Privilege Escalation
Privilege escalation occurs when an attacker leverages flaws in access control mechanisms to gain permissions beyond what they were originally granted.
How It Works
The attack exploits the gap between the permissions the system believes it has granted a user and the actions that user can actually perform once a check is missing, misconfigured, or reachable by another route.
Vertical escalation is the classic form—a regular user obtaining administrator rights. This happens through kernel exploits that bypass OS-level security, misconfigurations in role-based access control (RBAC) that fail to enforce boundaries, or direct manipulation of authorization tokens and session data. Horizontal escalation involves accessing resources belonging to users at the same privilege level, typically through insecure direct object references (IDOR) where changing an ID in a request grants access to another user's data.
Context-dependent escalation exploits workflow logic by skipping authorization checkpoints. An attacker might access administrative URLs directly without going through proper authentication flows, manipulate parameters to bypass permission checks, or exploit REST API endpoints that don't validate method permissions—like a read-only GET permission that can be leveraged for write operations through protocol upgrades or alternative endpoints.
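The two web-application patterns just described, shown as an added example that is not from the original page: a horizontal escalation through IDOR, where the document id in the request is trusted and ownership is never verified, and a write operation reachable with read-only permission through an alternative endpoint. Each vulnerable handler sits beside its hardened form. The users, documents, roles, and URL paths are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset          # e.g. frozenset({"viewer"})


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str


class Forbidden(Exception):
    """Raised by the hardened paths when an authorization check fails."""


def make_store() -> dict:
    """Constructed sample data: two users, each owning one document."""
    return {
        1: Document(1, "alice", "alice's notes"),
        2: Document(2, "bob", "bob's notes"),
    }


# Role -> actions. Anything not listed here is not permitted.
ROLE_ACTIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write"},
}


def allowed(user: User, action: str) -> bool:
    return any(action in ROLE_ACTIONS.get(role, set()) for role in user.roles)


# --- Horizontal escalation via IDOR ------------------------------------------

def get_document_idor(user: User, docs: dict, doc_id: int) -> str:
    """Vulnerable: the client-supplied id is trusted and ownership is never
    checked, so any authenticated user reads any other user's document."""
    return docs[doc_id].body


def load_authorized(user: User, docs: dict, doc_id: int) -> Document:
    """Hardened: look the object up, then verify the caller may touch it.
    Only the owner or an admin gets through."""
    doc = docs.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    if doc.owner != user.name and "admin" not in user.roles:
        raise Forbidden(f"{user.name} is not authorized for document {doc_id}")
    return doc


def get_document_checked(user: User, docs: dict, doc_id: int) -> str:
    return load_authorized(user, docs, doc_id).body


# --- Write reached through an alternative endpoint ---------------------------

def _parse(path: str):
    parts = path.strip("/").split("/")            # "/documents/1/update"
    kind = "update" if len(parts) > 2 and parts[2] == "update" else "document"
    return int(parts[1]), kind


def route_vulnerable(user: User, docs: dict, method: str, path: str, payload=None):
    """Vulnerable: only PATCH is gated on the write permission. A legacy
    GET /documents/<id>/update endpoint performs the same write unchecked,
    so a read-only user gains write access."""
    doc_id, kind = _parse(path)
    if method == "PATCH":
        if not allowed(user, "write"):
            raise Forbidden("write permission required")
        docs[doc_id].body = payload
        return "updated"
    if method == "GET" and kind == "update":
        docs[doc_id].body = payload               # no permission check at all
        return "updated"
    return get_document_idor(user, docs, doc_id)


# Every (method, endpoint) pair declares the action it needs. A pair missing
# from this table is refused outright rather than silently allowed.
ENDPOINT_ACTION = {
    ("GET", "document"): "read",
    ("PATCH", "document"): "write",
    ("GET", "update"): "write",    # the alternative write path is gated as a write
}


def route_hardened(user: User, docs: dict, method: str, path: str, payload=None):
    doc_id, kind = _parse(path)
    action = ENDPOINT_ACTION.get((method, kind))
    if action is None:
        raise Forbidden(f"{method} {path}: no permission mapping, denied by default")
    if not allowed(user, action):
        raise Forbidden(f"{action} permission required")
    doc = load_authorized(user, docs, doc_id)      # object-level check, every time
    if action == "write":
        doc.body = payload
        return "updated"
    return doc.body


def denied(fn, *args) -> bool:
    """True when the call is refused by an authorization check."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```

The hardened router does two things the vulnerable one does not: it resolves the required action from a table that covers every endpoint, so an alternative write path cannot slip through ungated, and it performs the object-level ownership check on every request rather than only on the canonical verb.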
Impact
- Full system compromise through kernel-level exploits granting root or SYSTEM privileges
- Administrative control over applications, allowing configuration changes, user management, and deployment of malicious code
- Lateral movement across cloud infrastructure, containers, or network segments using escalated service account permissions
- Data exfiltration by accessing databases, file systems, or API endpoints restricted to higher privilege levels
- Persistence establishment through creation of backdoor accounts or modification of system configurations
Real-World Examples
Kubernetes clusters have been compromised through kubelet API misconfigurations where read-only GET permissions on worker nodes could be escalated to remote code execution. Attackers upgraded HTTP connections to WebSockets to access the /exec endpoint, gaining shell access to all pods on the node. This affected over 69 Helm charts including widely-deployed monitoring tools like Prometheus, Grafana, and Datadog agents.
Windows Print Spooler vulnerabilities (PrintNightmare class) allowed authenticated users to execute arbitrary code with SYSTEM privileges by exploiting improper privilege checks in the print service. Attackers loaded malicious DLLs through carefully crafted print jobs, escalating from low-privilege user accounts to full domain administrator access.
Cloud metadata services have been exploited where SSRF vulnerabilities combined with over-permissioned IAM roles allowed attackers to retrieve temporary credentials with elevated permissions, pivoting from compromised web applications to broader cloud infrastructure access.
Mitigation
- Enforce deny-by-default access control where permissions must be explicitly granted rather than implicitly allowed
- Implement consistent authorization checks at every layer—API gateway, application logic, and data access—never relying on client-side or single-point validation
- Apply principle of least privilege with time-limited, scope-restricted permissions and just-in-time access for administrative functions
- Audit permission inheritance and role assignments regularly to identify overly permissive configurations or privilege creep
- Separate execution contexts using containers, sandboxes, or capability-based security to limit blast radius
- Deploy runtime monitoring for unusual privilege usage patterns and anomalous access to restricted resources
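An added example, not from the original page, of the first four mitigations working together in one small policy evaluator: access is denied unless a matching grant exists, every grant is restricted to a resource scope, administrative access is issued just-in-time with an expiry, and a periodic audit flags standing grants, wildcard scopes, and stale grants that were never removed. The principals, actions, scopes, and the fixed clock are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed clock so the example is reproducible offline.
NOW = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)


def minutes_from_now(m: int) -> datetime:
    return NOW + timedelta(minutes=m)


@dataclass(frozen=True)
class Grant:
    principal: str
    action: str                      # "read", "deploy", "read-secrets", ...
    scope: str                       # resource prefix such as "prod/payments"; "*" means everything
    expires_at: Optional[datetime]   # None is a standing grant; the audit flags these


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str                      # always populated so denials can be logged and monitored


def covers(scope: str, resource: str) -> bool:
    """Scope is a path prefix: "prod" covers "prod/payments/db" but not "prod-old/db"."""
    return scope == "*" or resource == scope or resource.startswith(scope + "/")


def authorize(grants: List[Grant], principal: str, action: str,
              resource: str, now: datetime) -> Decision:
    """Deny by default. The only way to get allowed=True is an unexpired grant
    for exactly this principal and action whose scope covers the resource."""
    reason = f"no grant for {principal} to {action} {resource}"
    for g in grants:
        if g.principal != principal or g.action != action or not covers(g.scope, resource):
            continue
        if g.expires_at is not None and now >= g.expires_at:
            reason = f"grant {action} on {g.scope} expired at {g.expires_at.isoformat()}"
            continue                                  # keep looking for a live grant
        return Decision(True, f"grant {action} on {g.scope}")
    return Decision(False, reason + " (deny by default)")


def issue_jit_grant(grants: List[Grant], principal: str, action: str, scope: str,
                    now: datetime, ttl_minutes: int = 30) -> Grant:
    """Just-in-time access for administrative actions: every grant issued here
    is limited to one resource prefix and expires on its own."""
    g = Grant(principal, action, scope, now + timedelta(minutes=ttl_minutes))
    grants.append(g)
    return g


def audit(grants: List[Grant], now: datetime) -> List[str]:
    """Periodic review for privilege creep: standing grants, wildcard scopes,
    and expired grants that were never cleaned up."""
    findings = []
    for g in grants:
        if g.expires_at is None:
            findings.append(f"standing: {g.principal} {g.action} on {g.scope}")
        elif g.expires_at <= now:
            findings.append(f"stale: {g.principal} {g.action} on {g.scope} expired")
        if g.scope == "*":
            findings.append(f"wildcard: {g.principal} {g.action} on *")
    return findings


if __name__ == "__main__":
    grants = [
        Grant("svc-ci", "read", "prod/payments", None),        # standing read grant
        Grant("dana", "deploy", "*", minutes_from_now(-60)),    # expired wildcard grant
    ]
    issue_jit_grant(grants, "dana", "deploy", "prod/payments", NOW)
    for p, a, r in [("svc-ci", "read", "prod/payments/db"),
                    ("svc-ci", "write", "prod/payments/db"),
                    ("dana", "deploy", "prod/payments/api"),
                    ("dana", "deploy", "prod/billing/api")]:
        d = authorize(grants, p, a, r, NOW)
        print(f"{p:7} {a:7} {r:20} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
    for f in audit(grants, NOW):
        print("audit:", f)
```

Every Decision carries a reason string, which is what the runtime-monitoring mitigation needs: a stream of denials naming the principal, action, and resource is the raw material for spotting a principal that is repeatedly probing resources outside its scope.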
Recent CVEs (2402)
Tanium addressed an improper input validation vulnerability in Tanium Appliance. [CVSS 2.7 LOW]
Bootloader menu access in Moxa UC series industrial computers can be obtained by attackers with physical access using a device-unique password, potentially enabling temporary denial-of-service through firmware reflashing. The vulnerability is constrained by bootloader signature verification that prevents installation of unsigned firmware or arbitrary code execution. No patch is currently available for affected Linux and UC firmware versions.
Multiple stored XSS vulnerabilities in the WebAdmin interface of Axigen Mail Server before 10.5.57 allow authenticated administrators to inject persistent malicious scripts that execute in other admin sessions.
Insecure folder permissions in MEmu Play 7.1.3 Android emulator allow low-privileged users to modify application binaries, enabling privilege escalation to SYSTEM. PoC available.
Central Authentication System Server versions up to 2.0.3 contain a security vulnerability (CVSS 4.2).
The Microsoft Entra ID SSO Login module for Drupal before version 1.0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to escalate privileges through an alternate authentication channel. An attacker can exploit this flaw to gain unauthorized access with elevated permissions on affected Drupal installations. No patch is currently available, and the vulnerability has low exploit probability (EPSS 0.1%).
The Drupal Role Delegation module versions 1.3.0 through 1.5.0 contains an unsafe privilege definition vulnerability that permits authenticated users with delegation permissions to escalate their privileges within the application. An attacker with limited account access could exploit this flaw to gain elevated permissions and modify system settings or access restricted functionality. No patch is currently available for this vulnerability.
Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directories that exploit an untrusted search path vulnerability. Local attackers can leverage this to execute arbitrary code with the privileges of the current user without requiring special permissions or interaction beyond opening a file. No patch is currently available for this high-severity vulnerability affecting 3ds Max users.
F5 BIG-IP Container Ingress Services contains an improper privilege management flaw that allows high-privileged users to read sensitive cluster secrets beyond their intended authorization scope. An authenticated attacker with elevated permissions could exploit this vulnerability to gain unauthorized access to confidential Kubernetes cluster data. No patch is currently available for this medium-severity issue.
Qwik JavaScript framework prior to 1.19.0 has a prototype pollution vulnerability that can lead to server-side code execution in SSR applications.
An untrusted search path vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code.
Local code injection in NVIDIA Megatron-LM allows authenticated users to achieve arbitrary code execution and privilege escalation through malicious input to vulnerable scripts. An attacker with local access can craft specially designed data to trigger unsafe code evaluation, enabling complete system compromise including data theft and modification. No patch is currently available for this vulnerability affecting all supported platforms.
pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. [CVSS 6.5 MEDIUM]
A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. [CVSS 7.8 HIGH]
Endpoint Privilege Manager versions up to 25.10.0 are affected by improper privilege management (CVSS 7.8).
Aion versions up to 2.0 are affected by incorrect permission assignment for a critical resource (CVSS 5.5).
A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. [CVSS 5.4 MEDIUM]
Arbitrary code execution in Roland Cloud Manager installer versions 3.1.19 and earlier results from insecure DLL loading, enabling local attackers to execute malicious code with application-level privileges. An attacker with local access and user interaction can exploit this vulnerability to compromise systems running the affected installer. No patch is currently available to remediate this vulnerability.
Fabric Operating System versions up to 9.2.1 are affected by execution with unnecessary privileges (CVSS 5.5).
Native Access on macOS allows local authenticated attackers to inject malicious libraries into the privileged XPC helper process due to overly permissive code signing entitlements, enabling arbitrary code execution with system-level privileges. The vulnerability stems from the application being signed with dyld environment variable and library validation bypass entitlements while communicating with a trusted helper that validates only the signing certificate. Public exploit code exists, and no patch is currently available.
Remote privilege escalation in Android Thread networking protocol implementation via out-of-bounds write. No additional execution privileges needed.
Local privilege escalation in Android's PCIe driver stems from an out-of-bounds write vulnerability caused by insufficient bounds validation, allowing attackers with system-level privileges to escalate their access without user interaction. This medium-severity vulnerability (CVSS 5.3) affects Android devices and currently has no available patch. The CWE-787 vulnerability requires an attacker to already possess system privileges, limiting the immediate exploitation scope.
Android's imgsys component contains a use-after-free vulnerability that allows privilege escalation when exploited by an attacker who already has system-level access. The flaw requires no user interaction and could enable a malicious actor to escalate their privileges further within the device. Currently, no patch is available to address this vulnerability.
Android versions up to 15.0 contain a vulnerability that allows local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.7).
The Android cameraisp component contains an out-of-bounds write vulnerability due to insufficient bounds validation, enabling privilege escalation for attackers who have already gained system-level access. No user interaction is required for exploitation, and the vulnerability affects confidentiality, integrity, and availability of the device. No patch is currently available.
A use-after-free vulnerability in Android's cameraisp component allows privilege escalation to local denial of service for attackers with system-level access, requiring no user interaction. The flaw enables malicious actors to manipulate memory safety boundaries and execute arbitrary actions within the camera service context. No patch is currently available for this vulnerability.
Local privilege escalation in Android's imgsys component allows system-level processes to achieve full system compromise through an out-of-bounds write caused by insufficient bounds validation. An attacker with existing system privileges can exploit this flaw without user interaction to gain complete control over the affected device. No patch is currently available for this vulnerability.
An out-of-bounds write vulnerability in Android's imgsys component allows a local attacker with system-level privileges to escalate permissions and gain complete control over the device due to insufficient bounds checking. The vulnerability requires no user interaction and cannot be patched in current versions. This affects Android devices where an attacker has already obtained elevated system access.
OpenWRT and related SDKs are vulnerable to a heap buffer overflow in the WLAN component that allows adjacent network attackers to execute privilege escalation without user interaction or special permissions. The out-of-bounds write condition enables attackers on the same network segment to gain elevated system privileges. No patch is currently available for this vulnerability.
Out-of-bounds write in Android WLAN STA driver due to missing bounds check allows local privilege escalation to System with user interaction.
Remote code execution in MagicInfo 9 Server (versions prior to 21.1090.1) allows unauthenticated attackers to upload arbitrary files, resulting in complete system compromise with high confidentiality, integrity, and availability impact. The vulnerability enables privilege escalation and requires only user interaction to trigger. No patch is currently available for this critical flaw affecting all vulnerable MagicInfo 9 Server installations.
PsySH versions prior to 0.11.23 and 0.12.19 automatically execute a `.psysh.php` file from the current working directory during startup, allowing local attackers with write access to a directory to achieve arbitrary code execution when a user launches PsySH from that location. When a privileged user such as root or a CI runner executes PsySH in an attacker-controlled directory, this results in local privilege escalation. Public exploit code exists for this vulnerability and no patch is currently available.
Its service configuration contains a vulnerability that allows attackers to execute arbitrary code with SYSTEM privileges (CVSS 7.8).
Planting a custom configuration file in ESET Inspect Connector allows loading a malicious DLL.
Budibase is a low code platform for creating internal tools, workflows, and admin panels. [CVSS 8.8 HIGH]
Client-side password hashing in N3uron Web UI v1.21.7 allows privilege escalation. Weak hashing enables attackers to forge authentication credentials. PoC available.
Immich versions prior to 2.5.0 contain an improper access control flaw that allows any authenticated API key to escalate its privileges to full administrator level by manipulating the update endpoint. Public exploit code exists for this vulnerability, enabling attackers with basic API access to completely compromise the system. The flaw affects all unpatched Immich installations and requires upgrading to version 2.5.0 or later to remediate.
A CWE-276 Incorrect Default Permissions vulnerability exists that could lead to privilege escalation (via a reverse shell) when a local user with normal privileges modifies one or more executable service binaries in the installation folder and the service is restarted.
10-Strike Bandwidth Monitor 3.9 contains an unquoted service path vulnerability in multiple services that allows local attackers to escalate privileges. Attackers can place a malicious executable in specific file path locations to achieve privilege escalation to SYSTEM during service startup. [CVSS 7.8 HIGH]
NocoDB versions prior to 0.301.0 contain an open redirect vulnerability in the login flow where the `continueAfterSignIn` parameter is not validated, allowing attackers to redirect authenticated users to arbitrary external websites. Public exploit code exists for this vulnerability, which enables phishing attacks by abusing user trust in the legitimate login process to facilitate credential theft through social engineering. Authenticated users are at risk of being redirected to attacker-controlled domains immediately after successful login.
Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. [CVSS 5.4 MEDIUM]
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause heap memory access after the memory is freed. [CVSS 7.8 HIGH]
NVIDIA Display Driver for Linux contains a vulnerability in the NVIDIA kernel module where an attacker could cause an integer overflow or wraparound. [CVSS 7.8 HIGH]
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where an attacker could cause an integer overflow. [CVSS 7.8 HIGH]
NVIDIA Display Driver for Windows contains a vulnerability where an attacker could trigger a use after free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. [CVSS 7.8 HIGH]
M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. [CVSS 8.8 HIGH]
Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to an Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. [CVSS 6.7 MEDIUM]
WSS Agent, prior to 9.8.5, may be susceptible to an Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. [CVSS 7.0 HIGH]
Simple User Registration (WordPress plugin) versions up to 6.7 are affected by improper access control (CVSS 8.8).
A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system.
Its Windows service configuration contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
ElevationService executable contains a vulnerability that allows attackers to potentially inject malicious code (CVSS 7.8).
NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
Acronis Cloud Manager for Windows before build 6.4.25342.354 is vulnerable to local privilege escalation through improperly configured folder permissions, allowing authenticated users with low privileges to escalate to higher privileges. An attacker with local access and user interaction can exploit this vulnerability to gain full system control. No patch is currently available for this vulnerability.
WinAVR version 20100110 contains an insecure permissions vulnerability that allows authenticated users to modify system files and executables. Attackers can leverage the overly permissive access controls to potentially modify critical DLLs and executable files in the WinAVR installation directory. [CVSS 8.8 HIGH]
Dashboard permission API fails to validate scope boundaries, allowing authenticated users with permission management rights on any single dashboard to read and modify permissions across all organization dashboards. This privilege escalation affects multi-user dashboard environments where permission isolation is expected. No patch is currently available.
Insufficient authorization checks in SAP Fiori App Intercompany Balance Reconciliation allow authenticated users to access data beyond their intended permissions, resulting in privilege escalation with limited confidentiality impact. An attacker with valid credentials can exploit this flaw to view sensitive financial reconciliation information they should not have access to. No patch is currently available.
A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. [CVSS 4.0 MEDIUM]
Access control bypass in SpringBlade v4.5.0 importUser function allows low-privileged users to import sensitive user data and escalate privileges. PoC available.
A local privilege escalation vulnerability has been identified in the Kaba exos 9300 System management application (d9sysdef.exe).
SpringBlade v4.5.0 has an access control flaw in authRoutes allowing low-privileged users to escalate to admin through the authentication routing mechanism.
Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0.33.0 allows attackers with renderer-context access to invoke external protocol handlers without sufficient validation. [CVSS 7.1 HIGH]
Melapress Role Editor (WordPress plugin) versions up to 1.1.1 are affected by incorrect authorization (CVSS 8.8).
Discord Client's discord_rpc module improperly loads files from an unsecured search path, enabling local attackers with low-privilege code execution to escalate privileges and run arbitrary code with elevated user context. This vulnerability requires prior local code execution capability and affects systems running vulnerable Discord Client installations. No patch is currently available.
npm cli contains an insecure module loading mechanism that enables local privilege escalation on Node.js installations. An attacker with low-privileged code execution can exploit this flaw to gain elevated privileges and execute arbitrary code with target user permissions. No patch is currently available for this vulnerability.
mcp-server-siri-shortcuts fails to validate the shortcutName parameter before using it in system calls, enabling local attackers with low-privileged code execution to inject arbitrary commands and escalate to service account privileges. This command injection vulnerability (CVE-2026-0758, CVSS 7.8) affects the AI/ML tool and currently lacks a patch. An attacker exploiting this flaw can execute arbitrary code with elevated privileges on the affected system.
A WebSocket endpoint lacks proper authentication, allowing unauthenticated users to connect and interact with real-time data streams and server-side functionality.
A low-privileged user can bypass account credentials without confirming the user's current authentication state, which may lead to unauthorized privilege escalation.
WebPros WordPress Toolkit versions up to 6.9.1 are affected by a path traversal issue involving WordPress directory names (CVSS 8.8).
VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a local privilege escalation vulnerability in the VBMatrix VAIO virtual audio driver (vbmatrixvaio64*_win10.sys).
Incorrect Privilege Assignment vulnerability in e-plugins Final User final-user allows Privilege Escalation. This issue affects Final User: from n/a through <= 1.2.5. [CVSS 8.8 HIGH]
Incorrect Privilege Assignment vulnerability in e-plugins WP Membership wp-membership allows Privilege Escalation. This issue affects WP Membership: from n/a through <= 1.6.4. [CVSS 8.8 HIGH]
e-plugins Hospital Doctor Directory hospital-doctor-directory contains a security vulnerability (CVSS 8.8).
e-plugins Institutions Directory institutions-directory contains a security vulnerability (CVSS 8.8).
LazyTasks project management WordPress plugin has an incorrect privilege assignment vulnerability allowing low-privileged users to escalate to administrator, gaining full site control.
Incorrect Privilege Assignment vulnerability in Themefic Hydra Booking hydra-booking allows Privilege Escalation. This issue affects Hydra Booking: from n/a through <= 1.1.32. [CVSS 7.3 HIGH]
Incorrect Privilege Assignment vulnerability in e-plugins Lawyer Directory lawyer-directory allows Privilege Escalation. This issue affects Lawyer Directory: from n/a through <= 1.3.3. [CVSS 8.8 HIGH]
Booking Activities Team Booking Activities booking-activities contains a security vulnerability (CVSS 8.1).
Incorrect Privilege Assignment vulnerability in Jthemes xSmart xsmart allows Privilege Escalation. This issue affects xSmart: from n/a through <= 1.2.9.4. [CVSS 8.8 HIGH]
Malicious wheel files can modify file permissions on critical system files during extraction in Python wheel versions 0.40.0-0.46.1, enabling attackers to alter SSH keys, configuration files, or executable scripts. This path traversal and permission manipulation flaw affects systems unpacking untrusted wheels and can lead to privilege escalation or arbitrary code execution. Public exploit code exists for this vulnerability, though a patch is available in version 0.46.2.
Privilege escalation in openCryptoki 2.3.2+ allows token-group members to exploit insecure symlink handling in group-writable token directories, enabling file operations on arbitrary filesystem targets when the library runs with elevated privileges. An attacker with token-group membership can plant symlinks to redirect administrative operations, potentially leading to privilege escalation or unauthorized data access. A patch is available.
Flux Operator versions 0.36.0 through 0.39.x contain an authentication bypass in the Web UI that allows authenticated users to escalate privileges and execute API requests with the operator's service account permissions. The vulnerability affects deployments where OIDC providers issue incomplete token claims or custom CEL expressions evaluate to empty values, bypassing Kubernetes RBAC impersonation controls. Cluster administrators running affected Flux Operator versions should upgrade to 0.40.0 or later.
Rockstar Games Launcher 1.0.37.349 contains a privilege escalation vulnerability that allows authenticated users to modify the service executable with weak permissions. [CVSS 8.8 HIGH]
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. [CVSS 2.7 LOW]
Academy LMS WordPress plugin has a privilege escalation vulnerability allowing unauthenticated users to bypass access controls and gain elevated privileges on WordPress sites.
Node.js has a CVSS 10.0 permission model bypass that allows Unix Domain Socket connections to completely bypass network restrictions when --allow-net is configured.
NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA Nsight Systems for Windows contains a vulnerability in the application’s DLL loading mechanism where an attacker could cause an uncontrolled search path element by exploiting insecure DLL search paths. [CVSS 6.7 MEDIUM]
NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. [CVSS 7.3 HIGH]
NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application. [CVSS 7.3 HIGH]
Quick Facts
- Typical Severity: HIGH
- Category: auth
- Total CVEs: 2402