Privilege Escalation
Monthly
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by loading a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA Megatron Bridge contains a vulnerability in a data shuffling tutorial, where malicious input could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA Megatron Bridge contains a vulnerability in a data merging tutorial, where malicious input could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework contains a vulnerability where malicious data created by an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
Unauthorized data modification in YayMail WooCommerce Email Customizer WordPress plugin allows unauthenticated attackers to modify email templates, potentially enabling phishing attacks against customers.
Enforce Recovery Key Portal is affected by incorrect permission assignment for critical resource (CVSS 6.5).
Dell RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 contains hardcoded credentials (CVE-2026-22769, CVSS 10.0) that allow unauthenticated remote attackers with knowledge of the credentials to gain root-level access to the underlying operating system. KEV-listed, this vulnerability exposes disaster recovery infrastructure to complete compromise, potentially affecting the integrity of backup and replication data.
Improper file permissions on system binaries in Glory RBG-100 recycler systems running ISPK-08 software allow local attackers to overwrite root-owned executables and achieve privilege escalation. An unprivileged user with local access can modify these world-writable binaries to execute arbitrary commands with root privileges. No patch is currently available for this vulnerability.
Malwarebytes AdwCleaner before v.8.7.0 runs as Administrator and performs an insecure log file delete operation in which the target location is user-controllable, allowing a non-admin user to escalate privileges to SYSTEM via a symbolic link, a related issue to CVE-2023-28892. [CVSS 8.7 HIGH]
Remote privilege escalation in JingDong JD Cloud Box AX6600 firmware through improper access controls in the jdcapp_rpc service allows authenticated attackers to escalate privileges over the network. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. The issue affects firmware versions up to 4.5.1.r4533 with no patch currently available.
Ax6600 Firmware versions up to 4.5.1. contain a vulnerability that allows remote privilege escalation (CVSS 6.3).
Remote privilege escalation in JingDong JD Cloud Box AX6600 firmware (up to version 4.5.1.r4533) allows authenticated remote attackers to escalate privileges through manipulation of the web_get_ddns_uptime function in the jdcweb_rpc component. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.
Flos Freeware Notepad2 versions 4.2.22 through 4.2.25 contain an uncontrolled search path vulnerability in Msimg32.dll that allows local attackers with user-level privileges to achieve code execution and system compromise. Exploitation requires high complexity and local access, but successful attacks can result in complete system confidentiality, integrity, and availability breaches. No patch is currently available, and the vendor has not responded to disclosure attempts.
eNet SMART HOME server has a privilege escalation vulnerability enabling low-privileged users to gain admin access to the home automation system.
eNet Smart Home server versions 2.2.1 and 2.3.1 suffer from missing authorization checks in the resetUserPassword JSON-RPC method, allowing any authenticated low-privileged user to reset passwords for administrative accounts without proper verification. Public exploit code exists for this vulnerability, enabling attackers to achieve immediate privilege escalation and gain full administrative control over the smart home system. No patch is currently available, leaving deployed instances vulnerable to account takeover attacks.
Unidocs ezPDF DRM/Reader versions 2.0 and 3.0.0.4 on 32-bit systems contain an untrusted search path vulnerability in SHFOLDER.dll that could allow a local attacker with limited privileges to achieve arbitrary code execution through DLL hijacking. Public exploit code exists for this vulnerability, though exploitation is complex and requires local access. No patch is currently available from the vendor.
Ecwid by Lightspeed Ecommerce Shopping Cart (WordPress plugin) versions up to 7.0.7. are affected by improper privilege management (CVSS 8.8).
Privilege escalation in Truelysell Core WordPress plugin <= 1.8.7. Insufficient role validation allows elevation.
Privilege escalation in the Magic Login Mail or QR Code WordPress plugin (versions up to 2.05) allows unauthenticated attackers to hijack any user account, including administrator accounts, by exploiting a race condition in QR code file handling. The plugin creates QR code login images with predictable filenames in the public uploads directory and fails to delete them immediately after email transmission, enabling attackers to intercept the encoded login URLs. An attacker can trigger login requests for arbitrary users and extract valid authentication tokens during the window before file cleanup occurs.
The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srm_restore_options_defaults' function in all versions up to, and including, 3.1.19. [CVSS 8.8 HIGH]
Local privilege escalation in Calero VeraSMART versions before 2026 R1 stems from hardcoded AES encryption keys embedded in Veramark.Framework.dll that protect service account credentials stored in app.settings. An attacker with local system access can extract these static keys, decrypt the stored passwords, and use the recovered credentials to authenticate as the service account, potentially gaining elevated privileges depending on that account's permissions. No patch is currently available for this vulnerability.
Local privilege escalation in Genetec Sipelia Plugin. An authenticated low-privileged Windows user could exploit this vulnerability to gain elevated privileges on the affected system.
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables module allows local attackers with unprivileged access to cause memory corruption and denial of service through an inverted logic check in catchall map element activation during failed transactions. The flaw occurs in nft_map_catchall_activate() which incorrectly processes already-active elements instead of inactive ones, potentially leading to privilege escalation or system crash. No patch is currently available.
Flexcity versions before 1.0.36 contain an authentication bypass vulnerability that allows authenticated users to escalate their privileges through an alternate access path. An attacker with valid credentials can exploit this flaw to gain unauthorized elevated access to the system. No patch is currently available.
Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36. [CVSS 8.8 HIGH]
Intego Personal Backup, a macOS backup utility that allows users to create scheduled backups and bootable system clones, contains a local privilege escalation vulnerability.
Intego Log Reporter, a macOS diagnostic utility bundled with Intego security products that collects system and application logs for support analysis, contains a local privilege escalation vulnerability.
FrankenPHP versions prior to 1.11.2 fail to properly isolate session data between worker requests, enabling cross-user session fixation where an attacker can read sensitive $_SESSION information intended for other users. This high-severity flaw affects multi-request worker mode deployments and has public exploit code available. A patched version 1.11.2 is available and should be deployed immediately.
NextVPN 4.10 contains an insecure file permissions vulnerability that allows local users to modify executable files with full access rights. Attackers can replace system executables with malicious files to gain SYSTEM or Administrator privileges through unauthorized file modification. [CVSS 7.8 HIGH]
A DLL hijacking vulnerability in Doc Nav could allow a local attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. [CVSS 7.3 HIGH]
FreePBX versions up to 17.0.5 contain a vulnerability that allows attackers to forge a valid JWT with full access to the REST and GraphQL APIs on a FreePBX tha (CVSS 7.5).
Heap buffer overflow in the pg_trgm extension of PostgreSQL 18.0 and 18.1 allows authenticated database users to trigger memory corruption through specially crafted input strings. An attacker with database access could potentially achieve privilege escalation or cause service disruption, though exploit complexity is currently limited by restricted control over written data. No patch is currently available.
M-Track Duo HD version 1.0.0 installer is vulnerable to DLL hijacking due to improper library search path handling, enabling local attackers to execute arbitrary code with administrator privileges. An attacker with local access and user interaction can exploit this vulnerability by placing malicious DLLs in predictable locations to gain full system compromise. No patch is currently available for this high-severity vulnerability.
Vulnerabilities in the My Account and User Management components in CIPPlanner CIPAce before 9.17 allow attackers to escalate their access levels. [CVSS 8.8 HIGH]
D-Link products using BusyBox are vulnerable to privilege escalation through malicious tar archives containing unvalidated symlink or hardlink entries that extract files outside the intended directory. An attacker with local access can create a specially crafted archive to modify critical system files when extraction occurs with elevated privileges, potentially gaining unauthorized system access. No patch is currently available for this vulnerability.
Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a privilege escalation vulnerability exists in the Outline document management system due to inconsistent authorization checks between user and group membership management endpoints. [CVSS 7.6 HIGH]
Incorrect permission assignment in AMD µProf may allow a local user-privileged attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.
A DLL hijacking vulnerability in Vivado could allow a local attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. [CVSS 7.3 HIGH]
A DLL hijacking vulnerability in the AMD Software Installer could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. [CVSS 7.8 HIGH]
The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access t...
A buffer overflow in the AMD Secure Processor (ASP) bootloader could allow an attacker to overwrite memory, potentially resulting in privilege escalation and arbitrary code execution.
Windows Remote Desktop contains an improper privilege management vulnerability (CVE-2026-21533, CVSS 7.8) enabling authorized local attackers to escalate to SYSTEM. KEV-listed, this vulnerability in the RDP subsystem is particularly concerning in environments where Remote Desktop is widely used, as it can be chained with RDP session access for complete system compromise.
Incorrect default permissions for some Intel(R) Chipset Software before version 10.1.20266.8668 or later. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present with...
Incorrect default permissions for some Intel(R) Memory and Storage Tool before version 2.5.2 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special i...
Incorrect permission assignment for critical resource for some System Firmware Update Utility (SysFwUpdt) for Intel(R) Server Boards and Intel(R) Server Systems Based before version 16.0.12. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. This result ...
Missing protection mechanism for alternate hardware interface in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow an escalation of privilege. [CVSS 7.9 HIGH]
Improper conditions check in some firmware for some Intel(R) NPU Drivers within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data corruption. [CVSS 3.3 LOW]
Incorrect default permissions for some Intel(R) Graphics Driver software within Ring 2: Privileged Process may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. [CVSS 6.7 MEDIUM]
Uncontrolled search path for some AI Playground before version 2.6.1 beta within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowl...
Graphics Software versions up to 25.30.1702.0 contain a vulnerability that allows an escalation of privilege (CVSS 6.7).
Incorrect default permissions for some Intel(R) Battery Life Diagnostic Tool within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. [CVSS 6.7 MEDIUM]
Improper handling of values in the microcode flow for some Intel(R) Processor Family may allow an escalation of privilege. Startup code and SMM adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. [CVSS 3.9 LOW]
Race condition for some TDX Module within Ring 0: Hypervisor may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. [CVSS 7.9 HIGH]
Improper input validation for some Server Firmware Update Utility(SysFwUpdt) before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. [CVSS 8.2 HIGH]
Improper buffer restrictions in the firmware for the TDX Module may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. [CVSS 4.7 MEDIUM]
Incorrect default permissions for the Intel(R) Optane(TM) PMem management software before versions CR_MGMT_01.00.00.3584, CR_MGMT_02.00.00.4052, CR_MGMT_03.00.00.0538 within Ring 3: User Applications may allow an escalation of privilege. [CVSS 6.7 MEDIUM]
Improper input validation for some Server Firmware Update Utility(SysFwUpdt) before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable local code execution. [CVSS 7.5 HIGH]
Uncontrolled search path in some software installer for some VTune(TM) Profiler software and Intel(R) oneAPI Base Toolkits before version 2025.0. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access w...
Improper conditions check for the Intel(R) Optane(TM) PMem management software before versions CR_MGMT_02.00.00.4052, CR_MGMT_03.00.00.0538 within Ring 3: User Applications may allow an escalation of privilege. [CVSS 6.7 MEDIUM]
Arbitrary code execution with SYSTEM privileges in SINEC NMS User Management Component (all versions prior to V2.15.2.1) stems from improper access controls allowing low-privileged users to modify configuration files and load malicious DLLs. An authenticated attacker can exploit this to achieve complete system compromise. No patch is currently available.
Arbitrary code execution in Siemens SINEC NMS versions prior to V4.0 SP2 can be achieved when a low-privileged user modifies configuration files to load malicious DLLs, resulting in administrative privilege execution. This local vulnerability affects all current deployments and currently has no available patch. An authenticated attacker with local access can exploit this to gain full system compromise.
AXIS Camera Station Pro contained a flaw that allowed a non-admin user to perform a privilege escalation attack on the server. [CVSS 7.8 HIGH]
SAP Business Workflow contains an authorization bypass that allows authenticated administrators to escalate privileges by misusing permissions from lower-sensitivity functions to perform unauthorized high-privilege operations. An attacker with admin credentials can exploit this flaw to compromise data integrity, though confidentiality and availability impacts are limited. No patch is currently available for this vulnerability.
Insufficient authorization checks in SAP Fiori App Manage Service Entry Sheets allow authenticated users to escalate privileges and modify data they should not have access to. The vulnerability affects SAP S/4HANA Core installations and requires user authentication to exploit, limiting the immediate risk but potentially enabling insider threats or account compromise scenarios.
Unauthorized option modification in WCFM - Frontend Manager for WooCommerce up to version 6.7.24 allows authenticated Shop Manager-level users to bypass capability checks and alter arbitrary WordPress settings. An attacker with these privileges can exploit this to change the default registration role to administrator and enable user registration, gaining full admin access to the site. No patch is currently available for this vulnerability.
Endpoint Configuration Toolset Solution is affected by improper link resolution before file access (CVSS 7.8).
Privilege escalation in Cube.js versions 0.27.19 through 1.5.12 allows authenticated attackers to craft specially designed API requests that bypass access controls and gain elevated privileges within the application. This vulnerability affects Cube.js semantic layer deployments and requires only a valid API token to exploit, making it a risk to multi-tenant or role-based access control implementations. No patch is currently available for this HIGH severity issue.
Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools. [CVSS 7.8 HIGH]
Tanium addressed a local privilege escalation vulnerability in Tanium Server. [CVSS 6.7 MEDIUM]
Tanium addressed a local privilege escalation vulnerability in Tanium Module Server. [CVSS 6.7 MEDIUM]
Craft CMS versions 4.0.0-RC1 to 4.17.0 and 5.0 to 5.9.0 contain a privilege escalation vulnerability in the GraphQL API that allows authenticated users with write access to one asset volume to modify or transfer assets across any other volume, including restricted ones they should not access. The vulnerability stems from insufficient authorization validation in the saveAsset mutation, which verifies permissions against the intended volume but fails to confirm the target asset actually belongs to that volume. An attacker with limited asset write permissions can exploit this to gain unauthorized access to and manipulate sensitive assets in protected volumes.
A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). [CVSS 5.4 MEDIUM]
GIGABYTE MacroHub improperly executes external applications with elevated privileges, enabling authenticated local users to achieve arbitrary code execution with SYSTEM-level access. This local privilege escalation affects MacroHub users on Windows systems and could allow attackers to fully compromise affected machines. No patch is currently available.
The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. [CVSS 8.8 HIGH]
Privilege escalation in JAY Login & Register WordPress plugin allows unauthenticated attackers to register as administrators. All versions up to 1.1.6 affected.
SprintWork 2.3.1 contains multiple local privilege escalation vulnerabilities through insecure file, service, and folder permissions on Windows systems. [CVSS 6.2 MEDIUM]
Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code execution outside the intended sandbox boundary.
Local privilege escalation vulnerability via insecure temporary batch file execution in ESET Management Agent [CVSS 6.7 MEDIUM]
HarmonyOS versions up to 6.0.0 are affected by a permissions, privileges, and access controls vulnerability (CVSS 6.1).
Permission control vulnerability in the AMS module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.2 MEDIUM]
HarmonyOS versions up to 5.1.0 are affected by a permissions, privileges, and access controls vulnerability (CVSS 5.9).
HarmonyOS versions up to 6.0.0 are affected by a permissions, privileges, and access controls vulnerability (CVSS 6.3).
Missing bounds check in Android VPU (Video Processing Unit) driver's vpu_mmap allows arbitrary address memory mapping, potentially leading to local privilege escalation on Android devices.
Tanium addressed an incorrect default permissions vulnerability in Enforce. [CVSS 6.5 MEDIUM]
Tanium addressed an incorrect default permissions vulnerability in Benchmark. [CVSS 6.5 MEDIUM]
Tanium addressed an incorrect default permissions vulnerability in Comply. [CVSS 6.5 MEDIUM]
Tanium addressed an incorrect default permissions vulnerability in Discover. [CVSS 6.5 MEDIUM]
Tanium addressed an incorrect default permissions vulnerability in Partner Integration. [CVSS 6.5 MEDIUM]
Tanium addressed an incorrect default permissions vulnerability in Patch. [CVSS 6.5 MEDIUM]
Tanium addressed an incorrect default permissions vulnerability in Performance. [CVSS 6.5 MEDIUM]
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by loading a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA Megatron Bridge contains a vulnerability in a data shuffling tutorial, where malicious input could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA Megatron Bridge contains a vulnerability in a data merging tutorial, where malicious input could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework contains a vulnerability where malicious data created by an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
Unauthorized data modification in YayMail WooCommerce Email Customizer WordPress plugin allows unauthenticated attackers to modify email templates, potentially enabling phishing attacks against customers.
Enforce Recovery Key Portal is affected by incorrect permission assignment for critical resource (CVSS 6.5).
Dell RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 contains hardcoded credentials (CVE-2026-22769, CVSS 10.0) that allow unauthenticated remote attackers with knowledge of the credentials to gain root-level access to the underlying operating system. KEV-listed, this vulnerability exposes disaster recovery infrastructure to complete compromise, potentially affecting the integrity of backup and replication data.
Improper file permissions on system binaries in Glory RBG-100 recycler systems running ISPK-08 software allow local attackers to overwrite root-owned executables and achieve privilege escalation. An unprivileged user with local access can modify these world-writable binaries to execute arbitrary commands with root privileges. No patch is currently available for this vulnerability.
Malwarebytes AdwCleaner before v.8.7.0 runs as Administrator and performs an insecure log file delete operation in which the target location is user-controllable, allowing a non-admin user to escalate privileges to SYSTEM via a symbolic link, a related issue to CVE-2023-28892. [CVSS 8.7 HIGH]
Remote privilege escalation in JingDong JD Cloud Box AX6600 firmware through improper access controls in the jdcapp_rpc service allows authenticated attackers to escalate privileges over the network. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. The issue affects firmware versions up to 4.5.1.r4533 with no patch currently available.
Ax6600 Firmware versions up to 4.5.1. contains a vulnerability that allows attackers to Remote Privilege Escalation (CVSS 6.3).
Remote privilege escalation in JingDong JD Cloud Box AX6600 firmware (up to version 4.5.1.r4533) allows authenticated remote attackers to escalate privileges through manipulation of the web_get_ddns_uptime function in the jdcweb_rpc component. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.
Flos Freeware Notepad2 versions 4.2.22 through 4.2.25 contain an uncontrolled search path vulnerability in Msimg32.dll that allows local attackers with user-level privileges to achieve code execution and system compromise. Exploitation requires high complexity and local access, but successful attacks can result in complete system confidentiality, integrity, and availability breaches. No patch is currently available, and the vendor has not responded to disclosure attempts.
eNet SMART HOME server has a privilege escalation vulnerability enabling low-privileged users to gain admin access to the home automation system.
eNet Smart Home server versions 2.2.1 and 2.3.1 suffer from missing authorization checks in the resetUserPassword JSON-RPC method, allowing any authenticated low-privileged user to reset passwords for administrative accounts without proper verification. Public exploit code exists for this vulnerability, enabling attackers to achieve immediate privilege escalation and gain full administrative control over the smart home system. No patch is currently available, leaving deployed instances vulnerable to account takeover attacks.
Unidocs ezPDF DRM/Reader versions 2.0 and 3.0.0.4 on 32-bit systems contain an untrusted search path vulnerability in SHFOLDER.dll that could allow a local attacker with limited privileges to achieve arbitrary code execution through DLL hijacking. Public exploit code exists for this vulnerability, though exploitation is complex and requires local access. No patch is currently available from the vendor.
Ecwid by Lightspeed Ecommerce Shopping Cart (WordPress plugin) versions up to 7.0.7. is affected by improper privilege management (CVSS 8.8).
Privilege escalation in Truelysell Core WordPress plugin <= 1.8.7. Insufficient role validation allows elevation.
Privilege escalation in the Magic Login Mail or QR Code WordPress plugin (versions up to 2.05) allows unauthenticated attackers to hijack any user account, including administrator accounts, by exploiting a race condition in QR code file handling. The plugin creates QR code login images with predictable filenames in the public uploads directory and fails to delete them immediately after email transmission, enabling attackers to intercept the encoded login URLs. An attacker can trigger login requests for arbitrary users and extract valid authentication tokens during the window before file cleanup occurs.
The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srm_restore_options_defaults' function in all versions up to, and including, 3.1.19. [CVSS 8.8 HIGH]
Local privilege escalation in Calero VeraSMART versions before 2026 R1 stems from hardcoded AES encryption keys embedded in Veramark.Framework.dll that protect service account credentials stored in app.settings. An attacker with local system access can extract these static keys, decrypt the stored passwords, and use the recovered credentials to authenticate as the service account, potentially gaining elevated privileges depending on that account's permissions. No patch is currently available for this vulnerability.
Local privilege escalation in Genetec Sipelia Plugin. An authenticated low-privileged Windows user could exploit this vulnerability to gain elevated privileges on the affected system.
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables module allows local attackers with unprivileged access to cause memory corruption and denial of service through an inverted logic check in catchall map element activation during failed transactions. The flaw occurs in nft_map_catchall_activate() which incorrectly processes already-active elements instead of inactive ones, potentially leading to privilege escalation or system crash. No patch is currently available.
Flexcity versions before 1.0.36 contain an authentication bypass vulnerability that allows authenticated users to escalate their privileges through an alternate access path. An attacker with valid credentials can exploit this flaw to gain unauthorized elevated access to the system. No patch is currently available.
Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36. [CVSS 8.8 HIGH]
Intego Personal Backup, a macOS backup utility that allows users to create scheduled backups and bootable system clones, contains a local privilege escalation vulnerability.
Intego Log Reporter, a macOS diagnostic utility bundled with Intego security products that collects system and application logs for support analysis, contains a local privilege escalation vulnerability.
FrankenPHP versions prior to 1.11.2 fail to properly isolate session data between worker requests, enabling cross-user session fixation where an attacker can read sensitive $_SESSION information intended for other users. This high-severity flaw affects multi-request worker mode deployments and has public exploit code available. A patched version 1.11.2 is available and should be deployed immediately.
NextVPN 4.10 contains an insecure file permissions vulnerability that allows local users to modify executable files with full access rights. Attackers can replace system executables with malicious files to gain SYSTEM or Administrator privileges through unauthorized file modification. [CVSS 7.8 HIGH]
A DLL hijacking vulnerability in Doc Nav could allow a local attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. [CVSS 7.3 HIGH]
FreePBX versions up to 17.0.5 contain a vulnerability that allows attackers to forge a valid JWT with full access to the REST and GraphQL APIs on a FreePBX tha (CVSS 7.5).
Heap buffer overflow in the pg_trgm extension of PostgreSQL 18.0 and 18.1 allows authenticated database users to trigger memory corruption through specially crafted input strings. An attacker with database access could potentially achieve privilege escalation or cause service disruption, though exploit complexity is currently limited by restricted control over written data. No patch is currently available.
M-Track Duo HD version 1.0.0 installer is vulnerable to DLL hijacking due to improper library search path handling, enabling local attackers to execute arbitrary code with administrator privileges. An attacker with local access and user interaction can exploit this vulnerability by placing malicious DLLs in predictable locations to gain full system compromise. No patch is currently available for this high-severity vulnerability.
Vulnerabilities in the My Account and User Management components in CIPPlanner CIPAce before 9.17 allow attackers to escalate their access levels. [CVSS 8.8 HIGH]
D-Link products using BusyBox are vulnerable to privilege escalation through malicious tar archives containing unvalidated symlink or hardlink entries that extract files outside the intended directory. An attacker with local access can craft an archive that modifies critical system files when extraction occurs with elevated privileges, potentially gaining unauthorized system access. No patch is currently available for this vulnerability.
Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a privilege escalation vulnerability exists in the Outline document management system due to inconsistent authorization checks between user and group membership management endpoints. [CVSS 7.6 HIGH]
Incorrect permission assignment in AMD µProf may allow a local user-privileged attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.
A DLL hijacking vulnerability in Vivado could allow a local attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. [CVSS 7.3 HIGH]
A DLL hijacking vulnerability in the AMD Software Installer could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. [CVSS 7.8 HIGH]
The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access t...
A buffer overflow in the AMD Secure Processor (ASP) bootloader could allow an attacker to overwrite memory, potentially resulting in privilege escalation and arbitrary code execution.
Windows Remote Desktop contains an improper privilege management vulnerability (CVE-2026-21533, CVSS 7.8) enabling authorized local attackers to escalate to SYSTEM. KEV-listed, this vulnerability in the RDP subsystem is particularly concerning in environments where Remote Desktop is widely used, as it can be chained with RDP session access for complete system compromise.
Incorrect default permissions for some Intel(R) Chipset Software before version 10.1.20266.8668 or later within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present with...
Incorrect default permissions for some Intel(R) Memory and Storage Tool before version 2.5.2 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special i...
Incorrect permission assignment for critical resource for some System Firmware Update Utility (SysFwUpdt) for Intel(R) Server Boards and Intel(R) Server Systems Based before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. This result ...
Missing protection mechanism for alternate hardware interface in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow an escalation of privilege. [CVSS 7.9 HIGH]
Improper conditions check in some firmware for some Intel(R) NPU Drivers within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data corruption. [CVSS 3.3 LOW]
Incorrect default permissions for some Intel(R) Graphics Driver software within Ring 2: Privileged Process may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. [CVSS 6.7 MEDIUM]
Uncontrolled search path for some AI Playground before version 2.6.1 beta within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowl...
Graphics Software versions up to 25.30.1702.0 contain a vulnerability that allows attackers to achieve an escalation of privilege (CVSS 6.7).
Incorrect default permissions for some Intel(R) Battery Life Diagnostic Tool within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. [CVSS 6.7 MEDIUM]
Improper handling of values in the microcode flow for some Intel(R) Processor Family may allow an escalation of privilege. Startup code and SMM adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. [CVSS 3.9 LOW]
Race condition for some TDX Module within Ring 0: Hypervisor may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. [CVSS 7.9 HIGH]
Improper input validation for some Server Firmware Update Utility (SysFwUpdt) before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. [CVSS 8.2 HIGH]
Improper buffer restrictions in the firmware for the TDX Module may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. [CVSS 4.7 MEDIUM]
Incorrect default permissions for the Intel(R) Optane(TM) PMem management software before versions CR_MGMT_01.00.00.3584, CR_MGMT_02.00.00.4052, CR_MGMT_03.00.00.0538 within Ring 3: User Applications may allow an escalation of privilege. [CVSS 6.7 MEDIUM]
Improper input validation for some Server Firmware Update Utility (SysFwUpdt) before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable local code execution. [CVSS 7.5 HIGH]
Uncontrolled search path in some software installer for some VTune(TM) Profiler software and Intel(R) oneAPI Base Toolkits before version 2025.0 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access w...
Improper conditions check for the Intel(R) Optane(TM) PMem management software before versions CR_MGMT_02.00.00.4052, CR_MGMT_03.00.00.0538 within Ring 3: User Applications may allow an escalation of privilege. [CVSS 6.7 MEDIUM]
Arbitrary code execution with SYSTEM privileges in SINEC NMS User Management Component (all versions prior to V2.15.2.1) stems from improper access controls allowing low-privileged users to modify configuration files and load malicious DLLs. An authenticated attacker can exploit this to achieve complete system compromise. No patch is currently available.
Arbitrary code execution in Siemens SINEC NMS versions prior to V4.0 SP2 can be achieved when a low-privileged user modifies configuration files to load malicious DLLs, resulting in administrative privilege execution. This local vulnerability affects all current deployments and currently has no available patch. An authenticated attacker with local access can exploit this to gain full system compromise.
AXIS Camera Station Pro contained a flaw that allowed a non-admin user to perform a privilege escalation attack on the server. [CVSS 7.8 HIGH]
SAP Business Workflow contains an authorization bypass that allows authenticated administrators to escalate privileges by misusing permissions from lower-sensitivity functions to perform unauthorized high-privilege operations. An attacker with admin credentials can exploit this flaw to compromise data integrity, though confidentiality and availability impacts are limited. No patch is currently available for this vulnerability.
Insufficient authorization checks in SAP Fiori App Manage Service Entry Sheets allow authenticated users to escalate privileges and modify data they should not have access to. The vulnerability affects SAP S/4HANA Core installations and requires user authentication to exploit, limiting the immediate risk but potentially enabling insider threats or account compromise scenarios.
Unauthorized option modification in WCFM - Frontend Manager for WooCommerce up to version 6.7.24 allows authenticated Shop Manager-level users to bypass capability checks and alter arbitrary WordPress settings. An attacker with these privileges can exploit this to change the default registration role to administrator and enable user registration, gaining full admin access to the site. No patch is currently available for this vulnerability.
Endpoint Configuration Toolset Solution is affected by improper link resolution before file access (CVSS 7.8).
Privilege escalation in Cube.js versions 0.27.19 through 1.5.12 allows authenticated attackers to craft specially designed API requests that bypass access controls and gain elevated privileges within the application. This vulnerability affects Cube.js semantic layer deployments and requires only a valid API token to exploit, making it a risk to multi-tenant or role-based access control implementations. No patch is currently available for this HIGH severity issue.
Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools. [CVSS 7.8 HIGH]
Tanium addressed a local privilege escalation vulnerability in Tanium Server. [CVSS 6.7 MEDIUM]
Tanium addressed a local privilege escalation vulnerability in Tanium Module Server. [CVSS 6.7 MEDIUM]
Craft CMS versions 4.0.0-RC1 to 4.17.0 and 5.0 to 5.9.0 contain a privilege escalation vulnerability in the GraphQL API that allows authenticated users with write access to one asset volume to modify or transfer assets across any other volume, including restricted ones they should not access. The vulnerability stems from insufficient authorization validation in the saveAsset mutation, which verifies permissions against the intended volume but fails to confirm the target asset actually belongs to that volume. An attacker with limited asset write permissions can exploit this to gain unauthorized access to and manipulate sensitive assets in protected volumes.
A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). [CVSS 5.4 MEDIUM]
GIGABYTE MacroHub improperly executes external applications with elevated privileges, enabling authenticated local users to achieve arbitrary code execution with SYSTEM-level access. This local privilege escalation affects MacroHub users on Windows systems and could allow attackers to fully compromise affected machines. No patch is currently available.
The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. [CVSS 8.8 HIGH]
Privilege escalation in JAY Login & Register WordPress plugin allows unauthenticated attackers to register as administrators. All versions up to 1.1.6 affected.
SprintWork 2.3.1 contains multiple local privilege escalation vulnerabilities through insecure file, service, and folder permissions on Windows systems. [CVSS 6.2 MEDIUM]
Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code execution outside the intended sandbox boundary.
Local privilege escalation vulnerability via insecure temporary batch file execution in ESET Management Agent [CVSS 6.7 MEDIUM]
HarmonyOS versions up to 6.0.0 are affected by a permissions, privileges, and access controls vulnerability (CVSS 6.1).
Permission control vulnerability in the AMS module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.2 MEDIUM]
HarmonyOS versions up to 5.1.0 are affected by a permissions, privileges, and access controls vulnerability (CVSS 5.9).
HarmonyOS versions up to 6.0.0 are affected by a permissions, privileges, and access controls vulnerability (CVSS 6.3).
Missing bounds check in Android VPU (Video Processing Unit) driver's vpu_mmap allows arbitrary address memory mapping, potentially leading to local privilege escalation on Android devices.
Tanium addressed an incorrect default permissions vulnerability in Enforce. [CVSS 6.5 MEDIUM]
Tanium addressed an incorrect default permissions vulnerability in Benchmark. [CVSS 6.5 MEDIUM]
Tanium addressed an incorrect default permissions vulnerability in Comply. [CVSS 6.5 MEDIUM]
Tanium addressed an incorrect default permissions vulnerability in Discover. [CVSS 6.5 MEDIUM]
Tanium addressed an incorrect default permissions vulnerability in Partner Integration. [CVSS 6.5 MEDIUM]
Tanium addressed an incorrect default permissions vulnerability in Patch. [CVSS 6.5 MEDIUM]
Tanium addressed an incorrect default permissions vulnerability in Performance. [CVSS 6.5 MEDIUM]