8, with a vendor patch available and no public exploit identified at time of analysis.

Privilege Escalation Microsoft Google
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.5.20 allows attackers holding a valid hook token to invoke owner-only MCP tools through the /hooks/agent endpoint, because hook-triggered agent runs are incorrectly granted owner-scoped MCP loopback authority. Successful exploitation lets a low-privileged hook caller execute privileged actions such as modifying persistent cron state, with no public exploit identified at time of analysis.

Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.5.7 allows authenticated Matrix users to impersonate other identities by manipulating their mutable display name to match policy entries in the allowFrom feature. The flaw stems from authentication relying on a user-controlled attribute (CWE-290), letting attackers receive agent access intended for another Matrix identity. No public exploit identified at time of analysis, but a vendor patch and VulnCheck advisory are available.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Local privilege escalation in CyberArk (Idira) Endpoint Privilege Manager Agent versions prior to 26.5 allows low-privileged users on Windows, macOS, and Linux endpoints to abuse improper access controls in high-privileged agent components and execute actions with elevated privileges. The flaw was reported by Palo Alto Networks (CyberArk's parent) and addressed in agent version 26.5.0, with no public exploit identified at time of analysis. Because EPM is itself a privilege-management control, a bypass directly undermines the security posture of every endpoint where it is deployed.

Privilege Escalation Idira Endpoint Privilege Manager
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Apple macOS Sequoia prior to 15.4 allows a locally executing application to bypass launch constraint protections and run malicious code with elevated privileges. The flaw, reported by Apple and tracked as EUVD-2025-210116, carries CVSS 7.8 (local, low complexity, low privileges) and CWE-269 improper privilege management, with no public exploit identified at time of analysis and CISA SSVC marking exploitation status as 'none'.

Privilege Escalation Apple
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Check Point Identity Agent Full for Windows allows an authenticated local user to execute arbitrary code with SYSTEM privileges through improper executable resolution during the log collection process. The flaw is a classic CWE-427 uncontrolled search path issue, and no public exploit has been identified at time of analysis. Exploitation is constrained to attackers who already have a foothold on the endpoint but provides a reliable path to full SYSTEM compromise.

Checkpoint Privilege Escalation Microsoft +1
NVD VulDB
EPSS 0%
HIGH POC PATCH This Week

Local arbitrary code execution in PDM (Python Development Master) versions <= 2.26.9 allows attacker-controlled repositories to execute Python code under the invoking user's privileges when any pdm command (even `pdm --version`) is run inside a malicious checkout. The root cause is implicit loading of project-local `.pdm-plugins` via `site.addsitedir()`, which processes `.pth` files containing executable `import` statements before CLI parsing. Publicly available exploit code exists in the advisory PoC, and CWE-94 code injection is confirmed; no public exploit identified at time of analysis as actively used in the wild.

Python Privilege Escalation Code Injection +2
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Privilege escalation in Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances allows an authenticated CLI administrator to perform operations at the root OS level, bypassing intended privilege boundaries through a missing authorization control (CWE-862). The risk is substantially gated by the requirement for existing administrative CLI access (CVSS PR:H), making insider threats and compromised admin credentials the primary real-world attack paths. No public exploits or confirmed active exploitation have been identified at time of analysis, and the vendor's own E:U supplemental metric reinforces the low exploitation urgency - though root-level OS access to a firewall represents a severe impact if the prerequisite is met.

Privilege Escalation Authentication Bypass Paloalto +3
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Privilege escalation in Palo Alto Networks Prisma Access Agent on Linux allows a locally authenticated low-privileged user to execute arbitrary code with elevated privileges, achieving full confidentiality, integrity, and availability compromise of the affected system. The vulnerability is rooted in CWE-732 (Incorrect Permission Assignment for Critical Resource) and is strictly scoped to Linux deployments - the Windows, macOS, iOS, Android, and ChromeOS agent variants are confirmed unaffected by the vendor. No public exploit code has been identified at time of analysis, and the CVSS 4.0 supplemental metric E:U (Exploitation Unlikely) further tempers immediate mass-exploitation risk, though the complete local system impact warrants timely patching for multi-user Linux environments.

Microsoft Apple Paloalto +3
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Local privilege escalation in Broadcom's Symantec Endpoint Protection CleanWipe Removal Tool for macOS, versions prior to 16.0.0.65, allows a local attacker to gain administrative control of the affected system. The vulnerability is rooted in CWE-250 (Execution with Unnecessary Privileges), a class where a process operates with more permissions than its function requires, creating an elevation pathway. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog; however, the full confidentiality, integrity, and availability impact on the vulnerable component (VC:H/VI:H/VA:H) underscores the severity of a successful exploitation.

Apple Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.25.0 allows a tenant with permission to create Function or Environment CRDs to obtain CAP_SYS_TIME inside function/runtime containers by bypassing an incomplete capability denylist in the ValidatePodSpecSafety admission webhook. The denylist only blocked six Linux capabilities (SYS_ADMIN, NET_ADMIN, SYS_PTRACE, SYS_MODULE, DAC_READ_SEARCH, DAC_OVERRIDE) and omitted CAP_SYS_TIME and others, letting tenant-controlled code modify the container's system clock. No public exploit identified at time of analysis, but the upstream patch and CRD diff are publicly visible in fission/fission PR #3465.

Privilege Escalation Kubernetes
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

Privilege escalation in Fission prior to version 1.24.0 allows a tenant holding environments.fission.io create/update RBAC to define Environment custom resources with privileged, allowPrivilegeEscalation, or dangerous Linux capabilities on the bare Runtime.Container or Builder.Container fields, which bypass the existing PodSpec safety validator and get scheduled under the executor's high-privilege service account. Successful abuse enables container-sandbox escape, host filesystem and network access, and node- or cluster-level compromise. No public exploit identified at time of analysis, but the upstream fix is published in v1.24.0.

Privilege Escalation Kubernetes Fission
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Kubernetes service account token exposure in Fission serverless framework prior to v1.24.0 allows authenticated high-privilege users to escalate cluster privileges via a malicious builder image. Builder pods were created with ServiceAccountName set to fission-builder but without AutomountServiceAccountToken: false, causing the Kubernetes kubelet to automatically inject the fission-builder service account credential into every container in the pod - including untrusted, user-supplied builder images. An attacker with sufficient Fission privileges to register or modify builder environments can exploit this to read the mounted token and authenticate directly to the Kubernetes API using the fission-builder service account's RBAC permissions. No public exploit identified at time of analysis; vendor-released patch is available in v1.24.0.

Privilege Escalation Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with Environment CRD write access to escape the container sandbox and reach node- or cluster-level privileges by setting unfiltered fields in spec.runtime.podSpec or spec.builder.podSpec. Because the fission-executor and fission-builder service accounts schedule pods on the tenant's behalf, attacker-controlled values for hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName are merged into pod specs without validation. No public exploit identified at time of analysis, but the patch's hardening scope (also closing GHSA-wmgg-3p4h-48x7 and GHSA-v455-mv2v-5g92) shows the issue is broader than a single field.

Privilege Escalation Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with Function CRUD permissions to supply an arbitrary Function.spec.podspec that the Container Executor merges into the executor-built podspec, resulting in a Deployment whose pods can break the container sandbox and reach node or cluster level. No public exploit identified at time of analysis, but the upstream fix (PR #3391) explicitly enumerates host namespaces, privileged contexts, hostPath mounts, service account overrides, and dangerous Linux capabilities as the abused fields. CVSS 9.9 with scope change (S:C) reflects that a low-privilege tenant can pivot beyond its own RBAC boundary.

Privilege Escalation Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation in Fission prior to 1.24.0 allows an authenticated user with permission to create or modify Environment custom resources to abuse unvalidated podSpec passthrough fields (Environment.spec.runtime.podSpec and spec.builder.podSpec), causing MergePodSpec to propagate dangerous fields - notably AutomountServiceAccountToken - into the generated builder/runtime pods. Because the fission-builder ServiceAccount token then becomes accessible from a user-supplied container, an attacker can pivot from a Fission tenant into broader Kubernetes cluster privileges (CVSS 9.9, Scope:Changed). No public exploit identified at time of analysis.

Privilege Escalation Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Apache OFBiz versions prior to 24.09.07 allows a low-privileged authenticated user to elevate their permissions to a higher-privileged role, leading to full compromise of confidentiality, integrity, and availability of the ERP system. The flaw is rooted in improper authorization (CWE-285) and is exploitable remotely over the network with low complexity once valid low-tier credentials are held. No public exploit identified at time of analysis, and EPSS scoring (0.02%) plus CISA SSVC (Exploitation: none) suggest no observed exploitation activity yet.

Privilege Escalation Apache Authentication Bypass +1
NVD VulDB
EPSS 0%
HIGH PATCH This Week

Drift-detection logic flaw in the @hulumi/drift npm package (versions < 1.4.0) causes the verdict classifier to conflate adapter failure with a clean result, producing cached false-negative 'None / none' verdicts for up to six hours and false-positive incident-severity 'Mixed / high' or 'ConsoleBreakGlass / high' verdicts based on probe liveness rather than CloudTrail evidence. Consumers running drift detection in CI or cron pipelines could silently miss real console-break-glass mutations or be paged on routine provider-version churn. No public exploit identified at time of analysis; the issue is a CWE-755 improper-exception-handling defect rather than a remote attack primitive.

Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in Slate Digital Connect 1.37.0 for macOS allows unprivileged users on the host to gain root-level capabilities by abusing a TOCTOU race in the privileged helper's XPC client validation. The com.slatedigital.connect.privileged.helper.tool2 service identifies callers by PID and then queries code-signing information, but PID reuse lets an attacker substitute a trusted process between check and use. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the technical pattern is well-known on macOS and a SEC Consult advisory describes the flaw in detail.

Apple Authentication Bypass Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in Slate Digital Connect 1.37.0 for macOS allows unprivileged users to execute commands as root by connecting to the privileged XPC helper service with a self-signed certificate whose subject OU matches the expected value. The flaw stems from improper certificate validation (CWE-296) in the helper's client authorization logic, which fails to verify the certificate chains to a trusted code-signing authority. No public exploit is identified in CISA KEV at time of analysis, and EPSS reflects very low (0.01%) near-term exploitation probability, but a detailed vendor-lab advisory is publicly available.

Apple Authentication Bypass Privilege Escalation
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated privilege escalation in the Doctreat Core WordPress plugin (versions ≤ 1.6.8) allows remote attackers to register accounts directly as administrators by abusing insufficient role validation in the doctreat_process_registration() function. With a CVSS of 9.8 and trivial exploitability (AV:N/AC:L/PR:N/UI:N), full site takeover is possible without credentials, though no public exploit has been identified at time of analysis and the CVE is not currently listed in CISA KEV.

Privilege Escalation WordPress
NVD VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Local privilege escalation in the ansible.posix collection's authorized_key module allows an unprivileged local user to redirect root-owned file ownership changes to arbitrary system paths via symlink attacks in ~/.ssh. The module's keyfile() function calls os.chown() instead of os.lchown() and omits O_NOFOLLOW when opening files, so a pre-staged symlink is followed during privileged execution. No public exploit identified at time of analysis, but the technique is a well-understood TOCTOU/symlink class with a moderate-to-high CVSS (7.3).

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Omnissa Workspace ONE Assist for macOS allows an authenticated local user with low privileges to escalate to higher privileges through a path traversal weakness (CWE-22). The flaw carries a CVSS 7.8 (High) rating with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. The vulnerability is tracked under Omnissa advisory OMSA-2026-0001 and is specific to the macOS build of the Assist remote-support agent.

Apple Path Traversal Privilege Escalation
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local privilege escalation in Waves Central for macOS (13.0.9 through 16.5.5) allows an unprivileged local user to gain root code execution by exploiting a time-of-check/time-of-use race in the privileged helper's XPC client validation. The helper trusts the connecting process's PID to verify code-signing identity, but PID reuse permits an attacker-controlled process to masquerade as a legitimate Waves client. SSVC reports a public proof-of-concept exists; the issue is not listed in CISA KEV.

Apple Privilege Escalation RCE
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Waves Central for macOS versions 13.0.9 through 16.5.5 allows an unprivileged user to gain root code execution by injecting a malicious dylib into a trusted XPC client process via DYLD_INSERT_LIBRARIES. The injected code then abuses the product's privileged helper service to perform operations as root. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%), consistent with a local-only macOS desktop attack surface.

Apple RCE Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel's net/sched act_ct traffic control action stems from a use-after-free in tcf_ct_flow_table_get(), where rhashtable_lookup_fast() releases the RCU read lock before refcount_inc_not_zero() can pin the returned ct_ft object. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but Trend Micro ZDI provided detailed root-cause analysis and stable-tree patches are merged across 5.10 through 6.18 lines. Successful exploitation grants attacker-controlled kernel memory access enabling privilege escalation to root.

Trend Micro Linux Privilege Escalation +2
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection and privilege escalation in TYPO3 CMS 14.0.0 through 14.3.3 allow authenticated backend users holding write permissions on the form_definition table to bypass the Form Framework's persistence validation by submitting form configurations directly through DataHandler. Successful exploitation re-opens the attack class originally fixed in TYPO3-CORE-SA-2018-003, enabling injection of arbitrary form configurations that yield SQLi and elevation of privileges. No public exploit identified at time of analysis; not listed in CISA KEV.

Privilege Escalation SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Local privilege escalation in Siemens SINEC INS (versions prior to V1.0 SP2 Update 6) stems from a binary shipped with the Linux cap_dac_override capability, which bypasses filesystem discretionary access control checks. An authenticated local attacker can leverage this overly broad capability to read or modify any file on the system, ultimately obtaining root. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Sinec Ins
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Events Calendar for GeoDirectory WordPress plugin (versions up to and including 2.3.28) allows authenticated Subscriber-level users to elevate to Administrator by abusing the ajax_ayi_action() AJAX handler, which writes attacker-controlled POST parameters directly into the wp_capabilities user meta key. The flaw stems from insufficient input filtering (strip_tags/esc_sql with no allow-list) on the type and postid fields before they reach update_user_meta(), enabling an attacker to set their own role to administrator. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation WordPress
NVD
EPSS 0% CVSS 3.6
LOW Monitor

Permission control weakness in the service notifications component of Huawei HarmonyOS and EMUI allows a local, unprivileged attacker - with user interaction - to partially degrade availability across a changed scope boundary. Rooted in CWE-264 (Permissions, Privileges, and Access Controls), the flaw permits improper manipulation of notification service permissions, with impact reaching beyond the immediately vulnerable component as indicated by the CVSS Scope:Changed attribute. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; the low CVSS score of 3.6 reflects constrained real-world impact limited to availability.

Privilege Escalation Emui
NVD
EPSS 0%
HIGH PATCH This Week

Cross-site request forgery in nebula-mesh's admin web UI (versions <= 0.3.2) lets a remote attacker trigger privileged operator actions - CA signing, API key minting, operator disablement, server-setting changes, and forced logout - when a logged-in operator visits an attacker-controlled page. SameSite=Lax on the session cookie does not block top-level cross-site form POSTs, sibling-subdomain attackers, or the GET /ui/logout route, so the impact is privilege escalation rather than nuisance. No public exploit identified at time of analysis beyond the working reproducer in the advisory itself.

CSRF XSS Privilege Escalation
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation and cross-tenant resource takeover in juev/nebula-mesh versions prior to v0.3.4 allow any authenticated low-privilege operator to mint admin API keys, hijack other operators' hosts via the reenroll endpoint, and perform unauthorized CRUD across hosts, networks, and firewall rules. The `/api/v1/*` route surface trusts the bearer token for authorization without enforcing per-CA ownership checks that the Web UI applies, breaking the per-operator CA tenancy model from ADR 0002. No public exploit identified at time of analysis, though a detailed exploit chain with working curl commands is published in the GHSA advisory.

Authentication Bypass Privilege Escalation
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Privilege escalation in Apache HTTP Server 2.4.0 through 2.4.67 allows local users with .htaccess write access to read arbitrary files using the privileges of the httpd daemon process, exploiting improper privilege management (CWE-269). The attack vector is local, requires low privileges, and impacts only confidentiality - no integrity or availability impact is present. No public exploit code and no active exploitation have been identified; SSVC classifies technical impact as partial and the vulnerability as non-automatable, consistent with the targeted, local nature of the attack.

Privilege Escalation Apache Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Privilege escalation in the Booking Package plugin for WordPress (versions up to and including 1.7.16) allows authenticated attackers with Editor-level access or above to take over any account, including Administrator accounts, by abusing the 'updateUser' branch of the package_app_action AJAX endpoint. The handler validates only a nonce and passes a hard-coded administrator flag to Schedule::updateUser(), letting attackers supply arbitrary target user IDs to wp_update_user() and reset the email and password of any account. No public exploit identified at time of analysis, but the issue was disclosed by Wordfence and results in full site compromise once an Editor account is obtained.

Authentication Bypass Privilege Escalation WordPress
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Local privilege escalation in clash-verge-service-ipc before 2.3.0 allows unprivileged local users on macOS and Linux to interact with a world-reachable IPC socket exposed by the privileged Clash Verge service, enabling them to invoke service operations that run with elevated rights. The upstream fix (PR #23) restricts IPC permissions to 0750 on the directory and 0660 on the socket, and the patched dependency was incorporated into the Clash Verge Rev desktop client. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Privilege Escalation Clash Verge Service Ipc
NVD GitHub VulDB
Prev Page 4 of 148 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy