Skip to main content

Privilege Escalation

13290 CVEs technique

Monthly

CVE-2018-25359 HIGH POC This Week

Splinterware System Scheduler Pro 5.12 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by modifying service executable files. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Splinterware System Scheduler Pro
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-9490 MEDIUM This Month

A security vulnerability has been identified in Acer Care Center where the ACCSvc service creates a Named Pipe with a weak Security Descriptor. This vulnerability allows an authenticated local user to connect and send a specially crafted message (message type 0x03) to the pipe, causing the service to crash with exit code 1067 (ERROR_PROCESS_ABORTED). To mitigate this potential local service disruption, Acer requires users to update the software to the latest version.

Privilege Escalation Care Center
NVD VulDB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-9489 HIGH This Week

NitroSense 3.x before 3.01.3052 contains Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges.

Microsoft Path Traversal RCE Privilege Escalation
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-6419 HIGH This Week

Privilege escalation in the WishList Member WordPress plugin (versions through 3.30.1) allows authenticated subscriber-level attackers to extract the plugin's plaintext REST API Secret Key and use it to create administrator accounts, resulting in full site takeover. The flaw is reachable via a single AJAX call (ajax_get_screen) that lacks capability and nonce checks. No public exploit identified at time of analysis, but the attack path is fully described in the Wordfence advisory and requires only low-privileged authenticated access.

WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6897 HIGH This Week

Privilege escalation in the Wishlist Member WordPress plugin (versions through 3.30.1) allows any authenticated user with Subscriber-level access or higher to update arbitrary plugin options, including the REST API Secret Key, leading to full site takeover. The flaw stems from a missing capability check in the Team_Accounts::save_settings function, and although no public exploit identified at time of analysis, the low authentication bar and chained admin-account creation path make it a high-priority risk on any WordPress site that permits public registration.

WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6895 HIGH This Week

Privilege escalation in the WishList Member WordPress plugin versions up to 3.30.1 allows authenticated low-privilege users to obtain the REST API Secret Key via the unprotected 'export_settings' AJAX endpoint and leverage it to register arbitrary administrator accounts. The CVSS 8.8 (High) rating reflects full confidentiality, integrity, and availability impact, and while no public exploit is identified at time of analysis, the discovery by Wordfence - a major WordPress security vendor - typically precedes broader exploitation against the large WordPress plugin ecosystem.

WordPress Information Disclosure Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6898 HIGH This Week

Privilege escalation in the Wishlist Member WordPress plugin (versions ≤3.30.1) allows authenticated Subscriber-level users to overwrite the plugin's REST API Secret Key and abuse it to create administrator accounts, leading to full site takeover. The flaw stems from a missing capability check on the generate_api_key hook handler. No public exploit identified at time of analysis, though Wordfence has published a threat-intel advisory.

WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-23663 HIGH PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft Entra ID (formerly Azure AD), specifically affecting Microsoft Global Secure Access (GSA), allows remote unauthenticated attackers to gain elevated privileges over the network. The CVSS 7.5 rating reflects high confidentiality impact with no required authentication or user interaction, though no public exploit has been identified at time of analysis. The vector points to a flaw in how identity or access tokens are evaluated, which is particularly sensitive given Entra ID's role as a primary IAM backbone for Microsoft 365 and Azure tenants.

Microsoft Privilege Escalation
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40172 HIGH This Week

Privilege escalation in authentik identity provider versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2 allows an authenticated user holding the change_user permission to assign arbitrary groups - including superuser groups - to any target user via the PATCH /api/v3/core/users/{pk}/ endpoint. The UserSerializer skips the enable_group_superuser check enforced in the dedicated group-management paths, letting delegated user-management roles promote themselves or others to administrator-equivalent privilege. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the trivial attack mechanics (a single PATCH request) make weaponization straightforward for any tenant that has delegated user administration.

Privilege Escalation Authentik
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-28445 npm HIGH PATCH GHSA This Week

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collaborator-crafted bot to execute arbitrary HTML/JavaScript in the authenticated builder context via the RatingButton component's customIcon.svg field. Because the builder preview renders bots inline on builder.typebot.io under a CSP permitting 'unsafe-inline', successful exploitation enables session hijacking and privilege escalation within the SaaS builder, with no public exploit identified at time of analysis.

XSS Privilege Escalation Typebot Io
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-39821 Go CRITICAL PATCH Act Now

Privilege escalation in Go's golang.org/x/net/idna package (all versions before 0.55.0) stems from ToASCII and ToUnicode accepting Punycode labels that decode to an ASCII-only label, so ToUnicode("xn--example-.com") returns "example.com" instead of an error. Applications that perform authorization checks on an ASCII hostname and then convert it to Unicode can be tricked into permitting a name that the direct check would have rejected. This is a library-level flaw (CVSS 9.6, scope-changed) reported by the Go team; there is no public exploit identified at time of analysis and EPSS is very low (0.04%, 14th percentile).

Privilege Escalation Golang Org X Net Idna
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-8353 PHP LOW PATCH This Week

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

XSS Privilege Escalation Concrete Cms
NVD
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-32749 MEDIUM PATCH This Month

Directory listing exposure in Dell PowerFlex Manager versions 4.6.2 and earlier allows an attacker to enumerate directory contents, potentially revealing sensitive files, configuration data, or internal path structures. Both the Appliance and Rack deployment forms are confirmed affected per Dell advisories DSA-2025-434 and DSA-2025-435. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, but the combination of Information Disclosure and Privilege Escalation tags suggests the exposed directory contents may facilitate further privilege escalation beyond initial information leakage.

Dell Information Disclosure Privilege Escalation Powerflex Manager Appliance Powerflex Manager Rack +1
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-9018 HIGH This Week

Unauthenticated privilege escalation in the Easy Elements for Elementor WordPress plugin through version 1.4.5 allows remote attackers to register administrator accounts by abusing an unchecked custom_meta parameter in the eel_register AJAX handler. The flaw lets attackers overwrite the wp_capabilities user meta after wp_insert_user() has assigned a safe role, granting full site takeover. No public exploit identified at time of analysis, and the CVSS vector's PR:L appears inconsistent with the description's explicit unauthenticated abuse path.

WordPress Privilege Escalation Elementor
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-8350 PHP HIGH PATCH GHSA This Week

Privilege escalation in Concrete CMS 9.5.0 and earlier allows authenticated users with access to the bulk user assignment dashboard to add arbitrary accounts to the Administrators group and remove existing admins, effectively hijacking site control. The flaw stems from missing authorization checks in bulk_user_assignment.php and was disclosed with a vendor-assigned CVSS v4.0 score of 7.5. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

PHP Authentication Bypass Privilege Escalation
NVD
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-47101 PyPI HIGH PATCH GHSA This Week

Privilege escalation in LiteLLM proxy versions prior to 1.83.14 allows an authenticated internal_user to elevate to proxy_admin by generating an API key with an attacker-controlled allowed_routes field that grants access to admin-only endpoints. Because the key-generation handler did not verify that the requested routes fell within the caller's own role permissions, the resulting key successfully reaches admin routes and bypasses role-based access control. Publicly available exploit code exists via a Huntr bounty disclosure and gist, and the upstream commits are merged in the v1.83.14-stable release.

Authentication Bypass Privilege Escalation Litellm
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-46617 Go HIGH PATCH GHSA This Week

Privilege escalation in Fission (Kubernetes serverless framework) versions <= 1.22.0 allows any user able to deploy or update a Function CRD to read every Secret and ConfigMap in the runtime namespace, bypassing the Function.spec.secrets allowlist. The flaw stems from runtime pods running under the namespace-privileged fission-fetcher ServiceAccount whose automounted token is reachable by the user-code container alongside the fetcher sidecar. No public exploit identified at time of analysis, but the vendor-issued advisory (GHSA-85g2-pmrx-r49q) describes a trivially reachable abuse path once a function can be deployed.

Kubernetes Privilege Escalation
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-46490 npm HIGH PATCH GHSA This Week

Privilege escalation in samlify (Node.js SAML library) versions prior to 2.13.0 allows authenticated users to inject arbitrary XML markup into signed SAML assertions because template substitution only escapes attribute contexts, not element text. An attacker with a valid account can supply crafted values in user-controlled fields (e.g., email) that close the AttributeValue element and inject additional saml:Attribute elements (such as role=admin), which the IdP then signs and the SP accepts as trusted. No public exploit identified at time of analysis beyond the vendor-published PoC in the GHSA advisory.

Node.js Privilege Escalation
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-45208 HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileged code execution to win a race condition in the endpoint protection agent and elevate to higher privileges. The flaw is a time-of-check time-of-use (TOCTOU) weakness (CWE-367) in the Apex One/SEP agent on Windows endpoints, with no public exploit identified at time of analysis and not currently listed in CISA KEV. The vendor has published advisory KA-0023430 with fixed builds.

Privilege Escalation Trendai Apex One Trendai Apex One As A Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45207 HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows an authenticated low-privileged user to elevate to higher privileges by abusing an origin validation flaw in one of the agent's process protection communication mechanisms. No public exploit identified at time of analysis, but the vulnerability is companion to CVE-2026-45206 in a parallel code path, which suggests the underlying class of issue is actively being researched by Trend Micro's own team.

Privilege Escalation Trendai Apex One Trendai Apex One As A Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45206 HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows low-privileged attackers to elevate to higher privileges by abusing an origin validation weakness (CWE-346) in one of the agent's process protection communication mechanisms. The flaw is a sibling issue to CVE-2026-45207 affecting a different IPC channel and is reported by Trend Micro itself; no public exploit identified at time of analysis and the CVE is not on CISA KEV.

Privilege Escalation Trendai Apex One Trendai Apex One As A Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34930 HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One and Apex One as a Service stems from an origin validation weakness (CWE-346) in one of the agent's process protection mechanisms, allowing a low-privileged local attacker to elevate to SYSTEM-level privileges on affected installations. The flaw was reported by Trend Micro itself and is a sibling issue to CVE-2026-34927, which affects a different process protection mechanism in the same agent. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Privilege Escalation Trendai Apex One Trendai Apex One As A Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34929 HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileged code execution to gain elevated rights by exploiting weak origin validation in an inter-process communication channel. No public exploit identified at time of analysis, but the flaw is a sibling to CVE-2026-34927 (different IPC mechanism in the same agent) which raises the likelihood of researcher and adversary interest. Vendor patches are available for both the on-prem 2019 (14.0) line and the SaaS offering.

Privilege Escalation Trendai Apex One Trendai Apex One As A Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34928 HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One and Apex One as a Service security agents allows a low-privileged attacker who already has code execution on the endpoint to elevate to higher privileges by abusing a named pipe that fails to validate the origin of incoming connections. The flaw is companion to CVE-2026-34927 (a sibling issue in a different named pipe) and currently has no public exploit identified at time of analysis, but its presence in widely-deployed endpoint security software materially raises post-compromise risk.

Privilege Escalation Trendai Apex One Trendai Apex One As A Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34927 HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One (on-premises 2019/14.0) and Apex One as a Service allows a low-privileged user already executing code on the host to elevate to higher privileges by abusing an origin validation weakness in the security agent. The flaw carries a CVSS 7.8 (local, low complexity) and no public exploit identified at time of analysis, but because the agent typically runs with SYSTEM-level rights, successful exploitation yields full host compromise. Trend Micro has issued patched builds (KA-0023430).

Privilege Escalation Trendai Apex One Trendai Apex One As A Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-71217 HIGH HOSTED Monitor

An origin validation error vulnerability in the Trend Micro Apex One (mac) agent self-protection mechanism could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release).

Trend Micro Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-71216 HIGH HOSTED Monitor

A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent cache mechanism could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release).

Trend Micro Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-71215 HIGH HOSTED Monitor

A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent iCore service signature verification could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release).

Trend Micro Privilege Escalation
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2025-71214 HIGH HOSTED Monitor

An origin validation error vulnerability in the Trend Micro Apex One (mac) agent iCore service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release).

Trend Micro Privilege Escalation
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-71213 HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One and Apex One as a Service stems from an origin validation error (CWE-346) that lets an authenticated low-privileged attacker elevate to higher privileges on the host. Trend Micro has released fixed builds and ZDI has published an advisory (ZDI-26-140); no public exploit identified at time of analysis, though vendor-reported vulnerabilities in endpoint security agents are frequent targets for post-compromise attackers.

Trend Micro Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-71212 HIGH PATCH This Week

Local privilege escalation in the Trend Micro Apex One scan engine allows low-privileged users on Windows endpoints to gain elevated privileges by abusing a link-following weakness (CWE-59) in the scanner's file-handling logic. The flaw affects on-premise Apex One 2019 builds prior to 14.0.0.14136 and the SaaS edition prior to 14.0.20315, with a patch available from Trend Micro; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Trend Micro Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-5118 CRITICAL Act Now

Privilege escalation in the Divi Form Builder WordPress plugin (versions ≤5.1.2) allows unauthenticated remote attackers to register administrator accounts by submitting a tampered 'role' parameter in the registration POST body. The plugin trusts the client-supplied role value instead of enforcing the form's configured default_user_role, yielding full WordPress site takeover. No public exploit identified at time of analysis, but the CVSS 9.8 score and trivial exploitability make this a high-priority patch for any site running the plugin with public registration forms.

WordPress Privilege Escalation
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-45254 MEDIUM This Month

In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.

Privilege Escalation Freebsd
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-48172 CRITICAL POC KEV PATCH THREAT NEWS Act Now

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent plugin) is unaffected. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features.

Privilege Escalation Redis
NVD VulDB GitHub
CVSS 4.0
10.0
EPSS
0.0%
Threat
5.0
CVE-2026-8487 MEDIUM PATCH This Month

Incorrect default permissions in Progress Software MOVEit Automation expose embedded sensitive data to authenticated low-privileged users over the network. Affected versions span the 2025.0.x line before 2025.0.11 and the 2025.1.x line before 2025.1.7. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) indicates that any network-accessible instance running a vulnerable version can be exploited by a legitimately authenticated user with minimal privileges, resulting in high confidentiality impact with no integrity or availability loss. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.

Information Disclosure Privilege Escalation Moveit Automation
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-29518 HIGH PATCH This Week

Local privilege escalation in Rsync daemon (versions ≤ 3.4.2) is possible via a TOCTOU symlink race when the daemon is configured with 'use chroot = no'. An authenticated local attacker with write access to a module can swap a parent directory component for a symlink between the receiver's path check and its open() call, redirecting writes outside the module and overwriting sensitive files. No public exploit identified at time of analysis, but the upstream patch in release 3.4.3 and a detailed VulnCheck advisory disclose the precise race window.

Privilege Escalation Rsync
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-7467 HIGH This Week

Privilege escalation in the Read More & Accordion WordPress plugin (versions up to and including 3.5.7) allows authenticated low-privileged users granted import rights through the plugin's role settings to write arbitrary rows into the wp_users and wp_usermeta tables, effectively creating a new administrator account. The flaw stems from the RadMoreAjax::importData function failing to restrict target database tables and to validate imported data. No public exploit identified at time of analysis, though the vulnerability was disclosed by Wordfence threat intelligence researchers.

WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6456 HIGH This Week

Privilege escalation in the BeycanPress Account Switcher WordPress plugin (versions up to and including 1.0.2) allows authenticated Subscriber-level users to hijack any account, including Administrator, by abusing a loose PHP comparison in the rememberLogin REST endpoint. No public exploit is identified at the time of analysis, but the issue is trivially reproducible from the disclosed root cause and the plugin source on WordPress.org is publicly indexable.

WordPress PHP Authentication Bypass Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7284 CRITICAL Act Now

Privilege escalation in the Easy Elements for Elementor WordPress plugin (versions up to and including 1.4.4) allows unauthenticated remote attackers to register accounts with the 'administrator' role, granting full site takeover. The flaw exists in the 'easyel_handle_register' function which fails to validate or restrict the user role parameter submitted during registration. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's disclosure make weaponization straightforward.

WordPress Privilege Escalation Elementor
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-41054 HIGH PATCH This Week

Local privilege escalation in haveged (HArdware Volatile Entropy Gathering and Expansion Daemon) allows authenticated low-privileged users to escalate to root via the daemon's command socket, which is affected by missing authentication for a critical function (CWE-305). The flaw was disclosed on the oss-security mailing list on 2026-05-20 by Jiri Hladky, with vendor patches available from SUSE and tracking in Debian (bug#1137096); no public exploit identified at time of analysis.

Privilege Escalation
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34358 HIGH PATCH This Week

Privilege escalation in CtrlPanel hosting billing software (versions ≤1.1.1) allows any authenticated low-privilege user to invoke admin write endpoints because store()/update() controller methods omit the RBAC permission checks present on their corresponding form-display methods. Successful exploitation yields effective admin control over API credentials, coupons, vouchers, partner commissions, shop pricing, server ownership, and user accounts (including roles, credits, passwords, and Pterodactyl linkages). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-34246 MEDIUM PATCH This Month

Stored XSS in CtrlPanel's admin role management interface (versions 1.1.1 and prior) allows a privileged admin to inject persistent malicious HTML into role name or color fields, which executes in the browser of every admin who subsequently loads the /admin/roles page. The attack enables session hijacking, credential harvesting via fake login prompts or keyloggers, and lateral privilege escalation by performing admin actions on behalf of victim admins - with the payload re-executing on every page load until the offending role record is manually deleted. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept payload is documented in the vendor advisory. Fixed in version 1.2.0.

PHP XSS Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-8370 HIGH PATCH This Week

Local privilege escalation in Broadcom Automic Automation Agent versions prior to 24.4.4 HF1 allows authenticated low-privileged users on Unix-family systems (Linux x64, Linux Power 64 BE/LE, zLinux, AIX, Solaris x64, Solaris Sparc 64) to abuse the agent's elevated privileges and target programs running with higher rights. The CVSS 4.0 score of 8.5 reflects high confidentiality, integrity, and availability impact achievable from a local foothold, with no public exploit identified at time of analysis.

Broadcom Privilege Escalation
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-47107 HIGH PATCH This Week

Cross-tenant DNS and TLS poisoning in Windmill versions prior to 1.703.2 allows authenticated low-privilege users to write to /etc/hosts, /etc/resolv.conf, and the system CA bundle from inside nsjail script sandboxes, persisting tampered state across every subsequent job on the same worker pod. Because poisoned entries survive between executions, attackers can hijack hostname resolution, perform transparent HTTPS man-in-the-middle, and steal WM_TOKEN JWTs to escalate to workspace-admin in other tenants. Publicly available exploit code exists per SSVC (poc), and CVSS 4.0 rates this 8.6 with high confidentiality and integrity impact.

Privilege Escalation Windmill
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-46424 npm MEDIUM PATCH GHSA This Month

Missing Redis cache invalidation in Budibase's public API role unassignment endpoint allows users with revoked admin, builder, or app-level privileges to retain full access for up to 1 hour (the hardcoded Redis TTL of 3600 seconds). Affected deployments are Budibase versions prior to 3.38.2 running an enterprise license, where the `POST /api/public/v1/roles/unassign` endpoint writes revocations to CouchDB but never calls `cache.user.invalidateUser()`, leaving the authentication middleware to serve stale permissions from Redis. Publicly available exploit code exists within the GHSA-6vp2-6r7m-2jvx advisory; no confirmed active exploitation (not listed in CISA KEV at time of analysis).

Redis Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-45738 Go HIGH PATCH GHSA This Week

Stored XSS in Argo CD allows developer-role users to inject javascript: URIs via link.argocd.argoproj.io/* annotations, which render unvalidated in the Application Summary tab's URLs section. When an admin clicks the disguised link, arbitrary JavaScript executes in the ArgoCD same-origin context with the victim's session, enabling API exfiltration and developer-to-admin privilege escalation. No public exploit identified at time of analysis beyond the detailed vendor PoC, and the issue is not currently listed in CISA KEV.

Kubernetes XSS Privilege Escalation
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-8972 HIGH PATCH This Week

Privilege escalation in Mozilla Firefox's WebRTC Audio/Video component allows remote attackers to elevate privileges within the browser context when a user is lured into interacting with a malicious page. The flaw carries a CVSS 8.8 with required user interaction and was addressed in Firefox 151; no public exploit identified at time of analysis and EPSS exploitation probability sits at 0.03% (8th percentile).

Mozilla Privilege Escalation Suse Red Hat
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-8970 HIGH PATCH This Week

Privilege escalation in Mozilla Firefox's Security component allows remote attackers to elevate privileges within the browser when a victim interacts with attacker-controlled content, affecting Firefox versions prior to 151 and Firefox ESR prior to 140.11. With CVSS 8.8 (high) and user interaction required, exploitation is plausible via malicious web content, though EPSS sits at just 0.04% (12th percentile) and no public exploit identified at time of analysis. SSVC rates exploitation as 'none' but flags the issue as automatable with partial technical impact, suggesting concerning scalability if a working exploit emerges.

Mozilla Privilege Escalation Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-8957 HIGH PATCH This Week

Privilege escalation in the Enterprise Policies component of Mozilla Firefox affects versions prior to Firefox 151 and Firefox ESR 140.11, allowing remote attackers who can convince a user to interact with crafted content to elevate privileges within the browser. No public exploit identified at time of analysis, and EPSS scoring places exploitation probability at just 0.03% (9th percentile). The vulnerability requires user interaction per the CVSS vector, which somewhat constrains real-world weaponization despite the high 8.8 CVSS score.

Mozilla Privilege Escalation Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-8955 HIGH PATCH This Week

Privilege escalation in Mozilla Firefox's DOM Workers component allows remote attackers to elevate privileges within the browser when a victim interacts with a malicious web page. Affects Firefox versions prior to 151 and Firefox ESR prior to 140.11, with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.03% (9th percentile).

Mozilla Privilege Escalation Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-8952 HIGH PATCH This Week

Privilege escalation in Mozilla Firefox via the Application Update component allows remote attackers to gain elevated privileges when a user interacts with malicious content, fixed in Firefox 151. The flaw carries a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R) and is categorized under CWE-269 (Improper Privilege Management). There is no public exploit identified at time of analysis, and EPSS estimates only a 0.03% probability of exploitation in the next 30 days.

Mozilla Privilege Escalation Suse Red Hat
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-22069 HIGH This Week

Local privilege escalation in OPPO's O+ Connect application stems from missing caller identity validation on a named pipe interface (CWE-266), allowing a low-privileged local user with user interaction to escalate to higher privileges with high availability impact and scope change. The CVSS 3.1 score is 7.3 and the issue was reported by OPPO itself; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Privilege Escalation O Connect
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-32323 HIGH PATCH This Week

Local privilege escalation in Mullvad VPN for macOS versions 2026.1 and earlier allows a user in the admin group to gain root code execution during installation or upgrade. The installer's preinstall script executes binaries from /Applications/Mullvad VPN.app without verifying the bundle's integrity, enabling an admin-group attacker to pre-stage a malicious app bundle that runs as root. No public exploit identified at time of analysis, and the flaw is only triggerable when an installer is run, not on already-installed systems.

Privilege Escalation Apple RCE
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-30118 CRITICAL Act Now

Server-side request forgery in scalar/astro v0.1.13 allows remote unauthenticated attackers to coerce the backend into making HTTP requests to attacker-controlled destinations via the scalar_url query parameter of the Scalar Proxy endpoint. Exploitation can expose authentication cookies and headers forwarded by the proxy, enabling account takeover and potential privilege escalation. Publicly available exploit code exists, though EPSS is low (0.03%) suggesting limited mass exploitation at this time.

Privilege Escalation SSRF N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31070 CRITICAL Act Now

Privilege escalation in LalanaChami Pharmacy Management System (commit 5c3d028) allows any remote unauthenticated attacker to register a new account with administrator privileges by simply including a role parameter in the signup request body. The /api/user/signup endpoint trusts client-supplied role values without server-side validation, granting full administrative access in a single HTTP call. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but the trivial nature of the flaw means weaponization is straightforward once anyone notices the gist already documenting the issue.

Privilege Escalation N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-34883 MEDIUM This Month

An issue was discovered in the Portrait Dell Color Management application before 3.7.0 for Dell monitors. On Windows, a symbolic link vulnerability allows a local low-privileged user to escalate privileges to Administrator. During installation, the software writes the file CCFLFamily_07Feb11.edr to C:\ProgramData\Portrait Displays\CW\data\i1D3\ while running with elevated privileges. Because the installer does not properly validate symbolic links or reparse points at the destination path, an attacker can create a malicious link that redirects the write operation to an arbitrary system location, enabling arbitrary file creation or overwrite with elevated privileges.

Microsoft Dell Privilege Escalation
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45716 npm HIGH PATCH GHSA This Week

Privilege escalation in self-hosted Budibase (@budibase/worker < 3.38.1) allows any authenticated builder-level user to create a global admin account via the POST /api/global/users/onboard endpoint when SMTP is not configured, with the generated password returned directly in the HTTP response. The flaw stems from the onboard route being gated by builderOrAdmin middleware while exposing the same user-creation power as the admin-only invite endpoints, and no public exploit is identified at time of analysis although the GHSA advisory includes a complete, working proof-of-concept curl chain.

Privilege Escalation
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-45270 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in the CI4MS (CodeIgniter 4 CMS/ERP) Pages module versions <= 0.31.8.0 allows authenticated content authors holding the pages.create or pages.update permission to persist arbitrary JavaScript that executes in every visitor's browser when the public Pages renderer outputs the field unescaped. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-gqr2-7hcg-rchf), and because vulnerable pages can be promoted to the site home page, a single injection escalates from a low-privileged author to full administrator session takeover when an admin browses the front-end.

Privilege Escalation PHP RCE CSRF XSS
NVD GitHub
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-45625 Go CRITICAL PATCH GHSA Act Now

Broken access control in Arcane's GitOps backend (versions <= 1.18.1) allows any authenticated low-privilege user to exfiltrate plaintext Git credentials (PATs/SSH keys) stored for source-of-truth repositories. Eight of nine /api/customize/git-repositories endpoints omit the checkAdmin() gate, letting a 'user' role attacker repoint a repository URL to an attacker-controlled host and trigger a /test or /branches call that transmits the decrypted token via HTTP Basic auth. No public exploit identified at time of analysis, but the GHSA advisory documents a complete attack chain and a patched release (1.19.0) is available.

Authentication Bypass Gitlab Privilege Escalation Information Disclosure Denial Of Service
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-4320 CRITICAL PATCH Act Now

Authorization bypass in Creartia's ICMS content management system allows remote unauthenticated attackers to gain unauthorized access to protected features and escalate privileges by manipulating HTTP redirect headers during the login process. The vulnerability has a CVSS 9.3 score and vendor patches are available through INCIBE advisory.

Authentication Bypass Privilege Escalation Icms Content Management
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-41085 HIGH This Week

Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalation vulnerability that may allow an authenticated user with limited access privileges to gain unauthorized administrator-level privileges through exploitation of specific system interfaces.

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-8719 HIGH This Week

Authenticated attackers can escalate privileges to Administrator in AI Engine WordPress plugin version 3.4.9 through improper authorization in the MCP OAuth bearer-token implementation. The plugin accepts any valid OAuth token for Model Context Protocol (MCP) access without verifying administrator privileges, allowing low-privileged users (Subscriber+) to execute admin-level MCP tools. No public exploit or active exploitation identified at time of analysis.

WordPress Privilege Escalation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2020-37247 HIGH POC This Week

Kite 4.2.0.1 U1 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to escalate privileges by exploiting the service binary path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2020-37232 HIGH POC This Week

Advanced System Care Service 13.0.0.157 contains an unquoted service path vulnerability in the AdvancedSystemCareService13 service binary path that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Advanced System Care Service
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2020-37230 HIGH POC This Week

Syncplify.me Server!. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Syncplify Me Server
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2020-37229 HIGH POC This Week

OKI sPSV Port Manager 1.0.41 contains an unquoted service path vulnerability in the sPSVOpLclSrv service that allows local attackers to escalate privileges by inserting executable files into the. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Oki Spsv Port Manager
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-45717 npm HIGH PATCH GHSA This Week

Budibase servers before version 3.38.1 allow any authenticated application user to modify datasource connection parameters through the REST API endpoint PUT /api/datasources/:datasourceId, which requires only basic TABLE/READ permissions instead of builder-level access. This authorization bypass enables attackers with minimal BASIC role privileges to redirect PostgreSQL, MySQL, MongoDB, or REST datasources to arbitrary hosts and ports, creating server-side request forgery (SSRF) conditions that bypass existing HTTP-layer protections for SQL driver connections. The vulnerability has been assigned CVSS 8.8 (High) and is fixed in Budibase 3.38.1.

Authentication Bypass PostgreSQL Privilege Escalation SSRF Command Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46333 HIGH POC PATCH CISA Act Now

Local privilege escalation in the Linux kernel ptrace subsystem allows authenticated users to bypass the traditional capability-dropping security model when accessing kernel thread details via PTRACE_MODE_READ_FSCREDS checks. The flaw stems from get_dumpable() logic returning misleading values for tasks without an associated memory map (mm), enabling uid-0 processes that have dropped capabilities to still read sensitive kernel thread information. Publicly available exploit code exists (referenced in OSS-security and a GitHub PoC against ssh-keysign), though EPSS scoring (0.02%) indicates low likelihood of widespread exploitation.

Privilege Escalation Linux
NVD VulDB GitHub
CVSS 3.1
7.1
EPSS
0.0%
Threat
4.9
CVE-2026-41962 LOW Monitor

HarmonyOS app management and control module permits local privilege escalation through improper permission controls, allowing unauthenticated local attackers with user interaction to access confidential service data. CVSS 3.6 (low severity) reflects local-only attack vector and requirement for user interaction, though the privilege escalation nature means affected systems warrant review for deployment context.

Privilege Escalation
NVD
CVSS 3.1
3.6
EPSS
0.0%
CVE-2026-6228 HIGH This Week

Privilege escalation in Frontend Admin by DynamiApps plugin allows authenticated attackers with editor-level access to elevate privileges to administrator. The vulnerability exists due to insufficient authorization checks when configuring user role options in edit_user forms combined with overly permissive capabilities on the admin_form post type. Attackers can bypass UI restrictions by directly manipulating POST data to include 'administrator' in role_options, then use the crafted form to assign themselves administrator privileges. CVSS 8.8 reflects network-accessible, low-complexity exploitation requiring only low privileges (editor account). No public exploit code identified at time of analysis, though the attack chain is straightforward for authenticated users. EPSS data not provided, but the technical barrier is minimal once editor access is obtained.

Privilege Escalation PHP WordPress
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41702 HIGH PATCH This Week

Local privilege escalation in VMware Fusion allows authenticated users with non-administrative privileges to gain root access by exploiting a TOCTOU race condition in a SETUID binary. The vulnerability requires local access and low attack complexity (CVSS:3.1 AV:L/AC:L/PR:L), enabling complete system compromise on macOS hosts running affected Fusion versions. EPSS and KEV status data not available; exploitation requires existing local user access but can bypass all privilege boundaries once triggered.

VMware Privilege Escalation
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-54518 HIGH PATCH This Week

Improper isolation of shared resources within the CPU operation cache on Zen 2-based products could allow an attacker to corrupt instructions executed at a different privilege level, potentially resulting in privilege escalation.

Privilege Escalation Amd Epyc 7002 Series Processors Amd Ryzen 4000 Series Mobile Processors With Radeon Graphics Amd Ryzen 7020 Series Processors With Radeon Graphics Amd Ryzen 3000 Series Desktop Processors +8
NVD VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2024-36333 HIGH This Week

A DLL hijacking vulnerability in the AMD Cleanup Utility could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE Amd
NVD VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2025-48516 MEDIUM This Month

DDR5 memory modules in multiple AMD Ryzen processor families contain an insecure default PMIC (Power Management Integrated Circuit) interface configuration that allows local users with standard privileges to cause permanent denial of service or corrupt memory module integrity via unprotected firmware access. The vulnerability affects Ryzen 4000, 7000, 7020, 7030, 7035, 7040, 7045 series processors and Threadripper Pro 3000 WX-series, requiring local system access but no special privileges or user interaction. No public exploit code or active exploitation has been confirmed at time of analysis.

Privilege Escalation Denial Of Service Amd Ryzen 4000 Series Mobile Processors With Radeon Graphics Amd Ryzen 7035 Series Processors With Radeon Graphics Amd Athlon 3000 Series Mobile Processors With Radeon Graphics +30
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-7373 HIGH This Week

Local privilege escalation in Rapid7 Metasploit Pro allows unprivileged Windows users to achieve SYSTEM-level execution via OpenSSL configuration file hijacking. The metasploitPostgreSQL service loads openssl.cnf from a non-existent directory writable by standard users, enabling arbitrary command execution with SYSTEM privileges. Rated CVSS 8.5 (High) with proof-of-concept exploitation status (E:P). EPSS data not yet available. Not currently listed in CISA KEV catalog, suggesting vendor-disclosed rather than observed in-the-wild exploitation at time of analysis.

Privilege Escalation Microsoft PostgreSQL OpenSSL
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2024-21962 HIGH This Week

Improper Input Validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location potentially resulting in privilege escalation and arbitrary code execution. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Amd RCE
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-29936 HIGH This Week

Local privilege escalation in AMD Platform Management Framework (PMF) allows authenticated attackers with low privileges to unmap arbitrary memory pages, potentially executing code with elevated privileges or triggering system crashes. Affects modern AMD Ryzen mobile processors across multiple generations (6000/7000/8000/AI 300 series, embedded variants). The vulnerability enables both horizontal escalation (confidentiality compromise via changed scope in CVSS 4.0) and vertical impact (integrity/availability degradation). No evidence of active exploitation (not in CISA KEV), but the local attack vector with low complexity makes this exploitable by malware or malicious insiders once system access is obtained. EPSS data not available for risk calibration.

Privilege Escalation Amd
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-52540 HIGH This Week

Out-of-bounds write in the AMD Platform Management Framework (PMF) Driver enables local authenticated users to escalate privileges on AMD Ryzen 6000/7000/8000 series processors. The vulnerability stems from improper input validation (CWE-787) allowing memory corruption beyond allocated buffer boundaries. Exploitation requires low-privilege local access with low attack complexity (CVSS 4.0: AV:L/AC:L/PR:L), making this a realistic post-compromise escalation vector. AMD released chipset driver version 7.06.02.123 addressing all affected Ryzen series. No public exploit or active exploitation confirmed at time of analysis.

Privilege Escalation Amd Memory Corruption Buffer Overflow
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-48519 HIGH This Week

Out-of-bounds read/write in AMD Platform Management Framework (PMF) driver allows local authenticated users to escalate privileges on Ryzen 6000/7000/8000 series processors. AMD has released patched chipset software version 7.06.02.123 addressing the improper input validation vulnerability. No public exploit code identified and CISA has not added this to KEV, indicating exploitation is not yet confirmed in real-world attacks despite the high CVSS score. Attackers must already have local system access with standard user privileges to exploit this vulnerability.

Privilege Escalation Amd Memory Corruption Buffer Overflow
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-0432 HIGH This Week

Insecure installation directory permissions in AMD chipset driver allow local authenticated attackers to achieve SYSTEM-level privilege escalation and execute arbitrary code. The vulnerability affects nearly all AMD Ryzen, Threadripper, EPYC, and Athlon processors across desktop, mobile, embedded, and server product lines. AMD has released patched chipset driver versions 8.01.20.513 (consumer/workstation) and 8.03.14.329/8.03.16.641 (server). No active exploitation confirmed at time of analysis, but the local vector and low attack complexity make this exploitable by any authenticated Windows user, including standard users without admin rights.

Privilege Escalation Amd RCE
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-48512 HIGH This Week

Privilege escalation in AMD GPIO controller driver for Windows allows authenticated local users with low privileges to execute arbitrary code with elevated rights via insecure directory permissions. Affects nearly the entire AMD processor portfolio from Ryzen 3000-series through latest EPYC 9005 and Ryzen AI 300. AMD has released patched chipset drivers (version 7.04.09.545 for most desktop/mobile products, 8.03.16.641 for server platforms) addressing the vulnerability. EPSS score and KEV status not provided in source data, but the local attack vector and user interaction requirement limit remote exploitation risk despite the 7.0 CVSS score.

Privilege Escalation Amd RCE
NVD VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-45675 PyPI HIGH PATCH GHSA This Week

Multiple concurrent LDAP or OAuth first-login requests on a freshly deployed Open WebUI instance can all receive administrator privileges through a TOCTOU race condition in role assignment logic. The vulnerability affects deployments using LDAP or OAuth authentication on instances with no existing users. While the regular signup handler was explicitly patched for this race condition in earlier code ('Insert with default role first to avoid TOCTOU race'), the LDAP and OAuth authentication paths were never updated with the same fix. Vendor-released patch available in version 0.9.0 (April 2026). No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists per GitHub advisory GHSA-h3ww-q6xx-w7x3. CVSS 8.1 (High) reflects network attack vector but requires high attack complexity (precise timing of concurrent requests during narrow first-deployment window).

Privilege Escalation Python
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-45665 npm HIGH PATCH GHSA This Week

Stored XSS in Open WebUI Banner component enables privilege escalation from compromised admin to Super Admin. A malicious administrator can inject markdown-based JavaScript payloads (e.g., `[text](javascript:...)`) that bypass DOMPurify sanitization due to incorrect sanitizer-parser execution order in Banner.svelte:103. When the Super Admin views the global banner and clicks the crafted link, their session token is exfiltrated to the attacker. Vendor-released patch available in v0.8.0 (2026-02-12) reversing sanitization order to `DOMPurify.sanitize(marked.parse(...))`. CVSS 8.1 (High) with Network vector, Low complexity, but requires High privileges (admin) and User interaction (click). No KEV listing or EPSS data available; publicly disclosed POC with detailed reproduction steps.

XSS Privilege Escalation
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-45399 PyPI HIGH PATCH GHSA This Week

Broken object-level authorization in Open WebUI allows any authenticated low-privilege user to enumerate and terminate background tasks belonging to other users via GET /api/tasks and POST /api/tasks/stop/{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.

Authentication Bypass Redis Privilege Escalation Python
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45395 npm HIGH PATCH GHSA This Week

Privilege escalation in Open WebUI allows authenticated users with 'write' access grants on tools to execute arbitrary server-side Python code without the required workspace.tools permission. The tool update endpoint (POST /api/v1/tools/id/{id}/update) fails to enforce the workspace.tools authorization check that gates code execution, allowing users explicitly denied code execution capabilities to bypass this security boundary. This breaks Open WebUI's documented trust model where workspace.tools permission is intentionally disabled by default and 'equivalent to giving them shell access to the server.' Exploitation achieves root code execution (PID 1) in default Docker deployments, enabling extraction of secrets (WEBUI_SECRET_KEY, API keys), database access, and filesystem read/write. Confirmed by GitHub security advisory GHSA-p4fx-23fq-jfg6. No public exploit or KEV listing at time of analysis, but detailed proof-of-concept with Burp Collaborator confirmation exists in the advisory.

Microsoft Python RCE Privilege Escalation Docker
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-45316 PyPI LOW PATCH GHSA Monitor

Open WebUI versions up to 0.9.2 allow users with read-only access to shared notes to toggle the pin status via the POST /api/v1/notes/{id}/pin endpoint, which incorrectly checks for read permission instead of write permission. This privilege escalation enables read-only users to perform a write operation (toggling is_pinned state) that should be restricted to users with explicit write access. The vulnerability is limited to the pin operation and does not permit modification of note content, title, or access grants. Publicly available proof-of-concept demonstrates the bypass across all shared notes with read access.

Authentication Bypass Python Privilege Escalation
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-8557 HIGH PATCH This Week

Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

Denial Of Service Use After Free Memory Corruption Privilege Escalation Google +3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-8547 HIGH PATCH This Week

Insufficient policy enforcement in Passwords in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Privilege Escalation Microsoft Google Red Hat +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-8629 HIGH PATCH This Week

Privilege escalation in Crabbox versions prior to v0.12.0 allows authenticated users with visibility-only permissions to escalate privileges and obtain code execution, remote desktop access, and data exfiltration capabilities. By directly invoking three unprotected ticket-generation endpoints (/v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, /v1/leases/:id/egress/ticket), attackers can obtain bridge-agent credentials and impersonate trusted lease-side bridges, bypassing intended read-only access restrictions. The vulnerability was patched in v0.12.0 (commit 95cb30dc) following VulnCheck disclosure. CVSS 8.6 (High) reflects network-accessible exploitation requiring only low-privilege authentication with low attack complexity. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack is straightforward for authenticated insiders.

Authentication Bypass Privilege Escalation Crabbox
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-27680 LOW Monitor

CSS injection in SAP NetWeaver Application Server ABAP allows unauthenticated remote attackers to inject malicious Cascading Style Sheets into web pages served by the application, with exploitation requiring user interaction (clicking or accessing the affected page). The injected CSS executes in the victim's browser context, resulting in low-impact confidentiality loss; integrity and availability are not affected. CVSS 3.1 reflects the limited impact and high attack complexity required.

Privilege Escalation SAP
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
EPSS 0% CVSS 8.6
HIGH POC This Week

Splinterware System Scheduler Pro 5.12 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by modifying service executable files. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Splinterware System Scheduler Pro
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

A security vulnerability has been identified in Acer Care Center where the ACCSvc service creates a Named Pipe with a weak Security Descriptor. This vulnerability allows an authenticated local user to connect and send a specially crafted message (message type 0x03) to the pipe, causing the service to crash with exit code 1067 (ERROR_PROCESS_ABORTED). To mitigate this potential local service disruption, Acer requires users to update the software to the latest version.

Privilege Escalation Care Center
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

NitroSense 3.x before 3.01.3052 contains Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges.

Microsoft Path Traversal RCE +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the WishList Member WordPress plugin (versions through 3.30.1) allows authenticated subscriber-level attackers to extract the plugin's plaintext REST API Secret Key and use it to create administrator accounts, resulting in full site takeover. The flaw is reachable via a single AJAX call (ajax_get_screen) that lacks capability and nonce checks. No public exploit identified at time of analysis, but the attack path is fully described in the Wordfence advisory and requires only low-privileged authenticated access.

WordPress Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Wishlist Member WordPress plugin (versions through 3.30.1) allows any authenticated user with Subscriber-level access or higher to update arbitrary plugin options, including the REST API Secret Key, leading to full site takeover. The flaw stems from a missing capability check in the Team_Accounts::save_settings function, and although no public exploit identified at time of analysis, the low authentication bar and chained admin-account creation path make it a high-priority risk on any WordPress site that permits public registration.

WordPress Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the WishList Member WordPress plugin versions up to 3.30.1 allows authenticated low-privilege users to obtain the REST API Secret Key via the unprotected 'export_settings' AJAX endpoint and leverage it to register arbitrary administrator accounts. The CVSS 8.8 (High) rating reflects full confidentiality, integrity, and availability impact, and while no public exploit is identified at time of analysis, the discovery by Wordfence - a major WordPress security vendor - typically precedes broader exploitation against the large WordPress plugin ecosystem.

WordPress Information Disclosure Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Wishlist Member WordPress plugin (versions ≤3.30.1) allows authenticated Subscriber-level users to overwrite the plugin's REST API Secret Key and abuse it to create administrator accounts, leading to full site takeover. The flaw stems from a missing capability check on the generate_api_key hook handler. No public exploit identified at time of analysis, though Wordfence has published a threat-intel advisory.

WordPress Privilege Escalation
NVD
EPSS 0% CVSS 7.5
HIGH PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft Entra ID (formerly Azure AD), specifically affecting Microsoft Global Secure Access (GSA), allows remote unauthenticated attackers to gain elevated privileges over the network. The CVSS 7.5 rating reflects high confidentiality impact with no required authentication or user interaction, though no public exploit has been identified at time of analysis. The vector points to a flaw in how identity or access tokens are evaluated, which is particularly sensitive given Entra ID's role as a primary IAM backbone for Microsoft 365 and Azure tenants.

Microsoft Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Privilege escalation in authentik identity provider versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2 allows an authenticated user holding the change_user permission to assign arbitrary groups - including superuser groups - to any target user via the PATCH /api/v3/core/users/{pk}/ endpoint. The UserSerializer skips the enable_group_superuser check enforced in the dedicated group-management paths, letting delegated user-management roles promote themselves or others to administrator-equivalent privilege. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the trivial attack mechanics (a single PATCH request) make weaponization straightforward for any tenant that has delegated user administration.

Privilege Escalation Authentik
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collaborator-crafted bot to execute arbitrary HTML/JavaScript in the authenticated builder context via the RatingButton component's customIcon.svg field. Because the builder preview renders bots inline on builder.typebot.io under a CSP permitting 'unsafe-inline', successful exploitation enables session hijacking and privilege escalation within the SaaS builder, with no public exploit identified at time of analysis.

XSS Privilege Escalation Typebot Io
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Privilege escalation in Go's golang.org/x/net/idna package (all versions before 0.55.0) stems from ToASCII and ToUnicode accepting Punycode labels that decode to an ASCII-only label, so ToUnicode("xn--example-.com") returns "example.com" instead of an error. Applications that perform authorization checks on an ASCII hostname and then convert it to Unicode can be tricked into permitting a name that the direct check would have rejected. This is a library-level flaw (CVSS 9.6, scope-changed) reported by the Go team; there is no public exploit identified at time of analysis and EPSS is very low (0.04%, 14th percentile).

Privilege Escalation Golang Org X Net Idna
NVD VulDB
EPSS 0% CVSS 2.1
LOW PATCH This Week

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

XSS Privilege Escalation Concrete Cms
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Directory listing exposure in Dell PowerFlex Manager versions 4.6.2 and earlier allows an attacker to enumerate directory contents, potentially revealing sensitive files, configuration data, or internal path structures. Both the Appliance and Rack deployment forms are confirmed affected per Dell advisories DSA-2025-434 and DSA-2025-435. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, but the combination of Information Disclosure and Privilege Escalation tags suggests the exposed directory contents may facilitate further privilege escalation beyond initial information leakage.

Dell Information Disclosure Privilege Escalation +3
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Unauthenticated privilege escalation in the Easy Elements for Elementor WordPress plugin through version 1.4.5 allows remote attackers to register administrator accounts by abusing an unchecked custom_meta parameter in the eel_register AJAX handler. The flaw lets attackers overwrite the wp_capabilities user meta after wp_insert_user() has assigned a safe role, granting full site takeover. No public exploit identified at time of analysis, and the CVSS vector's PR:L appears inconsistent with the description's explicit unauthenticated abuse path.

WordPress Privilege Escalation Elementor
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Concrete CMS 9.5.0 and earlier allows authenticated users with access to the bulk user assignment dashboard to add arbitrary accounts to the Administrators group and remove existing admins, effectively hijacking site control. The flaw stems from missing authorization checks in bulk_user_assignment.php and was disclosed with a vendor-assigned CVSS v4.0 score of 7.5. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

PHP Authentication Bypass Privilege Escalation
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in LiteLLM proxy versions prior to 1.83.14 allows an authenticated internal_user to elevate to proxy_admin by generating an API key with an attacker-controlled allowed_routes field that grants access to admin-only endpoints. Because the key-generation handler did not verify that the requested routes fell within the caller's own role permissions, the resulting key successfully reaches admin routes and bypasses role-based access control. Publicly available exploit code exists via a Huntr bounty disclosure and gist, and the upstream commits are merged in the v1.83.14-stable release.

Authentication Bypass Privilege Escalation Litellm
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in Fission (Kubernetes serverless framework) versions <= 1.22.0 allows any user able to deploy or update a Function CRD to read every Secret and ConfigMap in the runtime namespace, bypassing the Function.spec.secrets allowlist. The flaw stems from runtime pods running under the namespace-privileged fission-fetcher ServiceAccount whose automounted token is reachable by the user-code container alongside the fetcher sidecar. No public exploit identified at time of analysis, but the vendor-issued advisory (GHSA-85g2-pmrx-r49q) describes a trivially reachable abuse path once a function can be deployed.

Kubernetes Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in samlify (Node.js SAML library) versions prior to 2.13.0 allows authenticated users to inject arbitrary XML markup into signed SAML assertions because template substitution only escapes attribute contexts, not element text. An attacker with a valid account can supply crafted values in user-controlled fields (e.g., email) that close the AttributeValue element and inject additional saml:Attribute elements (such as role=admin), which the IdP then signs and the SP accepts as trusted. No public exploit identified at time of analysis beyond the vendor-published PoC in the GHSA advisory.

Node.js Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileged code execution to win a race condition in the endpoint protection agent and elevate to higher privileges. The flaw is a time-of-check time-of-use (TOCTOU) weakness (CWE-367) in the Apex One/SEP agent on Windows endpoints, with no public exploit identified at time of analysis and not currently listed in CISA KEV. The vendor has published advisory KA-0023430 with fixed builds.

Privilege Escalation Trendai Apex One Trendai Apex One As A Service
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows an authenticated low-privileged user to elevate to higher privileges by abusing an origin validation flaw in one of the agent's process protection communication mechanisms. No public exploit identified at time of analysis, but the vulnerability is companion to CVE-2026-45206 in a parallel code path, which suggests the underlying class of issue is actively being researched by Trend Micro's own team.

Privilege Escalation Trendai Apex One Trendai Apex One As A Service
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows low-privileged attackers to elevate to higher privileges by abusing an origin validation weakness (CWE-346) in one of the agent's process protection communication mechanisms. The flaw is a sibling issue to CVE-2026-45207 affecting a different IPC channel and is reported by Trend Micro itself; no public exploit identified at time of analysis and the CVE is not on CISA KEV.

Privilege Escalation Trendai Apex One Trendai Apex One As A Service
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One and Apex One as a Service stems from an origin validation weakness (CWE-346) in one of the agent's process protection mechanisms, allowing a low-privileged local attacker to elevate to SYSTEM-level privileges on affected installations. The flaw was reported by Trend Micro itself and is a sibling issue to CVE-2026-34927, which affects a different process protection mechanism in the same agent. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Privilege Escalation Trendai Apex One Trendai Apex One As A Service
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileged code execution to gain elevated rights by exploiting weak origin validation in an inter-process communication channel. No public exploit identified at time of analysis, but the flaw is a sibling to CVE-2026-34927 (different IPC mechanism in the same agent) which raises the likelihood of researcher and adversary interest. Vendor patches are available for both the on-prem 2019 (14.0) line and the SaaS offering.

Privilege Escalation Trendai Apex One Trendai Apex One As A Service
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One and Apex One as a Service security agents allows a low-privileged attacker who already has code execution on the endpoint to elevate to higher privileges by abusing a named pipe that fails to validate the origin of incoming connections. The flaw is companion to CVE-2026-34927 (a sibling issue in a different named pipe) and currently has no public exploit identified at time of analysis, but its presence in widely-deployed endpoint security software materially raises post-compromise risk.

Privilege Escalation Trendai Apex One Trendai Apex One As A Service
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One (on-premises 2019/14.0) and Apex One as a Service allows a low-privileged user already executing code on the host to elevate to higher privileges by abusing an origin validation weakness in the security agent. The flaw carries a CVSS 7.8 (local, low complexity) and no public exploit identified at time of analysis, but because the agent typically runs with SYSTEM-level rights, successful exploitation yields full host compromise. Trend Micro has issued patched builds (KA-0023430).

Privilege Escalation Trendai Apex One Trendai Apex One As A Service
NVD VulDB
EPSS 0% CVSS 7.8
HIGH HOSTED Monitor

An origin validation error vulnerability in the Trend Micro Apex One (mac) agent self-protection mechanism could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release).

Trend Micro Privilege Escalation
NVD
EPSS 0% CVSS 7.8
HIGH HOSTED Monitor

A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent cache mechanism could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release).

Trend Micro Privilege Escalation
NVD
EPSS 0% CVSS 7.0
HIGH HOSTED Monitor

A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent iCore service signature verification could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release).

Trend Micro Privilege Escalation
NVD
EPSS 0% CVSS 7.8
HIGH HOSTED Monitor

An origin validation error vulnerability in the Trend Micro Apex One (mac) agent iCore service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release).

Trend Micro Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Trend Micro Apex One and Apex One as a Service stems from an origin validation error (CWE-346) that lets an authenticated low-privileged attacker elevate to higher privileges on the host. Trend Micro has released fixed builds and ZDI has published an advisory (ZDI-26-140); no public exploit identified at time of analysis, though vendor-reported vulnerabilities in endpoint security agents are frequent targets for post-compromise attackers.

Trend Micro Privilege Escalation
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Trend Micro Apex One scan engine allows low-privileged users on Windows endpoints to gain elevated privileges by abusing a link-following weakness (CWE-59) in the scanner's file-handling logic. The flaw affects on-premise Apex One 2019 builds prior to 14.0.0.14136 and the SaaS edition prior to 14.0.20315, with a patch available from Trend Micro; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Trend Micro Privilege Escalation
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in the Divi Form Builder WordPress plugin (versions ≤5.1.2) allows unauthenticated remote attackers to register administrator accounts by submitting a tampered 'role' parameter in the registration POST body. The plugin trusts the client-supplied role value instead of enforcing the form's configured default_user_role, yielding full WordPress site takeover. No public exploit identified at time of analysis, but the CVSS 9.8 score and trivial exploitability make this a high-priority patch for any site running the plugin with public registration forms.

WordPress Privilege Escalation
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.

Privilege Escalation Freebsd
NVD VulDB
EPSS 0% 5.0 CVSS 10.0
CRITICAL POC KEV PATCH THREAT Act Now

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent plugin) is unaffected. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features.

Privilege Escalation Redis
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Incorrect default permissions in Progress Software MOVEit Automation expose embedded sensitive data to authenticated low-privileged users over the network. Affected versions span the 2025.0.x line before 2025.0.11 and the 2025.1.x line before 2025.1.7. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) indicates that any network-accessible instance running a vulnerable version can be exploited by a legitimately authenticated user with minimal privileges, resulting in high confidentiality impact with no integrity or availability loss. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.

Information Disclosure Privilege Escalation Moveit Automation
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation in Rsync daemon (versions ≤ 3.4.2) is possible via a TOCTOU symlink race when the daemon is configured with 'use chroot = no'. An authenticated local attacker with write access to a module can swap a parent directory component for a symlink between the receiver's path check and its open() call, redirecting writes outside the module and overwriting sensitive files. No public exploit identified at time of analysis, but the upstream patch in release 3.4.3 and a detailed VulnCheck advisory disclose the precise race window.

Privilege Escalation Rsync
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Read More & Accordion WordPress plugin (versions up to and including 3.5.7) allows authenticated low-privileged users granted import rights through the plugin's role settings to write arbitrary rows into the wp_users and wp_usermeta tables, effectively creating a new administrator account. The flaw stems from the RadMoreAjax::importData function failing to restrict target database tables and to validate imported data. No public exploit identified at time of analysis, though the vulnerability was disclosed by Wordfence threat intelligence researchers.

WordPress Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the BeycanPress Account Switcher WordPress plugin (versions up to and including 1.0.2) allows authenticated Subscriber-level users to hijack any account, including Administrator, by abusing a loose PHP comparison in the rememberLogin REST endpoint. No public exploit is identified at the time of analysis, but the issue is trivially reproducible from the disclosed root cause and the plugin source on WordPress.org is publicly indexable.

WordPress PHP Authentication Bypass +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in the Easy Elements for Elementor WordPress plugin (versions up to and including 1.4.4) allows unauthenticated remote attackers to register accounts with the 'administrator' role, granting full site takeover. The flaw exists in the 'easyel_handle_register' function which fails to validate or restrict the user role parameter submitted during registration. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's disclosure make weaponization straightforward.

WordPress Privilege Escalation Elementor
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in haveged (HArdware Volatile Entropy Gathering and Expansion Daemon) allows authenticated low-privileged users to escalate to root via the daemon's command socket, which is affected by missing authentication for a critical function (CWE-305). The flaw was disclosed on the oss-security mailing list on 2026-05-20 by Jiri Hladky, with vendor patches available from SUSE and tracking in Debian (bug#1137096); no public exploit identified at time of analysis.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation in CtrlPanel hosting billing software (versions ≤1.1.1) allows any authenticated low-privilege user to invoke admin write endpoints because store()/update() controller methods omit the RBAC permission checks present on their corresponding form-display methods. Successful exploitation yields effective admin control over API credentials, coupons, vouchers, partner commissions, shop pricing, server ownership, and user accounts (including roles, credits, passwords, and Pterodactyl linkages). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored XSS in CtrlPanel's admin role management interface (versions 1.1.1 and prior) allows a privileged admin to inject persistent malicious HTML into role name or color fields, which executes in the browser of every admin who subsequently loads the /admin/roles page. The attack enables session hijacking, credential harvesting via fake login prompts or keyloggers, and lateral privilege escalation by performing admin actions on behalf of victim admins - with the payload re-executing on every page load until the offending role record is manually deleted. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept payload is documented in the vendor advisory. Fixed in version 1.2.0.

PHP XSS Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Local privilege escalation in Broadcom Automic Automation Agent versions prior to 24.4.4 HF1 allows authenticated low-privileged users on Unix-family systems (Linux x64, Linux Power 64 BE/LE, zLinux, AIX, Solaris x64, Solaris Sparc 64) to abuse the agent's elevated privileges and target programs running with higher rights. The CVSS 4.0 score of 8.5 reflects high confidentiality, integrity, and availability impact achievable from a local foothold, with no public exploit identified at time of analysis.

Broadcom Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Cross-tenant DNS and TLS poisoning in Windmill versions prior to 1.703.2 allows authenticated low-privilege users to write to /etc/hosts, /etc/resolv.conf, and the system CA bundle from inside nsjail script sandboxes, persisting tampered state across every subsequent job on the same worker pod. Because poisoned entries survive between executions, attackers can hijack hostname resolution, perform transparent HTTPS man-in-the-middle, and steal WM_TOKEN JWTs to escalate to workspace-admin in other tenants. Publicly available exploit code exists per SSVC (poc), and CVSS 4.0 rates this 8.6 with high confidentiality and integrity impact.

Privilege Escalation Windmill
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Missing Redis cache invalidation in Budibase's public API role unassignment endpoint allows users with revoked admin, builder, or app-level privileges to retain full access for up to 1 hour (the hardcoded Redis TTL of 3600 seconds). Affected deployments are Budibase versions prior to 3.38.2 running an enterprise license, where the `POST /api/public/v1/roles/unassign` endpoint writes revocations to CouchDB but never calls `cache.user.invalidateUser()`, leaving the authentication middleware to serve stale permissions from Redis. Publicly available exploit code exists within the GHSA-6vp2-6r7m-2jvx advisory; no confirmed active exploitation (not listed in CISA KEV at time of analysis).

Redis Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored XSS in Argo CD allows developer-role users to inject javascript: URIs via link.argocd.argoproj.io/* annotations, which render unvalidated in the Application Summary tab's URLs section. When an admin clicks the disguised link, arbitrary JavaScript executes in the ArgoCD same-origin context with the victim's session, enabling API exfiltration and developer-to-admin privilege escalation. No public exploit identified at time of analysis beyond the detailed vendor PoC, and the issue is not currently listed in CISA KEV.

Kubernetes XSS Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Mozilla Firefox's WebRTC Audio/Video component allows remote attackers to elevate privileges within the browser context when a user is lured into interacting with a malicious page. The flaw carries a CVSS 8.8 with required user interaction and was addressed in Firefox 151; no public exploit identified at time of analysis and EPSS exploitation probability sits at 0.03% (8th percentile).

Mozilla Privilege Escalation Suse +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Mozilla Firefox's Security component allows remote attackers to elevate privileges within the browser when a victim interacts with attacker-controlled content, affecting Firefox versions prior to 151 and Firefox ESR prior to 140.11. With CVSS 8.8 (high) and user interaction required, exploitation is plausible via malicious web content, though EPSS sits at just 0.04% (12th percentile) and no public exploit identified at time of analysis. SSVC rates exploitation as 'none' but flags the issue as automatable with partial technical impact, suggesting concerning scalability if a working exploit emerges.

Mozilla Privilege Escalation Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in the Enterprise Policies component of Mozilla Firefox affects versions prior to Firefox 151 and Firefox ESR 140.11, allowing remote attackers who can convince a user to interact with crafted content to elevate privileges within the browser. No public exploit identified at time of analysis, and EPSS scoring places exploitation probability at just 0.03% (9th percentile). The vulnerability requires user interaction per the CVSS vector, which somewhat constrains real-world weaponization despite the high 8.8 CVSS score.

Mozilla Privilege Escalation Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Mozilla Firefox's DOM Workers component allows remote attackers to elevate privileges within the browser when a victim interacts with a malicious web page. Affects Firefox versions prior to 151 and Firefox ESR prior to 140.11, with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.03% (9th percentile).

Mozilla Privilege Escalation Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Mozilla Firefox via the Application Update component allows remote attackers to gain elevated privileges when a user interacts with malicious content, fixed in Firefox 151. The flaw carries a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R) and is categorized under CWE-269 (Improper Privilege Management). There is no public exploit identified at time of analysis, and EPSS estimates only a 0.03% probability of exploitation in the next 30 days.

Mozilla Privilege Escalation Suse +1
NVD VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Local privilege escalation in OPPO's O+ Connect application stems from missing caller identity validation on a named pipe interface (CWE-266), allowing a low-privileged local user with user interaction to escalate to higher privileges with high availability impact and scope change. The CVSS 3.1 score is 7.3 and the issue was reported by OPPO itself; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Privilege Escalation O Connect
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation in Mullvad VPN for macOS versions 2026.1 and earlier allows a user in the admin group to gain root code execution during installation or upgrade. The installer's preinstall script executes binaries from /Applications/Mullvad VPN.app without verifying the bundle's integrity, enabling an admin-group attacker to pre-stage a malicious app bundle that runs as root. No public exploit identified at time of analysis, and the flaw is only triggerable when an installer is run, not on already-installed systems.

Privilege Escalation Apple RCE
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Server-side request forgery in scalar/astro v0.1.13 allows remote unauthenticated attackers to coerce the backend into making HTTP requests to attacker-controlled destinations via the scalar_url query parameter of the Scalar Proxy endpoint. Exploitation can expose authentication cookies and headers forwarded by the proxy, enabling account takeover and potential privilege escalation. Publicly available exploit code exists, though EPSS is low (0.03%) suggesting limited mass exploitation at this time.

Privilege Escalation SSRF N A
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in LalanaChami Pharmacy Management System (commit 5c3d028) allows any remote unauthenticated attacker to register a new account with administrator privileges by simply including a role parameter in the signup request body. The /api/user/signup endpoint trusts client-supplied role values without server-side validation, granting full administrative access in a single HTTP call. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but the trivial nature of the flaw means weaponization is straightforward once anyone notices the gist already documenting the issue.

Privilege Escalation N A
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

An issue was discovered in the Portrait Dell Color Management application before 3.7.0 for Dell monitors. On Windows, a symbolic link vulnerability allows a local low-privileged user to escalate privileges to Administrator. During installation, the software writes the file CCFLFamily_07Feb11.edr to C:\ProgramData\Portrait Displays\CW\data\i1D3\ while running with elevated privileges. Because the installer does not properly validate symbolic links or reparse points at the destination path, an attacker can create a malicious link that redirects the write operation to an arbitrary system location, enabling arbitrary file creation or overwrite with elevated privileges.

Microsoft Dell Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in self-hosted Budibase (@budibase/worker < 3.38.1) allows any authenticated builder-level user to create a global admin account via the POST /api/global/users/onboard endpoint when SMTP is not configured, with the generated password returned directly in the HTTP response. The flaw stems from the onboard route being gated by builderOrAdmin middleware while exposing the same user-creation power as the admin-only invite endpoints, and no public exploit is identified at time of analysis although the GHSA advisory includes a complete, working proof-of-concept curl chain.

Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in the CI4MS (CodeIgniter 4 CMS/ERP) Pages module versions <= 0.31.8.0 allows authenticated content authors holding the pages.create or pages.update permission to persist arbitrary JavaScript that executes in every visitor's browser when the public Pages renderer outputs the field unescaped. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-gqr2-7hcg-rchf), and because vulnerable pages can be promoted to the site home page, a single injection escalates from a low-privileged author to full administrator session takeover when an admin browses the front-end.

Privilege Escalation PHP RCE +2
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Broken access control in Arcane's GitOps backend (versions <= 1.18.1) allows any authenticated low-privilege user to exfiltrate plaintext Git credentials (PATs/SSH keys) stored for source-of-truth repositories. Eight of nine /api/customize/git-repositories endpoints omit the checkAdmin() gate, letting a 'user' role attacker repoint a repository URL to an attacker-controlled host and trigger a /test or /branches call that transmits the decrypted token via HTTP Basic auth. No public exploit identified at time of analysis, but the GHSA advisory documents a complete attack chain and a patched release (1.19.0) is available.

Authentication Bypass Gitlab Privilege Escalation +2
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authorization bypass in Creartia's ICMS content management system allows remote unauthenticated attackers to gain unauthorized access to protected features and escalate privileges by manipulating HTTP redirect headers during the login process. The vulnerability has a CVSS 9.3 score and vendor patches are available through INCIBE advisory.

Authentication Bypass Privilege Escalation Icms Content Management
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalation vulnerability that may allow an authenticated user with limited access privileges to gain unauthorized administrator-level privileges through exploitation of specific system interfaces.

Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated attackers can escalate privileges to Administrator in AI Engine WordPress plugin version 3.4.9 through improper authorization in the MCP OAuth bearer-token implementation. The plugin accepts any valid OAuth token for Model Context Protocol (MCP) access without verifying administrator privileges, allowing low-privileged users (Subscriber+) to execute admin-level MCP tools. No public exploit or active exploitation identified at time of analysis.

WordPress Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Kite 4.2.0.1 U1 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to escalate privileges by exploiting the service binary path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Advanced System Care Service 13.0.0.157 contains an unquoted service path vulnerability in the AdvancedSystemCareService13 service binary path that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Advanced System Care Service
NVD Exploit-DB
EPSS 0% CVSS 8.5
HIGH POC This Week

Syncplify.me Server!. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Syncplify Me Server
NVD Exploit-DB
EPSS 0% CVSS 8.5
HIGH POC This Week

OKI sPSV Port Manager 1.0.41 contains an unquoted service path vulnerability in the sPSVOpLclSrv service that allows local attackers to escalate privileges by inserting executable files into the. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Oki Spsv Port Manager
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Budibase servers before version 3.38.1 allow any authenticated application user to modify datasource connection parameters through the REST API endpoint PUT /api/datasources/:datasourceId, which requires only basic TABLE/READ permissions instead of builder-level access. This authorization bypass enables attackers with minimal BASIC role privileges to redirect PostgreSQL, MySQL, MongoDB, or REST datasources to arbitrary hosts and ports, creating server-side request forgery (SSRF) conditions that bypass existing HTTP-layer protections for SQL driver connections. The vulnerability has been assigned CVSS 8.8 (High) and is fixed in Budibase 3.38.1.

Authentication Bypass PostgreSQL Privilege Escalation +2
NVD GitHub VulDB
EPSS 0% 4.9 CVSS 7.1
HIGH POC PATCH Act Now

Local privilege escalation in the Linux kernel ptrace subsystem allows authenticated users to bypass the traditional capability-dropping security model when accessing kernel thread details via PTRACE_MODE_READ_FSCREDS checks. The flaw stems from get_dumpable() logic returning misleading values for tasks without an associated memory map (mm), enabling uid-0 processes that have dropped capabilities to still read sensitive kernel thread information. Publicly available exploit code exists (referenced in OSS-security and a GitHub PoC against ssh-keysign), though EPSS scoring (0.02%) indicates low likelihood of widespread exploitation.

Privilege Escalation Linux
NVD VulDB GitHub
EPSS 0% CVSS 3.6
LOW Monitor

HarmonyOS app management and control module permits local privilege escalation through improper permission controls, allowing unauthenticated local attackers with user interaction to access confidential service data. CVSS 3.6 (low severity) reflects local-only attack vector and requirement for user interaction, though the privilege escalation nature means affected systems warrant review for deployment context.

Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in Frontend Admin by DynamiApps plugin allows authenticated attackers with editor-level access to elevate privileges to administrator. The vulnerability exists due to insufficient authorization checks when configuring user role options in edit_user forms combined with overly permissive capabilities on the admin_form post type. Attackers can bypass UI restrictions by directly manipulating POST data to include 'administrator' in role_options, then use the crafted form to assign themselves administrator privileges. CVSS 8.8 reflects network-accessible, low-complexity exploitation requiring only low privileges (editor account). No public exploit code identified at time of analysis, though the attack chain is straightforward for authenticated users. EPSS data not provided, but the technical barrier is minimal once editor access is obtained.

Privilege Escalation PHP WordPress
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in VMware Fusion allows authenticated users with non-administrative privileges to gain root access by exploiting a TOCTOU race condition in a SETUID binary. The vulnerability requires local access and low attack complexity (CVSS:3.1 AV:L/AC:L/PR:L), enabling complete system compromise on macOS hosts running affected Fusion versions. EPSS and KEV status data not available; exploitation requires existing local user access but can bypass all privilege boundaries once triggered.

VMware Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Improper isolation of shared resources within the CPU operation cache on Zen 2-based products could allow an attacker to corrupt instructions executed at a different privilege level, potentially resulting in privilege escalation.

Privilege Escalation Amd Epyc 7002 Series Processors Amd Ryzen 4000 Series Mobile Processors With Radeon Graphics +10
NVD VulDB
EPSS 0% CVSS 7.0
HIGH This Week

A DLL hijacking vulnerability in the AMD Cleanup Utility could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE Amd
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

DDR5 memory modules in multiple AMD Ryzen processor families contain an insecure default PMIC (Power Management Integrated Circuit) interface configuration that allows local users with standard privileges to cause permanent denial of service or corrupt memory module integrity via unprotected firmware access. The vulnerability affects Ryzen 4000, 7000, 7020, 7030, 7035, 7040, 7045 series processors and Threadripper Pro 3000 WX-series, requiring local system access but no special privileges or user interaction. No public exploit code or active exploitation has been confirmed at time of analysis.

Privilege Escalation Denial Of Service Amd Ryzen 4000 Series Mobile Processors With Radeon Graphics +32
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in Rapid7 Metasploit Pro allows unprivileged Windows users to achieve SYSTEM-level execution via OpenSSL configuration file hijacking. The metasploitPostgreSQL service loads openssl.cnf from a non-existent directory writable by standard users, enabling arbitrary command execution with SYSTEM privileges. Rated CVSS 8.5 (High) with proof-of-concept exploitation status (E:P). EPSS data not yet available. Not currently listed in CISA KEV catalog, suggesting vendor-disclosed rather than observed in-the-wild exploitation at time of analysis.

Privilege Escalation Microsoft PostgreSQL +1
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Improper Input Validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location potentially resulting in privilege escalation and arbitrary code execution. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Amd RCE
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in AMD Platform Management Framework (PMF) allows authenticated attackers with low privileges to unmap arbitrary memory pages, potentially executing code with elevated privileges or triggering system crashes. Affects modern AMD Ryzen mobile processors across multiple generations (6000/7000/8000/AI 300 series, embedded variants). The vulnerability enables both horizontal escalation (confidentiality compromise via changed scope in CVSS 4.0) and vertical impact (integrity/availability degradation). No evidence of active exploitation (not in CISA KEV), but the local attack vector with low complexity makes this exploitable by malware or malicious insiders once system access is obtained. EPSS data not available for risk calibration.

Privilege Escalation Amd
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Out-of-bounds write in the AMD Platform Management Framework (PMF) Driver enables local authenticated users to escalate privileges on AMD Ryzen 6000/7000/8000 series processors. The vulnerability stems from improper input validation (CWE-787) allowing memory corruption beyond allocated buffer boundaries. Exploitation requires low-privilege local access with low attack complexity (CVSS 4.0: AV:L/AC:L/PR:L), making this a realistic post-compromise escalation vector. AMD released chipset driver version 7.06.02.123 addressing all affected Ryzen series. No public exploit or active exploitation confirmed at time of analysis.

Privilege Escalation Amd Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Out-of-bounds read/write in AMD Platform Management Framework (PMF) driver allows local authenticated users to escalate privileges on Ryzen 6000/7000/8000 series processors. AMD has released patched chipset software version 7.06.02.123 addressing the improper input validation vulnerability. No public exploit code identified and CISA has not added this to KEV, indicating exploitation is not yet confirmed in real-world attacks despite the high CVSS score. Attackers must already have local system access with standard user privileges to exploit this vulnerability.

Privilege Escalation Amd Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Insecure installation directory permissions in AMD chipset driver allow local authenticated attackers to achieve SYSTEM-level privilege escalation and execute arbitrary code. The vulnerability affects nearly all AMD Ryzen, Threadripper, EPYC, and Athlon processors across desktop, mobile, embedded, and server product lines. AMD has released patched chipset driver versions 8.01.20.513 (consumer/workstation) and 8.03.14.329/8.03.16.641 (server). No active exploitation confirmed at time of analysis, but the local vector and low attack complexity make this exploitable by any authenticated Windows user, including standard users without admin rights.

Privilege Escalation Amd RCE
NVD VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Privilege escalation in AMD GPIO controller driver for Windows allows authenticated local users with low privileges to execute arbitrary code with elevated rights via insecure directory permissions. Affects nearly the entire AMD processor portfolio from Ryzen 3000-series through latest EPYC 9005 and Ryzen AI 300. AMD has released patched chipset drivers (version 7.04.09.545 for most desktop/mobile products, 8.03.16.641 for server platforms) addressing the vulnerability. EPSS score and KEV status not provided in source data, but the local attack vector and user interaction requirement limit remote exploitation risk despite the 7.0 CVSS score.

Privilege Escalation Amd RCE
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Multiple concurrent LDAP or OAuth first-login requests on a freshly deployed Open WebUI instance can all receive administrator privileges through a TOCTOU race condition in role assignment logic. The vulnerability affects deployments using LDAP or OAuth authentication on instances with no existing users. While the regular signup handler was explicitly patched for this race condition in earlier code ('Insert with default role first to avoid TOCTOU race'), the LDAP and OAuth authentication paths were never updated with the same fix. Vendor-released patch available in version 0.9.0 (April 2026). No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists per GitHub advisory GHSA-h3ww-q6xx-w7x3. CVSS 8.1 (High) reflects network attack vector but requires high attack complexity (precise timing of concurrent requests during narrow first-deployment window).

Privilege Escalation Python
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Stored XSS in Open WebUI Banner component enables privilege escalation from compromised admin to Super Admin. A malicious administrator can inject markdown-based JavaScript payloads (e.g., `[text](javascript:...)`) that bypass DOMPurify sanitization due to incorrect sanitizer-parser execution order in Banner.svelte:103. When the Super Admin views the global banner and clicks the crafted link, their session token is exfiltrated to the attacker. Vendor-released patch available in v0.8.0 (2026-02-12) reversing sanitization order to `DOMPurify.sanitize(marked.parse(...))`. CVSS 8.1 (High) with Network vector, Low complexity, but requires High privileges (admin) and User interaction (click). No KEV listing or EPSS data available; publicly disclosed POC with detailed reproduction steps.

XSS Privilege Escalation
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken object-level authorization in Open WebUI allows any authenticated low-privilege user to enumerate and terminate background tasks belonging to other users via GET /api/tasks and POST /api/tasks/stop/{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.

Authentication Bypass Redis Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in Open WebUI allows authenticated users with 'write' access grants on tools to execute arbitrary server-side Python code without the required workspace.tools permission. The tool update endpoint (POST /api/v1/tools/id/{id}/update) fails to enforce the workspace.tools authorization check that gates code execution, allowing users explicitly denied code execution capabilities to bypass this security boundary. This breaks Open WebUI's documented trust model where workspace.tools permission is intentionally disabled by default and 'equivalent to giving them shell access to the server.' Exploitation achieves root code execution (PID 1) in default Docker deployments, enabling extraction of secrets (WEBUI_SECRET_KEY, API keys), database access, and filesystem read/write. Confirmed by GitHub security advisory GHSA-p4fx-23fq-jfg6. No public exploit or KEV listing at time of analysis, but detailed proof-of-concept with Burp Collaborator confirmation exists in the advisory.

Microsoft Python RCE +2
NVD GitHub
EPSS 0% CVSS 3.5
LOW PATCH Monitor

Open WebUI versions up to 0.9.2 allow users with read-only access to shared notes to toggle the pin status via the POST /api/v1/notes/{id}/pin endpoint, which incorrectly checks for read permission instead of write permission. This privilege escalation enables read-only users to perform a write operation (toggling is_pinned state) that should be restricted to users with explicit write access. The vulnerability is limited to the pin operation and does not permit modification of note content, title, or access grants. Publicly available proof-of-concept demonstrates the bypass across all shared notes with read access.

Authentication Bypass Python Privilege Escalation
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Insufficient policy enforcement in Passwords in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Privilege Escalation Microsoft +4
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Privilege escalation in Crabbox versions prior to v0.12.0 allows authenticated users with visibility-only permissions to escalate privileges and obtain code execution, remote desktop access, and data exfiltration capabilities. By directly invoking three unprotected ticket-generation endpoints (/v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, /v1/leases/:id/egress/ticket), attackers can obtain bridge-agent credentials and impersonate trusted lease-side bridges, bypassing intended read-only access restrictions. The vulnerability was patched in v0.12.0 (commit 95cb30dc) following VulnCheck disclosure. CVSS 8.6 (High) reflects network-accessible exploitation requiring only low-privilege authentication with low attack complexity. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack is straightforward for authenticated insiders.

Authentication Bypass Privilege Escalation Crabbox
NVD GitHub
EPSS 0% CVSS 3.1
LOW Monitor

CSS injection in SAP NetWeaver Application Server ABAP allows unauthenticated remote attackers to inject malicious Cascading Style Sheets into web pages served by the application, with exploitation requiring user interaction (clicking or accessing the affected page). The injected CSS executes in the victim's browser context, resulting in low-impact confidentiality loss; integrity and availability are not affected. CVSS 3.1 reflects the limited impact and high attack complexity required.

Privilege Escalation SAP
NVD VulDB
Prev Page 7 of 148 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy