Skip to main content

Privilege Escalation

13293 CVEs technique

Monthly

CVE-2026-8547 HIGH PATCH This Week

Insufficient policy enforcement in Passwords in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Privilege Escalation Microsoft Google Red Hat +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-8629 HIGH PATCH This Week

Privilege escalation in Crabbox versions prior to v0.12.0 allows authenticated users with visibility-only permissions to escalate privileges and obtain code execution, remote desktop access, and data exfiltration capabilities. By directly invoking three unprotected ticket-generation endpoints (/v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, /v1/leases/:id/egress/ticket), attackers can obtain bridge-agent credentials and impersonate trusted lease-side bridges, bypassing intended read-only access restrictions. The vulnerability was patched in v0.12.0 (commit 95cb30dc) following VulnCheck disclosure. CVSS 8.6 (High) reflects network-accessible exploitation requiring only low-privilege authentication with low attack complexity. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack is straightforward for authenticated insiders.

Authentication Bypass Privilege Escalation Crabbox
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-27680 LOW Monitor

CSS injection in SAP NetWeaver Application Server ABAP allows unauthenticated remote attackers to inject malicious Cascading Style Sheets into web pages served by the application, with exploitation requiring user interaction (clicking or accessing the affected page). The injected CSS executes in the victim's browser context, resulting in low-impact confidentiality loss; integrity and availability are not affected. CVSS 3.1 reflects the limited impact and high attack complexity required.

Privilege Escalation SAP
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-43978 PyPI HIGH GHSA This Week

Privilege escalation in wger fitness manager allows gym trainers to impersonate gym managers via session-chain attack. An authenticated trainer exploits flawed session-flag logic in the trainer-login endpoint to bypass permission checks - first switching into a low-privilege user, then leveraging the inherited 'trainer.identity' session flag to hop into manager accounts. Publicly available proof-of-concept demonstrates complete takeover of gym administration with CVSS 8.1 (network-accessible, low complexity). No vendor patch confirmed at time of analysis; vulnerability actively disclosed by wger-project GitHub advisory GHSA-9qpr-vc49-hqg2. EPSS score not available, not in CISA KEV. Root cause is CWE-269 (improper privilege management) in core/views/user.py lines 169-178.

Privilege Escalation Python
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42853 npm MEDIUM GHSA This Month

Command injection in @apostrophecms/cli apos create command allows arbitrary command execution when a user supplies specially crafted input during the interactive password prompt. The vulnerability exists in lib/commands/create.js line 186, where user-supplied password input is passed directly into a shell exec() call without sanitization or escaping, enabling attackers to inject shell metacharacters (;, &&, $()) to execute arbitrary commands with the privileges of the user running the CLI. Exploitation requires user interaction (UI:R) and high privilege context (PR:H), but publicly available proof-of-concept demonstrates successful arbitrary code execution on Ubuntu systems with Node.js.

Command Injection Ubuntu Privilege Escalation Docker Node.js
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62625 MEDIUM This Month

Improper privilege management in AMD's KVM key download component allows authenticated local attackers to swap tokens and exfiltrate sensitive cryptographic keys due to insufficient access controls, potentially enabling unauthorized access to privileged resources and compromising system confidentiality. The vulnerability requires authenticated access (PR:L) but carries high confidentiality impact (VC:H), making it a significant risk in multi-tenant or shared-access environments.

Authentication Bypass Privilege Escalation
NVD
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-26062 Go HIGH PATCH GHSA This Week

Fleet server crashes from a single malformed gRPC request to the PublishLogs endpoint, allowing complete denial of service. An attacker with any enrolled Launcher node key can terminate the Fleet server process instantly via a crafted gRPC call. CVSS 8.7 (High) reflects the ease and impact, though exploitation requires prior enrollment of a Launcher host. Vendor-released patch version 4.81.0 available. No public exploit identified at time of analysis, but attack requires minimal sophistication given authenticated access.

Authentication Bypass Privilege Escalation Denial Of Service Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-24000 Go MEDIUM PATCH GHSA This Month

Fleet trusts untrusted client-supplied IP address headers (X-Forwarded-For, X-Real-IP, True-Client-IP) when determining source IP for incoming requests, allowing both authenticated and unauthenticated attackers to spoof their apparent IP address and bypass per-IP rate limiting controls. This enables brute-force and password-spraying attacks against authentication endpoints to scale without triggering rate-limit protections, though the vulnerability does not itself enable authentication bypass, privilege escalation, data exposure, or remote code execution.

Authentication Bypass Privilege Escalation Information Disclosure RCE
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-6506 HIGH This Week

Privilege escalation in the InfusedWoo Pro WordPress plugin (versions through 5.1.2) allows authenticated subscriber-level users to elevate themselves to Administrator by abusing the unprotected infusedwoo_gdpr_upddata() function to overwrite their wp_capabilities user meta. No public exploit identified at time of analysis, EPSS is very low (0.04%), and the issue is not listed in CISA KEV, but the technical impact is total once the simple authentication prerequisite is met.

Authentication Bypass Privilege Escalation WordPress Infusedwoo Pro
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5193 MEDIUM This Month

Privilege escalation in Essential Addons for Elementor (all versions ≤ 6.5.13) allows authenticated WordPress users with Author-level access or above to create new accounts with elevated roles such as Editor by exploiting the plugin's `register_user` function, which applies an incomplete role denylist that blocks only 'administrator' while leaving other privileged roles unguarded. The network-accessible, low-complexity attack vector (AV:N/AC:L/PR:L) makes this realistic for any site with the plugin's registration widget exposed and populated with low-trust authors. No public exploit has been identified at time of analysis and CISA KEV status is absent, but the plugin's broad WordPress deployment increases aggregate exposure.

Privilege Escalation WordPress Essential Addons For Elementor Popular Elementor Templates Widgets Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6510 CRITICAL Act Now

Authentication bypass and privilege escalation in the InfusedWoo Pro WordPress plugin (versions through 5.1.2) lets unauthenticated remote attackers seize administrator accounts by abusing the iwar_save_recipe() AJAX handler. Because the endpoint lacks nonce verification and capability checks, attackers can plant a malicious automation recipe that chains an HTTP post trigger with an auto-login action, so visiting a crafted URL returns valid authentication cookies for any chosen user. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis, and EPSS sits at 0.19% (40th percentile) despite the SSVC assessment of total technical impact and automatable exploitation.

Authentication Bypass Privilege Escalation WordPress Infusedwoo Pro
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-8181 CRITICAL POC Act Now

Authentication bypass in the Burst Statistics WordPress plugin versions 3.4.0 through 3.4.1.1 allows unauthenticated remote attackers to impersonate any administrator whose username they know by supplying an arbitrary Basic Authentication password. The flaw resides in flawed return-value handling within the `is_mainwp_authenticated()` function used to validate application passwords from the Authorization header, enabling privilege escalation per request. No public exploit identified at time of analysis, and EPSS is low (0.26%), but the CVSS 9.8 score and SSVC 'total' technical impact mark it as a high-severity authentication bypass worth prioritizing.

Authentication Bypass Google Privilege Escalation WordPress
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-29205 HIGH PATCH This Week

Arbitrary file read in cPanel & WHM's cpdavd service allows remote unauthenticated attackers to retrieve sensitive files from the server through attachment download endpoints that fail to properly filter paths and enforce privilege boundaries. The flaw affects multiple supported cPanel release tiers (11.120 through 11.136) and WP Squared 11.120.1.0-11.136.1.12, scoring CVSS 8.6 due to network reach without authentication, though EPSS exploitation probability is only 0.04% and no public exploit identified at time of analysis.

Privilege Escalation
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-0251 MEDIUM PATCH This Month

Local privilege escalation vulnerabilities in Palo Alto Networks GlobalProtect App on Windows, macOS, and Linux allow a low-privileged local user to elevate to NT AUTHORITY\SYSTEM (Windows) or root (macOS/Linux), enabling full OS-level command execution. The root cause is CWE-426 (Untrusted Search Path), where the application resolves executables or libraries from attacker-controllable locations. No public exploit has been identified and CISA SSVC confirms exploitation status as none; however, SSVC rates technical impact as total, reflecting the complete privilege gain achievable upon successful exploitation.

Privilege Escalation Google Apple Microsoft Paloalto +2
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-30906 HIGH PATCH This Week

Local privilege escalation in Zoom Rooms for Windows versions prior to 7.0.0 allows an authenticated user to gain elevated privileges through an untrusted search path weakness in the installer. The flaw (CWE-426) carries a CVSS 7.8 (High) rating with complete confidentiality, integrity, and availability impact, though EPSS exploitation probability is very low (0.01%) and there is no public exploit identified at time of analysis. CISA SSVC indicates no observed exploitation but total technical impact, making this a credible insider-threat or post-compromise escalation vector rather than an internet-facing risk.

Microsoft Privilege Escalation Zoom Rooms
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-30905 HIGH PATCH This Week

Local privilege escalation in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 allows an authenticated low-privileged user to elevate to higher privileges through external control of a file name or path during installation routines. The flaw was reported by Zoom and carries CVSS 7.8 with total technical impact, though no public exploit identified at time of analysis and EPSS sits at 0.01%. SSVC indicates exploitation status 'none' and the attack is not automatable, marking this as a patch-on-schedule rather than emergency item.

Microsoft Privilege Escalation Zoom Workplace Vdi Plugin
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-44470 HIGH PATCH This Week

Local privilege escalation in Claude Desktop for Windows prior to 1.3834.0 allows a low-privileged user to gain SYSTEM-level file write primitives by abusing the CoworkVMService component. The service fails to validate whether the user-writable VM bundle directory is a real directory or an NTFS directory junction, enabling a classic link-following attack. No public exploit identified at time of analysis, and EPSS is negligible (0.01%), but SSVC rates technical impact as total.

Microsoft Privilege Escalation Claude Desktop
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-36742 MEDIUM This Month

Hiseeu C90 v5.7.15 exposes a UART bootloader in debug mode when the device battery is disconnected, allowing unauthenticated physical attackers with direct hardware access to achieve privilege escalation and potentially execute arbitrary code with full device control. This vulnerability requires physical tampering to trigger but bypasses all software-based security controls once activated.

Privilege Escalation
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2020-37223 HIGH POC This Week

IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerability in the IObitUnSvr service that allows local attackers to escalate privileges to SYSTEM level. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Iobit Uninstaller
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-32643 HIGH PATCH This Week

Configuration manipulation in F5 BIG-IP and BIG-IQ Certificate Manager allows authenticated attackers with high privileges to execute arbitrary commands with scope change. Attackers holding Certificate Manager role credentials can modify configuration objects to run system commands, escalating from administrative interface access to underlying system control. CVSS 8.7 reflects the scope change (S:C) enabling broader impact than typical privileged command injection. No public exploit identified at time of analysis. F5 has released vendor patches per K000160972.

Privilege Escalation Big Ip Big Iq
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-32673 HIGH PATCH This Week

Authenticated administrators with Resource Administrator or Administrator role can execute arbitrary system commands with elevated privileges in F5 BIG-IP scripted monitors, potentially crossing security boundaries in appliance mode deployments. The vulnerability requires high privilege level and network access but allows complete command execution with no user interaction, affecting confidentiality and integrity.

Privilege Escalation Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-41953 HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrator users to elevate privileges through configuration object manipulation. The command injection flaw (CWE-77) enables attackers with existing high-privilege access to gain administrative control over the BIG-IP system. CVSS score of 8.7 reflects high impact due to scope change (compromising beyond the vulnerable component), though exploitation requires existing Resource Administrator credentials (PR:H). EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation.

Privilege Escalation Command Injection Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-40631 HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrators to gain full Administrator privileges by exploiting insecure iControl SOAP API configuration handling. Attackers with high-privilege Resource Administrator access can modify configuration objects to escalate to Administrator level, achieving cross-scope access to confidential data and integrity compromise. EPSS risk assessment unavailable, but exploitation requires legitimate Resource Administrator credentials and network access to management interface, limiting attack surface to insider threats or compromised administrative accounts.

Privilege Escalation Information Disclosure Path Traversal Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-40698 HIGH PATCH This Week

Command injection in F5 BIG-IP and BIG-IQ SNMP configuration allows highly privileged Resource Administrators to escalate privileges to root via crafted iControl REST API calls or TMOS shell commands. Despite the high CVSS score (8.7), exploitation requires existing Resource Administrator credentials, significantly limiting real-world attack surface to insider threats or post-compromise scenarios. Vendor-released patches are available per F5 security advisory K000160981.

Privilege Escalation Command Injection Big Ip Big Iq
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-42924 HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrators or Administrators to execute arbitrary OS commands by creating malicious SNMP configuration objects via the legacy iControl SOAP API. Attackers with high-level administrative credentials can break out of their role constraints to gain full system control. F5 has released patches addressing this command injection flaw (CWE-78). No active exploitation confirmed at time of analysis, but the CVSS:3.1 Changed Scope indicator and attack complexity of Low make this exploitable by any administrator with SOAP API access.

Privilege Escalation Command Injection Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-46300 HIGH POC PATCH CISA NEWS Act Now

Local privilege escalation in Linux kernel XFRM ESP-in-TCP subsystem (Fragnesia vulnerability) allows authenticated local attackers to overwrite kernel memory structures by exploiting arbitrary byte writes into the kernel page cache of read-only files. CVSS score of 7.8 reflects high impact across confidentiality, integrity, and availability. Low attack complexity (AC:L) and no user interaction requirement (UI:N) make this exploitable by any local user with basic privileges. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, but the specific vulnerability name 'Fragnesia' suggests coordinated disclosure with security research community.

Privilege Escalation Linux
NVD VulDB GitHub Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
Threat
5.1
CVE-2024-47091 MEDIUM PATCH This Month

Privilege escalation in the mk_mysql agent plugin on Windows in Checkmk <2.4.0p29, <2.3.0p47, and 2.2.0 (EOL) allows a local unprivileged user able to create a Windows service whose name matches. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity.

Microsoft RCE Privilege Escalation
NVD VulDB
CVSS 4.0
5.2
EPSS
0.0%
CVE-2026-21015 MEDIUM This Month

Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique identifier.

Privilege Escalation Samsung Mobile Devices
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2025-62624 HIGH This Week

A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

VMware Heap Overflow Privilege Escalation RCE Buffer Overflow
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2025-62623 HIGH This Week

A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

VMware Privilege Escalation RCE Buffer Overflow
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-42289 HIGH This Week

ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge This vulnerability is fixed in 7.3.2.

Privilege Escalation PHP CSRF
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44593 Go HIGH PATCH GHSA This Week

### Impact - Arbitrary File Write - An attacker can cause the server to write data to any file path it has write permission for. - Privilege Escalation / RCE - By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges. ### Exploit The legacy router first retrieves a response from `legacyServer`, parses the incoming request path, and ultimately writes the data to storage via `buildStorage.Put` (see <https://github.com/esm-dev/esm.sh/blob/4312ae93e518121e764a18bb521af12e490ef137/server/legacy_router.go#L291>). For a URL such as: ``` http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/<attacker>/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned ``` the router concatenates the path components without sanitizing them, producing a storage key like: ``` legacy/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned ``` When this key is used, the underlying file system resolves the relative segments and writes the file to `/tmp/pwned`. Thus an attacker can craft a request that writes data to arbitrary locations on the server. ### Details 1. **URL Construction** A crafted request is sent to the server: ``` http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/<attacker>/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned ``` 2. **Proxy to Legacy Server** The request is forwarded to: ``` http://legacy.esm.sh/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../tmp/pwned ``` which resolves to: ``` http://legacy.esm.sh/gh/<attacker>/exp@1171e85d5d/foo.md ``` 3. **File Retrieval** The server fetches `foo.md` from the GitHub repository `https://github.com/<attacker>/exp`. 4. **Path Normalisation & Storage** The storage path derived from the request is: ``` legacy/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned ``` Normalising this path yields `/tmp/pwned`. The retrieved file content is then written to that location. 5. **Result** By repeating this pattern, an attacker can overwrite arbitrary binaries or scripts on the server, paving the way for remote code execution. ### Credit Discovery To splitline (@\_splitline\_) from DEVCORE Research Team

Privilege Escalation RCE Path Traversal
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-8449 HIGH PATCH This Week

Linux ksmbd contains a remote memory corruption vulnerability in the ACL inheritance path that allows remote clients with directory creation permissions to trigger a heap out-of-bounds read and subsequent heap corruption by setting a crafted DACL with a malformed SID containing an inflated num_subauth field. Attackers can exploit this vulnerability by creating a directory, setting the malicious DACL via SMB2_SET_INFO, and creating child entries to cause kernel instability, denial of service, or potentially achieve privilege escalation to kernel code execution.

Denial Of Service Buffer Overflow RCE Linux Privilege Escalation +3
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-44224 HIGH PATCH This Week

Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users - a permission typically delegated to wiki moderators for account management - can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313.

Privilege Escalation Node.js
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-20767 HIGH This Week

Improper input validation for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Microsoft Intel
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-20714 HIGH This Week

Out-of-bounds write for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Microsoft Buffer Overflow Memory Corruption Privilege Escalation Intel
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-33821 HIGH PATCH NEWS This Week

Improper privilege management in Microsoft Dynamics 365 Customer Insights allows an authorized attacker to elevate privileges over a network.

Privilege Escalation Microsoft
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-42833 CRITICAL PATCH Exploit Unlikely Act Now

Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

Privilege Escalation Microsoft
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-36515 MEDIUM This Month

Uncontrolled search path for some AI Playground software before version 3.0.0 alpha within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Ai Playground Software
NVD
CVSS 4.0
5.4
EPSS
0.0%
CVE-2025-35990 HIGH This Week

Improper input validation for some Intel Endpoint Management Assistant (EMA) software before version 1.14.5 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Intel
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-35969 MEDIUM This Month

Uncontrolled search path for some Intel(R) Server Firmware Update Utility Software before version 16.0.12. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Intel
NVD
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-20794 CRITICAL Act Now

Buffer overflow for the Intel(R) Data Center Graphics Driver for VMware ESXi software before version 2.0.2 within Ring 1: Device Drivers may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (high) impacts.

Buffer Overflow VMware RCE Privilege Escalation Intel
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-20772 MEDIUM This Month

Uncontrolled search path for some Intel(R) Connectivity Performance Suite software installers before version 50.25.1121.193 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Intel
NVD
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-20753 HIGH This Week

Integer overflow in the UEFI firmware for the Slim Bootloader may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (high) impacts.

Integer Overflow Privilege Escalation RCE Slim Bootloader May Allow An Escalation Of Privilege System Software Adversary With A Privileged User Combined With A Low Complexity Attack May Enable Local Code Execution This Result May Potentially Occur Via Local Access When Attack Requirements Are Present Without Special Internal Knowledge And Requires No User Interaction The Potential Vulnerability May Impact The Confidentiality High Integrity High And Availability High Of The Vulnerable System Resulting In Subsequent System Confidentiality High Integrity High And Availability High Impacts
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-20738 HIGH This Week

Untrusted pointer dereference for some Intel(R) QuickAssist Adapter 8960 software before version 1.13 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Intel
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-20718 MEDIUM This Month

Incorrect default permissions for some Intel(R) NPU Driver software installers before version 32.0.100.4511 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Intel
NVD
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-30810 HIGH This Week

Server-Side Request Forgery (SSRF) in Pandora FMS versions 777-800 enables authenticated attackers to escalate privileges through the API Checker extension. Attackers with low-privilege network access can force the server to make arbitrary requests, potentially accessing internal resources and escalating to higher confidentiality impact (CVSS VC:H). EPSS data not available; no confirmed active exploitation (not in CISA KEV). Vendor has acknowledged the issue per PandoraFMS security advisory, indicating patch development is likely underway.

Privilege Escalation SSRF Pandora Fms
NVD
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-45088 Go HIGH PATCH GHSA This Week

Unauthenticated arbitrary file read in dalfox REST API server mode allows remote attackers to exfiltrate sensitive files from the host filesystem. The vulnerability chains two flaws: missing authentication middleware when no API key is set (default configuration), and unsanitized deserialization of the `custom-payload-file` JSON parameter directly into the scan engine. Remote attackers can supply any file path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, cloud credential files) and the engine reads each line, embeds it as an XSS payload, and transmits it to an attacker-controlled HTTP endpoint via dalfox's own scan traffic. No exploit code is publicly identified at time of analysis; vendor-released patch available in version 2.13.0.

Authentication Bypass XSS Privilege Escalation
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8110 HIGH This Week

Local privilege escalation in Ivanti Endpoint Manager agent allows authenticated users to gain SYSTEM-level privileges via incorrect file or registry permissions. Affects all versions prior to 2024 SU6. Vendor has released a patch (version 2024 SU6). No evidence of active exploitation or public POC identified at time of analysis, though EPSS data not available. Organizations running EPM agents on managed endpoints should prioritize patching given the high CVSS score (7.8) and potential for lateral movement across enterprise environments.

Privilege Escalation Ivanti
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7432 HIGH This Week

Race condition in Ivanti Secure Access Client enables local privilege escalation to SYSTEM from low-privileged accounts. Affects versions before 22.8R6. An authenticated local user can exploit timing vulnerabilities in the client software to gain complete system control. While limited to local attack vector (requires existing access to the target system), the low attack complexity (AC:L) and lack of user interaction requirement (UI:N) make this exploitable once local access is achieved. No public exploit code identified at time of analysis, and EPSS risk scoring not yet available for this 2026 CVE.

Privilege Escalation Race Condition Ivanti
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40638 MEDIUM PATCH This Month

Local privilege escalation in Dell PowerScale InsightIQ versions 5.0.0 through 6.2.0 allows high-privileged attackers to execute code with unnecessary elevated privileges, potentially escalating to full system compromise. The vulnerability requires existing local access and high privilege level on the affected system; no public exploit has been identified at time of analysis.

Dell Privilege Escalation
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-2465 HIGH PATCH This Week

Privilege escalation in Turboard FOR-S allows remote unauthenticated attackers to gain elevated access by exploiting incorrect authorization checks, requiring only user interaction. The vulnerability affects versions 7.01.2026 through 17.02.2026, with fix available in version 18.02.2026. Turkish national CERT (TR-CERT) reported this authorization bypass vulnerability (CWE-863), which enables attackers to compromise confidentiality, integrity, and availability of the affected business intelligence platform.

Authentication Bypass Privilege Escalation Turboard For S
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41712 Maven HIGH PATCH GHSA This Week

Remote unauthenticated attackers can access confidential data from other users' chat sessions in Spring AI applications due to insecure default configuration in the chat memory component. The vulnerability allows network-based exploitation with no authentication required (CVSS:3.1 AV:N/AC:L/PR:N/UI:N) and impacts confidentiality only (C:H/I:N/A:N), enabling cross-user data leakage in multi-tenant AI chat implementations. Reported by VMware, affecting Java-based Spring AI deployments where developers have not explicitly configured chat memory isolation.

Information Disclosure Java Privilege Escalation
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8072 CRITICAL PATCH Act Now

Weak credential generation in Ingeteam's Ingecon Sun EMS Board Technical Support access mechanism allows remote privilege escalation via cryptographic weakness. The SAT (Technical Support) access feature generates credentials using a weak hashing algorithm instead of cryptographically secure methods, enabling attackers to predict or derive privileged access credentials. CVSS 9.2 reflects network-accessible attack with high complexity but no authentication required. INCIBE coordinated disclosure confirms vendor patch availability, and a practical analysis of the vulnerability has been published by ReverseMode, indicating detailed technical understanding exists in the research community.

Privilege Escalation Ingecon Sun Ems Board
NVD
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-1185 MEDIUM PATCH This Month

Improper input validation in an Axis OS configuration file allows authenticated SSH users to execute code and potentially escalate privileges. The vulnerability requires valid SSH credentials but affects all Axis OS versions, making it a significant risk for organizations running Axis network devices with SSH access exposed or shared credentials.

Privilege Escalation RCE Axis Os
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-0804 MEDIUM PATCH This Month

Privilege escalation in Axis OS via path traversal in ACAP configuration files allows high-privileged local attackers to achieve code execution with elevated permissions. The vulnerability requires the device to be configured for unsigned ACAP application installation and the attacker to socially engineer a user into installing a malicious ACAP application. CVSS 6.7 reflects high confidentiality, integrity, and availability impact, but exploitation is constrained by high-privilege requirement and user interaction. No public exploit code or active exploitation has been identified at time of analysis.

Privilege Escalation Path Traversal Axis Os
NVD VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-0802 MEDIUM PATCH This Month

Command injection in Axis OS ACAP configuration file processing allows privilege escalation when unsigned ACAP applications are enabled and a user installs a malicious application. The vulnerability requires high-privileged user interaction and local access but bypasses normal code signing protections to achieve code execution with elevated privileges.

Privilege Escalation Command Injection Axis Os
NVD VulDB
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-0541 MEDIUM PATCH This Month

Axis OS allows privilege escalation via improper input validation during ACAP application installation when unsigned applications are permitted, enabling authenticated attackers with high privileges to gain elevated system access. The vulnerability requires explicit administrative configuration allowing unsigned ACAP installations and victim interaction to install a malicious application. No public exploit code or active exploitation has been confirmed at time of analysis.

Privilege Escalation Axis Os
NVD VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-43886 HIGH PATCH This Week

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. This vulnerability is fixed in 1.7.0.

Privilege Escalation Outline
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-41489 HIGH PATCH This Week

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.

Privilege Escalation Pi Hole
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28995 HIGH PATCH This Week

Sandbox escape vulnerability in Apple operating systems allows malicious apps with low privileges to break out of application sandbox and execute code with elevated privileges on the host system. Affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS across multiple versions. Apple has released patches for all affected platforms. EPSS score of 0.02% (7th percentile) indicates low probability of mass exploitation in the wild, though the CVSS 8.8 score reflects significant potential impact if successfully weaponized. No active exploitation confirmed at time of analysis.

Privilege Escalation Apple
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28840 HIGH PATCH This Week

Local privilege escalation in macOS allows authenticated users with low-level access to gain root privileges through a permissions enforcement flaw. Affects macOS Tahoe (pre-26.4), Sequoia (pre-15.7.7), and Sonoma (pre-14.8.7). Apple has released patches for all affected versions. Despite CVSS 7.8, EPSS score of 0.01% indicates minimal observed exploitation activity. No public exploit code identified at time of analysis, though the local attack vector and low complexity suggest post-compromise utility rather than initial access vector.

Privilege Escalation Apple
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-28919 HIGH PATCH This Week

Local privilege escalation in macOS Sequoia, Sonoma, and Tahoe allows applications to gain root privileges through a state handling flaw in the operating system. Apple patched this consistency issue in macOS Sequoia 15.7.7, Sonoma 14.8.7, and Tahoe 26.5. Despite the high CVSS score (7.8), EPSS indicates only 0.02% exploitation probability (4th percentile), no public exploit code identified at time of analysis, and no CISA KEV listing, suggesting this is not yet widely exploited but represents a significant risk in multi-user or untrusted application environments.

Privilege Escalation Apple
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34390 PHP MEDIUM PATCH GHSA This Month

Insufficient access control checks in _ProjectUsersAddCommand_ (used in *manage_proj_user_add.php* and REST API endpoint `PUT /project/{id}/users`) allows users having *manage_project_threshold* access level (*manager* by default) to grant project-level *administrator* access to any user (including themselves) in any Project they have *manager* rights in. The normal project-user add form does restrict the selectable access levels to the actor's own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. ### Impact Privilege escalation. The consequences of the privilege escalation are not as bad as it may sound, because having *administrator* access at Project level is effectively not very different from being *manager*, it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. ### Patches - 69e0180f180ed5acf48a8d281a73683a7bf32461 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue: - [Dracosec Research Limited](https://dracosec.tech/) (Siu Nam Tang, Chris Chan, Krecendo Hui, William Lam) - Vishal Shukla

Authentication Bypass Privilege Escalation PHP
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-3609 HIGH This Week

Local privilege escalation in Wellbia XIGNCODE3 anti-cheat driver (xhunter1.sys) allows any low-privileged user process to obtain a PROCESS_ALL_ACCESS handle to arbitrary processes by sending the IRP_MJ_REITS command to the kernel driver. Because XIGNCODE3 is bundled with many online games and runs with kernel privileges, a local attacker on an affected gaming system can hijack high-integrity processes including LSASS. Publicly available exploit code exists in the form of a detailed write-up, though EPSS exploitation probability remains very low at 0.02%.

Privilege Escalation Xigncode3 Anti Cheat
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-44477 Go CRITICAL PATCH GHSA Act Now

Privilege escalation and OS command execution in CloudNativePG (CNPG) versions prior to 1.28.3 and 1.29.1 allow low-privileged PostgreSQL roles to gain superuser access and execute arbitrary commands inside the primary database pod. The metrics exporter connects as the postgres superuser and only demotes via SET ROLE, leaving session_user as superuser; an attacker who owns a database (including the default `app` role) can shadow unqualified identifiers like `current_database()` referenced in the stock `default-monitoring.yaml`, triggering the chain on the next scrape (≤30s). No public exploit identified at time of analysis, but the vulnerability is highly impactful (CVSS 9.4) and affects default deployments without custom metrics.

Privilege Escalation Command Injection SQLi PostgreSQL
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-7813 PyPI CRITICAL PATCH GHSA Act Now

Authorization bypass and privilege escalation in pgAdmin 4 server mode allows authenticated users to access other users' private database servers, credentials, and background processes by guessing object IDs. Attackers can execute arbitrary shell commands as the server owner by modifying the passexec_cmd field through unprotected API endpoints. The vulnerability combines horizontal privilege escalation (accessing peer users' objects), vertical escalation (executing commands as owner), and credential theft (SSL keys, passfiles). No public exploit code identified at time of analysis, but exploitation requires only low-privilege authentication with no user interaction (CVSS PR:L/UI:N). EPSS data not provided; CISA KEV status not confirmed.

Privilege Escalation Authentication Bypass Pgadmin 4
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2025-9973 MEDIUM PATCH This Month

WSO2 Identity Server in multi-organization deployments fails to validate organization context during adaptive authentication flow execution, allowing privileged users in one organization to trigger authentication logic on other organizations. An attacker with adaptive authentication configuration privileges can exploit this context validation gap to bypass authorization boundaries, escalate privileges, and gain unauthorized access to user accounts and resources across organizational boundaries.

Authentication Bypass Privilege Escalation Wso2 Identity Server Conditional Authentication User And Roles Related Functions
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-26946 MEDIUM PATCH This Month

Improper privilege management in Dell ECS 3.8.1.0-3.8.1.7 and ObjectScale prior to 4.3.0.0 allows high-privileged local attackers to escalate privileges and gain full system access, affecting confidentiality, integrity, and availability. No public exploit code or active exploitation has been identified at the time of analysis.

Dell Privilege Escalation
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-38568 HIGH This Week

Broken object-level authorization in HireFlow v1.2 exposes all candidate profiles and interview notes to any authenticated user via direct object reference. Attackers with valid low-privilege credentials can enumerate integer IDs in /candidate/<id> and /interview/<id> endpoints to access the entire database, enabling full horizontal privilege escalation and complete data breach. No vendor patch identified at time of analysis. EPSS data not available; no evidence of active exploitation (not in CISA KEV).

Authentication Bypass Privilege Escalation
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2021-47945 HIGH POC This Week

Argus Surveillance DVR 4.0 contains an unquoted service path vulnerability in the DVRWatchdog service that allows local attackers to escalate privileges by exploiting the service binary path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Argus Surveillance Dvr
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2021-47932 CRITICAL POC Act Now

WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Authentication Bypass WordPress
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-42562 HIGH POC PATCH This Week

Privilege escalation in Plainpad versions prior to 1.1.1 allows any authenticated user to immediately grant themselves administrator privileges via a single HTTP PUT request to the user update endpoint. The vulnerability stems from the API directly accepting the admin parameter from user input without verifying the requesting user's existing privilege level. Affected instances enable low-privilege accounts to bypass authorization controls and access admin-only functionality with no special conditions beyond basic authentication. No public exploit code or active exploitation confirmed at time of analysis, though exploitation requires minimal technical skill given the straightforward attack vector (CVSS AV:N/AC:L/PR:L).

Privilege Escalation PHP
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-44788 NuGet MEDIUM GHSA This Month

Path traversal in SharpCompress `WriteToDirectory()` allows malicious ZIP and TAR archives to create directories outside the intended extraction root via relative (`../../`) and absolute path (`/tmp/`) overrides in the directory-entry fast-path. TAR archives can be further escalated to arbitrary file writes when callers implement `SymbolicLinkHandler` without validating symlink targets, enabling an attacker to write files anywhere on the filesystem subject to process permissions. CVSS 5.9 reflects moderate severity; real-world impact depends on whether the application extracts untrusted archives and implements symlink handling.

Privilege Escalation Path Traversal
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-44832 PHP HIGH PATCH GHSA This Week

### Impact An authenticated user with only `users.edit` permission can escalate their own privileges to `admin` by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permission keys to be set by any user who can update users. ### Patches Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569, fix was released in v8.4.1 ### Workarounds None.

Privilege Escalation
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-44987 LOW Monitor

SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can reset the Superusers' passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves "Project Admin" permissions. This is intentional and by design. This issue has been patched in version 2026.29.

Privilege Escalation Python
NVD GitHub
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-42205 Ruby HIGH PATCH GHSA This Week

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2.

Authentication Bypass Privilege Escalation Avo
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-42185 MEDIUM PATCH This Month

Privilege escalation in Suite Numérique People prior to version 1.25.0 allows authenticated domain administrators to remotely promote any existing user to Owner role via a crafted invitation request, without requiring acceptance from the target user. The vulnerability requires valid Administrator credentials on a mail domain but grants immediate full domain ownership, creating a severe lateral privilege escalation risk within multi-tenant deployments.

Privilege Escalation People
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-44680 npm HIGH POC PATCH GHSA This Week

SQL injection in MikroORM versions ≤7.0.13 (v7) and ≤6.6.13 (v6) allows authenticated attackers to execute arbitrary SQL queries by injecting malicious characters into schema names, JSON property filters, or query builder keys. The vulnerability stems from improper escaping of dialect-specific quote characters in identifier-quoting and JSON-path functions. Multi-tenant applications are at heightened risk of cross-tenant data leakage. Vendor-released patches are available: upgrade to 7.0.14 (v7) or 6.6.14 (v6). No public exploit identified at time of analysis, though the vulnerability was discovered during internal security review by the project maintainer.

PostgreSQL Privilege Escalation SQLi
NVD GitHub Exploit-DB VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-29203 MEDIUM PATCH This Month

A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.

Privilege Escalation Cpanel Cpanel Centos 6 Cloudlinux 6 Wp Squared
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-43433 HIGH PATCH This Week

Time-of-check-to-time-of-use (TOCTOU) race condition in Linux kernel's rust_binder implementation allows local authenticated attackers with low privileges to escalate privileges. The flaw exists in transaction offset array handling where values copied to a target process's read-only VMA are read back without protection against concurrent modification. If an attacker can write to their own supposedly read-only VMA through a separate vulnerability, they can modify offsets between write and read operations, causing the kernel to misinterpret transaction data and potentially enabling privilege escalation into the sending process. Patch available in kernel versions 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% suggests limited real-world exploitation likelihood despite CVSS 7.8 severity.

Privilege Escalation Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23561 CRITICAL Act Now

Local privilege escalation in the Xen hypervisor, disclosed as one of five issues under Xen Security Advisory XSA-489 (alongside CVE-2026-23559/23560/23562/42486), lets a malicious or compromised guest run code with more privilege than intended and cross the guest/host trust boundary. The CVSS 4.0 vector (AV:L, scope-changed with high confidentiality, integrity and availability impact to subsequent systems) indicates a guest can affect the underlying host and other guests, consistent with the CWE-250 'execution with unnecessary privileges' root cause. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Privilege Escalation
NVD
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-23562 CRITICAL Act Now

Privilege escalation in the Xen hypervisor (addressed in Xen Security Advisory XSA-489) allows an attacker executing within a guest VM to break isolation and compromise the underlying host, per its CVSS 4.0 subsequent-system impact of High across confidentiality, integrity, and availability. The flaw is rooted in execution with unnecessary privileges (CWE-250) and is one of several issues (CVE-2026-23559 through -23562 and CVE-2026-42486) disclosed together in XSA-489 v2. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a CVSS 4.0 base score of 9.4 marks it as critical for multi-tenant virtualization environments.

Privilege Escalation
NVD
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-23560 CRITICAL Act Now

Local privilege escalation in the Xen hypervisor, disclosed as part of Xen Security Advisory 489 (XSA-489, which bundles CVE-2026-23559 through CVE-2026-23562 and CVE-2026-42486), allows a malicious or compromised guest domain to break guest/host isolation and gain full control over the hypervisor and co-tenant guests. The CWE-250 (Execution with Unnecessary Privileges) root cause combined with the CVSS 4.0 scope-changed, high-impact-across-the-board vector (VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates a guest-to-host escalation rather than a mere in-guest issue. There is no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Privilege Escalation
NVD
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-23559 CRITICAL Act Now

Privilege escalation in the Xen hypervisor (disclosed as XSA-489, CVE-2026-23559, one of a bundle of RB-tree/related flaws alongside CVE-2026-23560/23561/23562/42486) allows a malicious or compromised guest to escape guest confinement and compromise the host, with full confidentiality, integrity and availability impact on both the guest and the surrounding system. The CVSS 4.0 vector (9.4) indicates a local attack surface with scope-changed high subsequent-system impact, consistent with a guest-to-hypervisor escalation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; disclosure is currently pre-NVD via the oss-security mailing list.

Privilege Escalation
NVD
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-42486 CRITICAL Act Now

Privilege escalation in the Xen hypervisor (tracked in Xen Security Advisory XSA-489, bundled with CVE-2026-23559 through CVE-2026-23562) allows a local attacker operating within a guest context to break isolation and gain control over the underlying host. The CWE-250 root cause (execution with unnecessary privileges) combined with a scope-changing CVSS 4.0 vector (9.4) means a compromised or malicious guest can impact the host and other co-resident guests. This was disclosed pre-NVD via the oss-security mailing list on 2026/04/29; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation
NVD
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-8069 HIGH This Week

Local attackers with standard user accounts can escalate to NT AUTHORITY\SYSTEM privileges in Acer PredatorSense V3 versions 3.00.3136 through 3.00.3196. The gaming utility software exposes a misconfigured Windows Named Pipe allowing arbitrary code execution and file deletion with SYSTEM privileges. CVSS 8.5 (High) reflects severe local impact with low complexity exploitation. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the technical details provided enable development of proof-of-concept code.

Privilege Escalation Microsoft RCE Path Traversal
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-8148 HIGH This Week

Local attackers with standard user credentials can escalate privileges to NT AUTHORITY\SYSTEM in NAVER MYBOX Explorer for Windows through registry manipulation. The vulnerability affects versions prior to 3.0.11.160 and stems from improper privilege checks, allowing complete system control on compromised endpoints. EPSS risk is low at 0.02% (4th percentile), indicating minimal observed exploitation probability. No active exploitation has been reported and this vulnerability is not listed in CISA KEV.

Privilege Escalation Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34354 HIGH This Week

Local privilege escalation in Akamai Guardicore Platform Agent 7.0-7.3.1 and Zero Trust Client 6.0-6.1.5 on Linux and macOS enables unprivileged users to gain root access through two distinct vectors: a TOCTOU race condition in the HandleSaveLogs() function that creates world-writable root-owned files via symlink manipulation in /tmp, and command injection in the gimmelogs diagnostic tool executing with root privileges. The vulnerability requires local access with high attack complexity (CVSS AC:H) but no authentication (PR:N), affecting endpoint security agents that typically run with elevated privileges. No active exploitation confirmed at time of analysis; EPSS data not available for this 2026 CVE identifier.

Privilege Escalation Microsoft Apple Command Injection Akamai
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-42877 PHP MEDIUM GHSA This Month

Stored XSS in FacturaScripts product search modal allows authenticated warehouse users to inject malicious JavaScript via product reference field, which executes in the browser of any user opening the search modal in sales or purchase documents. An attacker with warehouse write access can escalate privileges by executing arbitrary authenticated requests in an administrator's session, including creation of new admin accounts, without requiring the admin's password. The vulnerability exploits improper output encoding combined with HTML parser re-interpretation during innerHTML assignment.

XSS PHP Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Insufficient policy enforcement in Passwords in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Privilege Escalation Microsoft +4
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Privilege escalation in Crabbox versions prior to v0.12.0 allows authenticated users with visibility-only permissions to escalate privileges and obtain code execution, remote desktop access, and data exfiltration capabilities. By directly invoking three unprotected ticket-generation endpoints (/v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, /v1/leases/:id/egress/ticket), attackers can obtain bridge-agent credentials and impersonate trusted lease-side bridges, bypassing intended read-only access restrictions. The vulnerability was patched in v0.12.0 (commit 95cb30dc) following VulnCheck disclosure. CVSS 8.6 (High) reflects network-accessible exploitation requiring only low-privilege authentication with low attack complexity. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack is straightforward for authenticated insiders.

Authentication Bypass Privilege Escalation Crabbox
NVD GitHub
EPSS 0% CVSS 3.1
LOW Monitor

CSS injection in SAP NetWeaver Application Server ABAP allows unauthenticated remote attackers to inject malicious Cascading Style Sheets into web pages served by the application, with exploitation requiring user interaction (clicking or accessing the affected page). The injected CSS executes in the victim's browser context, resulting in low-impact confidentiality loss; integrity and availability are not affected. CVSS 3.1 reflects the limited impact and high attack complexity required.

Privilege Escalation SAP
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Privilege escalation in wger fitness manager allows gym trainers to impersonate gym managers via session-chain attack. An authenticated trainer exploits flawed session-flag logic in the trainer-login endpoint to bypass permission checks - first switching into a low-privilege user, then leveraging the inherited 'trainer.identity' session flag to hop into manager accounts. Publicly available proof-of-concept demonstrates complete takeover of gym administration with CVSS 8.1 (network-accessible, low complexity). No vendor patch confirmed at time of analysis; vulnerability actively disclosed by wger-project GitHub advisory GHSA-9qpr-vc49-hqg2. EPSS score not available, not in CISA KEV. Root cause is CWE-269 (improper privilege management) in core/views/user.py lines 169-178.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Command injection in @apostrophecms/cli apos create command allows arbitrary command execution when a user supplies specially crafted input during the interactive password prompt. The vulnerability exists in lib/commands/create.js line 186, where user-supplied password input is passed directly into a shell exec() call without sanitization or escaping, enabling attackers to inject shell metacharacters (;, &&, $()) to execute arbitrary commands with the privileges of the user running the CLI. Exploitation requires user interaction (UI:R) and high privilege context (PR:H), but publicly available proof-of-concept demonstrates successful arbitrary code execution on Ubuntu systems with Node.js.

Command Injection Ubuntu Privilege Escalation +2
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM This Month

Improper privilege management in AMD's KVM key download component allows authenticated local attackers to swap tokens and exfiltrate sensitive cryptographic keys due to insufficient access controls, potentially enabling unauthorized access to privileged resources and compromising system confidentiality. The vulnerability requires authenticated access (PR:L) but carries high confidentiality impact (VC:H), making it a significant risk in multi-tenant or shared-access environments.

Authentication Bypass Privilege Escalation
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Fleet server crashes from a single malformed gRPC request to the PublishLogs endpoint, allowing complete denial of service. An attacker with any enrolled Launcher node key can terminate the Fleet server process instantly via a crafted gRPC call. CVSS 8.7 (High) reflects the ease and impact, though exploitation requires prior enrollment of a Launcher host. Vendor-released patch version 4.81.0 available. No public exploit identified at time of analysis, but attack requires minimal sophistication given authenticated access.

Authentication Bypass Privilege Escalation Denial Of Service +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Fleet trusts untrusted client-supplied IP address headers (X-Forwarded-For, X-Real-IP, True-Client-IP) when determining source IP for incoming requests, allowing both authenticated and unauthenticated attackers to spoof their apparent IP address and bypass per-IP rate limiting controls. This enables brute-force and password-spraying attacks against authentication endpoints to scale without triggering rate-limit protections, though the vulnerability does not itself enable authentication bypass, privilege escalation, data exposure, or remote code execution.

Authentication Bypass Privilege Escalation Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the InfusedWoo Pro WordPress plugin (versions through 5.1.2) allows authenticated subscriber-level users to elevate themselves to Administrator by abusing the unprotected infusedwoo_gdpr_upddata() function to overwrite their wp_capabilities user meta. No public exploit identified at time of analysis, EPSS is very low (0.04%), and the issue is not listed in CISA KEV, but the technical impact is total once the simple authentication prerequisite is met.

Authentication Bypass Privilege Escalation WordPress +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Privilege escalation in Essential Addons for Elementor (all versions ≤ 6.5.13) allows authenticated WordPress users with Author-level access or above to create new accounts with elevated roles such as Editor by exploiting the plugin's `register_user` function, which applies an incomplete role denylist that blocks only 'administrator' while leaving other privileged roles unguarded. The network-accessible, low-complexity attack vector (AV:N/AC:L/PR:L) makes this realistic for any site with the plugin's registration widget exposed and populated with low-trust authors. No public exploit has been identified at time of analysis and CISA KEV status is absent, but the plugin's broad WordPress deployment increases aggregate exposure.

Privilege Escalation WordPress Essential Addons For Elementor Popular Elementor Templates Widgets +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass and privilege escalation in the InfusedWoo Pro WordPress plugin (versions through 5.1.2) lets unauthenticated remote attackers seize administrator accounts by abusing the iwar_save_recipe() AJAX handler. Because the endpoint lacks nonce verification and capability checks, attackers can plant a malicious automation recipe that chains an HTTP post trigger with an auto-login action, so visiting a crafted URL returns valid authentication cookies for any chosen user. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis, and EPSS sits at 0.19% (40th percentile) despite the SSVC assessment of total technical impact and automatable exploitation.

Authentication Bypass Privilege Escalation WordPress +1
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Authentication bypass in the Burst Statistics WordPress plugin versions 3.4.0 through 3.4.1.1 allows unauthenticated remote attackers to impersonate any administrator whose username they know by supplying an arbitrary Basic Authentication password. The flaw resides in flawed return-value handling within the `is_mainwp_authenticated()` function used to validate application passwords from the Authorization header, enabling privilege escalation per request. No public exploit identified at time of analysis, and EPSS is low (0.26%), but the CVSS 9.8 score and SSVC 'total' technical impact mark it as a high-severity authentication bypass worth prioritizing.

Authentication Bypass Google Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Arbitrary file read in cPanel & WHM's cpdavd service allows remote unauthenticated attackers to retrieve sensitive files from the server through attachment download endpoints that fail to properly filter paths and enforce privilege boundaries. The flaw affects multiple supported cPanel release tiers (11.120 through 11.136) and WP Squared 11.120.1.0-11.136.1.12, scoring CVSS 8.6 due to network reach without authentication, though EPSS exploitation probability is only 0.04% and no public exploit identified at time of analysis.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Local privilege escalation vulnerabilities in Palo Alto Networks GlobalProtect App on Windows, macOS, and Linux allow a low-privileged local user to elevate to NT AUTHORITY\SYSTEM (Windows) or root (macOS/Linux), enabling full OS-level command execution. The root cause is CWE-426 (Untrusted Search Path), where the application resolves executables or libraries from attacker-controllable locations. No public exploit has been identified and CISA SSVC confirms exploitation status as none; however, SSVC rates technical impact as total, reflecting the complete privilege gain achievable upon successful exploitation.

Privilege Escalation Google Apple +4
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Zoom Rooms for Windows versions prior to 7.0.0 allows an authenticated user to gain elevated privileges through an untrusted search path weakness in the installer. The flaw (CWE-426) carries a CVSS 7.8 (High) rating with complete confidentiality, integrity, and availability impact, though EPSS exploitation probability is very low (0.01%) and there is no public exploit identified at time of analysis. CISA SSVC indicates no observed exploitation but total technical impact, making this a credible insider-threat or post-compromise escalation vector rather than an internet-facing risk.

Microsoft Privilege Escalation Zoom Rooms
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 allows an authenticated low-privileged user to elevate to higher privileges through external control of a file name or path during installation routines. The flaw was reported by Zoom and carries CVSS 7.8 with total technical impact, though no public exploit identified at time of analysis and EPSS sits at 0.01%. SSVC indicates exploitation status 'none' and the attack is not automatable, marking this as a patch-on-schedule rather than emergency item.

Microsoft Privilege Escalation Zoom Workplace Vdi Plugin
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Local privilege escalation in Claude Desktop for Windows prior to 1.3834.0 allows a low-privileged user to gain SYSTEM-level file write primitives by abusing the CoworkVMService component. The service fails to validate whether the user-writable VM bundle directory is a real directory or an NTFS directory junction, enabling a classic link-following attack. No public exploit identified at time of analysis, and EPSS is negligible (0.01%), but SSVC rates technical impact as total.

Microsoft Privilege Escalation Claude Desktop
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

Hiseeu C90 v5.7.15 exposes a UART bootloader in debug mode when the device battery is disconnected, allowing unauthenticated physical attackers with direct hardware access to achieve privilege escalation and potentially execute arbitrary code with full device control. This vulnerability requires physical tampering to trigger but bypasses all software-based security controls once activated.

Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.5
HIGH POC This Week

IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerability in the IObitUnSvr service that allows local attackers to escalate privileges to SYSTEM level. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Iobit Uninstaller
NVD Exploit-DB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Configuration manipulation in F5 BIG-IP and BIG-IQ Certificate Manager allows authenticated attackers with high privileges to execute arbitrary commands with scope change. Attackers holding Certificate Manager role credentials can modify configuration objects to run system commands, escalating from administrative interface access to underlying system control. CVSS 8.7 reflects the scope change (S:C) enabling broader impact than typical privileged command injection. No public exploit identified at time of analysis. F5 has released vendor patches per K000160972.

Privilege Escalation Big Ip Big Iq
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Authenticated administrators with Resource Administrator or Administrator role can execute arbitrary system commands with elevated privileges in F5 BIG-IP scripted monitors, potentially crossing security boundaries in appliance mode deployments. The vulnerability requires high privilege level and network access but allows complete command execution with no user interaction, affecting confidentiality and integrity.

Privilege Escalation Big Ip
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrator users to elevate privileges through configuration object manipulation. The command injection flaw (CWE-77) enables attackers with existing high-privilege access to gain administrative control over the BIG-IP system. CVSS score of 8.7 reflects high impact due to scope change (compromising beyond the vulnerable component), though exploitation requires existing Resource Administrator credentials (PR:H). EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation.

Privilege Escalation Command Injection Big Ip
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrators to gain full Administrator privileges by exploiting insecure iControl SOAP API configuration handling. Attackers with high-privilege Resource Administrator access can modify configuration objects to escalate to Administrator level, achieving cross-scope access to confidential data and integrity compromise. EPSS risk assessment unavailable, but exploitation requires legitimate Resource Administrator credentials and network access to management interface, limiting attack surface to insider threats or compromised administrative accounts.

Privilege Escalation Information Disclosure Path Traversal +1
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Command injection in F5 BIG-IP and BIG-IQ SNMP configuration allows highly privileged Resource Administrators to escalate privileges to root via crafted iControl REST API calls or TMOS shell commands. Despite the high CVSS score (8.7), exploitation requires existing Resource Administrator credentials, significantly limiting real-world attack surface to insider threats or post-compromise scenarios. Vendor-released patches are available per F5 security advisory K000160981.

Privilege Escalation Command Injection Big Ip +1
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrators or Administrators to execute arbitrary OS commands by creating malicious SNMP configuration objects via the legacy iControl SOAP API. Attackers with high-level administrative credentials can break out of their role constraints to gain full system control. F5 has released patches addressing this command injection flaw (CWE-78). No active exploitation confirmed at time of analysis, but the CVSS:3.1 Changed Scope indicator and attack complexity of Low make this exploitable by any administrator with SOAP API access.

Privilege Escalation Command Injection Big Ip
NVD VulDB
EPSS 0% 5.1 CVSS 7.8
HIGH POC PATCH Act Now

Local privilege escalation in Linux kernel XFRM ESP-in-TCP subsystem (Fragnesia vulnerability) allows authenticated local attackers to overwrite kernel memory structures by exploiting arbitrary byte writes into the kernel page cache of read-only files. CVSS score of 7.8 reflects high impact across confidentiality, integrity, and availability. Low attack complexity (AC:L) and no user interaction requirement (UI:N) make this exploitable by any local user with basic privileges. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, but the specific vulnerability name 'Fragnesia' suggests coordinated disclosure with security research community.

Privilege Escalation Linux
NVD VulDB GitHub Exploit-DB
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

Privilege escalation in the mk_mysql agent plugin on Windows in Checkmk <2.4.0p29, <2.3.0p47, and 2.2.0 (EOL) allows a local unprivileged user able to create a Windows service whose name matches. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity.

Microsoft RCE Privilege Escalation
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique identifier.

Privilege Escalation Samsung Mobile Devices
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

VMware Heap Overflow Privilege Escalation +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

VMware Privilege Escalation RCE +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge This vulnerability is fixed in 7.3.2.

Privilege Escalation PHP CSRF
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

### Impact - Arbitrary File Write - An attacker can cause the server to write data to any file path it has write permission for. - Privilege Escalation / RCE - By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges. ### Exploit The legacy router first retrieves a response from `legacyServer`, parses the incoming request path, and ultimately writes the data to storage via `buildStorage.Put` (see <https://github.com/esm-dev/esm.sh/blob/4312ae93e518121e764a18bb521af12e490ef137/server/legacy_router.go#L291>). For a URL such as: ``` http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/<attacker>/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned ``` the router concatenates the path components without sanitizing them, producing a storage key like: ``` legacy/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned ``` When this key is used, the underlying file system resolves the relative segments and writes the file to `/tmp/pwned`. Thus an attacker can craft a request that writes data to arbitrary locations on the server. ### Details 1. **URL Construction** A crafted request is sent to the server: ``` http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/<attacker>/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned ``` 2. **Proxy to Legacy Server** The request is forwarded to: ``` http://legacy.esm.sh/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../tmp/pwned ``` which resolves to: ``` http://legacy.esm.sh/gh/<attacker>/exp@1171e85d5d/foo.md ``` 3. **File Retrieval** The server fetches `foo.md` from the GitHub repository `https://github.com/<attacker>/exp`. 4. **Path Normalisation & Storage** The storage path derived from the request is: ``` legacy/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned ``` Normalising this path yields `/tmp/pwned`. The retrieved file content is then written to that location. 5. **Result** By repeating this pattern, an attacker can overwrite arbitrary binaries or scripts on the server, paving the way for remote code execution. ### Credit Discovery To splitline (@\_splitline\_) from DEVCORE Research Team

Privilege Escalation RCE Path Traversal
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Linux ksmbd contains a remote memory corruption vulnerability in the ACL inheritance path that allows remote clients with directory creation permissions to trigger a heap out-of-bounds read and subsequent heap corruption by setting a crafted DACL with a malformed SID containing an inflated num_subauth field. Attackers can exploit this vulnerability by creating a directory, setting the malicious DACL via SMB2_SET_INFO, and creating child entries to cause kernel instability, denial of service, or potentially achieve privilege escalation to kernel code execution.

Denial Of Service Buffer Overflow RCE +5
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users - a permission typically delegated to wiki moderators for account management - can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313.

Privilege Escalation Node.js
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

Improper input validation for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Microsoft Intel
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Out-of-bounds write for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Microsoft Buffer Overflow Memory Corruption +2
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Improper privilege management in Microsoft Dynamics 365 Customer Insights allows an authorized attacker to elevate privileges over a network.

Privilege Escalation Microsoft
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Exploit Unlikely Act Now

Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

Privilege Escalation Microsoft
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Uncontrolled search path for some AI Playground software before version 3.0.0 alpha within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Ai Playground Software
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Improper input validation for some Intel Endpoint Management Assistant (EMA) software before version 1.14.5 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Intel
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Uncontrolled search path for some Intel(R) Server Firmware Update Utility Software before version 16.0.12. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Intel
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Buffer overflow for the Intel(R) Data Center Graphics Driver for VMware ESXi software before version 2.0.2 within Ring 1: Device Drivers may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (high) impacts.

Buffer Overflow VMware RCE +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Uncontrolled search path for some Intel(R) Connectivity Performance Suite software installers before version 50.25.1121.193 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Intel
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Integer overflow in the UEFI firmware for the Slim Bootloader may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (high) impacts.

Integer Overflow Privilege Escalation RCE +1
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Untrusted pointer dereference for some Intel(R) QuickAssist Adapter 8960 software before version 1.13 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Intel
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Incorrect default permissions for some Intel(R) NPU Driver software installers before version 32.0.100.4511 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Intel
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Server-Side Request Forgery (SSRF) in Pandora FMS versions 777-800 enables authenticated attackers to escalate privileges through the API Checker extension. Attackers with low-privilege network access can force the server to make arbitrary requests, potentially accessing internal resources and escalating to higher confidentiality impact (CVSS VC:H). EPSS data not available; no confirmed active exploitation (not in CISA KEV). Vendor has acknowledged the issue per PandoraFMS security advisory, indicating patch development is likely underway.

Privilege Escalation SSRF Pandora Fms
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated arbitrary file read in dalfox REST API server mode allows remote attackers to exfiltrate sensitive files from the host filesystem. The vulnerability chains two flaws: missing authentication middleware when no API key is set (default configuration), and unsanitized deserialization of the `custom-payload-file` JSON parameter directly into the scan engine. Remote attackers can supply any file path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, cloud credential files) and the engine reads each line, embeds it as an XSS payload, and transmits it to an attacker-controlled HTTP endpoint via dalfox's own scan traffic. No exploit code is publicly identified at time of analysis; vendor-released patch available in version 2.13.0.

Authentication Bypass XSS Privilege Escalation
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Ivanti Endpoint Manager agent allows authenticated users to gain SYSTEM-level privileges via incorrect file or registry permissions. Affects all versions prior to 2024 SU6. Vendor has released a patch (version 2024 SU6). No evidence of active exploitation or public POC identified at time of analysis, though EPSS data not available. Organizations running EPM agents on managed endpoints should prioritize patching given the high CVSS score (7.8) and potential for lateral movement across enterprise environments.

Privilege Escalation Ivanti
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Race condition in Ivanti Secure Access Client enables local privilege escalation to SYSTEM from low-privileged accounts. Affects versions before 22.8R6. An authenticated local user can exploit timing vulnerabilities in the client software to gain complete system control. While limited to local attack vector (requires existing access to the target system), the low attack complexity (AC:L) and lack of user interaction requirement (UI:N) make this exploitable once local access is achieved. No public exploit code identified at time of analysis, and EPSS risk scoring not yet available for this 2026 CVE.

Privilege Escalation Race Condition Ivanti
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Local privilege escalation in Dell PowerScale InsightIQ versions 5.0.0 through 6.2.0 allows high-privileged attackers to execute code with unnecessary elevated privileges, potentially escalating to full system compromise. The vulnerability requires existing local access and high privilege level on the affected system; no public exploit has been identified at time of analysis.

Dell Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Turboard FOR-S allows remote unauthenticated attackers to gain elevated access by exploiting incorrect authorization checks, requiring only user interaction. The vulnerability affects versions 7.01.2026 through 17.02.2026, with fix available in version 18.02.2026. Turkish national CERT (TR-CERT) reported this authorization bypass vulnerability (CWE-863), which enables attackers to compromise confidentiality, integrity, and availability of the affected business intelligence platform.

Authentication Bypass Privilege Escalation Turboard For S
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote unauthenticated attackers can access confidential data from other users' chat sessions in Spring AI applications due to insecure default configuration in the chat memory component. The vulnerability allows network-based exploitation with no authentication required (CVSS:3.1 AV:N/AC:L/PR:N/UI:N) and impacts confidentiality only (C:H/I:N/A:N), enabling cross-user data leakage in multi-tenant AI chat implementations. Reported by VMware, affecting Java-based Spring AI deployments where developers have not explicitly configured chat memory isolation.

Information Disclosure Java Privilege Escalation
NVD
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Weak credential generation in Ingeteam's Ingecon Sun EMS Board Technical Support access mechanism allows remote privilege escalation via cryptographic weakness. The SAT (Technical Support) access feature generates credentials using a weak hashing algorithm instead of cryptographically secure methods, enabling attackers to predict or derive privileged access credentials. CVSS 9.2 reflects network-accessible attack with high complexity but no authentication required. INCIBE coordinated disclosure confirms vendor patch availability, and a practical analysis of the vulnerability has been published by ReverseMode, indicating detailed technical understanding exists in the research community.

Privilege Escalation Ingecon Sun Ems Board
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Improper input validation in an Axis OS configuration file allows authenticated SSH users to execute code and potentially escalate privileges. The vulnerability requires valid SSH credentials but affects all Axis OS versions, making it a significant risk for organizations running Axis network devices with SSH access exposed or shared credentials.

Privilege Escalation RCE Axis Os
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Privilege escalation in Axis OS via path traversal in ACAP configuration files allows high-privileged local attackers to achieve code execution with elevated permissions. The vulnerability requires the device to be configured for unsigned ACAP application installation and the attacker to socially engineer a user into installing a malicious ACAP application. CVSS 6.7 reflects high confidentiality, integrity, and availability impact, but exploitation is constrained by high-privilege requirement and user interaction. No public exploit code or active exploitation has been identified at time of analysis.

Privilege Escalation Path Traversal Axis Os
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Command injection in Axis OS ACAP configuration file processing allows privilege escalation when unsigned ACAP applications are enabled and a user installs a malicious application. The vulnerability requires high-privileged user interaction and local access but bypasses normal code signing protections to achieve code execution with elevated privileges.

Privilege Escalation Command Injection Axis Os
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Axis OS allows privilege escalation via improper input validation during ACAP application installation when unsigned applications are permitted, enabling authenticated attackers with high privileges to gain elevated system access. The vulnerability requires explicit administrative configuration allowing unsigned ACAP installations and victim interaction to install a malicious application. No public exploit code or active exploitation has been confirmed at time of analysis.

Privilege Escalation Axis Os
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. This vulnerability is fixed in 1.7.0.

Privilege Escalation Outline
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.

Privilege Escalation Pi Hole
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandbox escape vulnerability in Apple operating systems allows malicious apps with low privileges to break out of application sandbox and execute code with elevated privileges on the host system. Affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS across multiple versions. Apple has released patches for all affected platforms. EPSS score of 0.02% (7th percentile) indicates low probability of mass exploitation in the wild, though the CVSS 8.8 score reflects significant potential impact if successfully weaponized. No active exploitation confirmed at time of analysis.

Privilege Escalation Apple
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in macOS allows authenticated users with low-level access to gain root privileges through a permissions enforcement flaw. Affects macOS Tahoe (pre-26.4), Sequoia (pre-15.7.7), and Sonoma (pre-14.8.7). Apple has released patches for all affected versions. Despite CVSS 7.8, EPSS score of 0.01% indicates minimal observed exploitation activity. No public exploit code identified at time of analysis, though the local attack vector and low complexity suggest post-compromise utility rather than initial access vector.

Privilege Escalation Apple
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in macOS Sequoia, Sonoma, and Tahoe allows applications to gain root privileges through a state handling flaw in the operating system. Apple patched this consistency issue in macOS Sequoia 15.7.7, Sonoma 14.8.7, and Tahoe 26.5. Despite the high CVSS score (7.8), EPSS indicates only 0.02% exploitation probability (4th percentile), no public exploit code identified at time of analysis, and no CISA KEV listing, suggesting this is not yet widely exploited but represents a significant risk in multi-user or untrusted application environments.

Privilege Escalation Apple
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Insufficient access control checks in _ProjectUsersAddCommand_ (used in *manage_proj_user_add.php* and REST API endpoint `PUT /project/{id}/users`) allows users having *manage_project_threshold* access level (*manager* by default) to grant project-level *administrator* access to any user (including themselves) in any Project they have *manager* rights in. The normal project-user add form does restrict the selectable access levels to the actor's own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. ### Impact Privilege escalation. The consequences of the privilege escalation are not as bad as it may sound, because having *administrator* access at Project level is effectively not very different from being *manager*, it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. ### Patches - 69e0180f180ed5acf48a8d281a73683a7bf32461 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue: - [Dracosec Research Limited](https://dracosec.tech/) (Siu Nam Tang, Chris Chan, Krecendo Hui, William Lam) - Vishal Shukla

Authentication Bypass Privilege Escalation PHP
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Wellbia XIGNCODE3 anti-cheat driver (xhunter1.sys) allows any low-privileged user process to obtain a PROCESS_ALL_ACCESS handle to arbitrary processes by sending the IRP_MJ_REITS command to the kernel driver. Because XIGNCODE3 is bundled with many online games and runs with kernel privileges, a local attacker on an affected gaming system can hijack high-integrity processes including LSASS. Publicly available exploit code exists in the form of a detailed write-up, though EPSS exploitation probability remains very low at 0.02%.

Privilege Escalation Xigncode3 Anti Cheat
NVD
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Privilege escalation and OS command execution in CloudNativePG (CNPG) versions prior to 1.28.3 and 1.29.1 allow low-privileged PostgreSQL roles to gain superuser access and execute arbitrary commands inside the primary database pod. The metrics exporter connects as the postgres superuser and only demotes via SET ROLE, leaving session_user as superuser; an attacker who owns a database (including the default `app` role) can shadow unqualified identifiers like `current_database()` referenced in the stock `default-monitoring.yaml`, triggering the chain on the next scrape (≤30s). No public exploit identified at time of analysis, but the vulnerability is highly impactful (CVSS 9.4) and affects default deployments without custom metrics.

Privilege Escalation Command Injection SQLi +1
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Authorization bypass and privilege escalation in pgAdmin 4 server mode allows authenticated users to access other users' private database servers, credentials, and background processes by guessing object IDs. Attackers can execute arbitrary shell commands as the server owner by modifying the passexec_cmd field through unprotected API endpoints. The vulnerability combines horizontal privilege escalation (accessing peer users' objects), vertical escalation (executing commands as owner), and credential theft (SSL keys, passfiles). No public exploit code identified at time of analysis, but exploitation requires only low-privilege authentication with no user interaction (CVSS PR:L/UI:N). EPSS data not provided; CISA KEV status not confirmed.

Privilege Escalation Authentication Bypass Pgadmin 4
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

WSO2 Identity Server in multi-organization deployments fails to validate organization context during adaptive authentication flow execution, allowing privileged users in one organization to trigger authentication logic on other organizations. An attacker with adaptive authentication configuration privileges can exploit this context validation gap to bypass authorization boundaries, escalate privileges, and gain unauthorized access to user accounts and resources across organizational boundaries.

Authentication Bypass Privilege Escalation Wso2 Identity Server +1
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Improper privilege management in Dell ECS 3.8.1.0-3.8.1.7 and ObjectScale prior to 4.3.0.0 allows high-privileged local attackers to escalate privileges and gain full system access, affecting confidentiality, integrity, and availability. No public exploit code or active exploitation has been identified at the time of analysis.

Dell Privilege Escalation
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Broken object-level authorization in HireFlow v1.2 exposes all candidate profiles and interview notes to any authenticated user via direct object reference. Attackers with valid low-privilege credentials can enumerate integer IDs in /candidate/<id> and /interview/<id> endpoints to access the entire database, enabling full horizontal privilege escalation and complete data breach. No vendor patch identified at time of analysis. EPSS data not available; no evidence of active exploitation (not in CISA KEV).

Authentication Bypass Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.5
HIGH POC This Week

Argus Surveillance DVR 4.0 contains an unquoted service path vulnerability in the DVRWatchdog service that allows local attackers to escalate privileges by exploiting the service binary path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Argus Surveillance Dvr
NVD Exploit-DB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Authentication Bypass WordPress
NVD Exploit-DB
EPSS 0% CVSS 8.3
HIGH POC PATCH This Week

Privilege escalation in Plainpad versions prior to 1.1.1 allows any authenticated user to immediately grant themselves administrator privileges via a single HTTP PUT request to the user update endpoint. The vulnerability stems from the API directly accepting the admin parameter from user input without verifying the requesting user's existing privilege level. Affected instances enable low-privilege accounts to bypass authorization controls and access admin-only functionality with no special conditions beyond basic authentication. No public exploit code or active exploitation confirmed at time of analysis, though exploitation requires minimal technical skill given the straightforward attack vector (CVSS AV:N/AC:L/PR:L).

Privilege Escalation PHP
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

Path traversal in SharpCompress `WriteToDirectory()` allows malicious ZIP and TAR archives to create directories outside the intended extraction root via relative (`../../`) and absolute path (`/tmp/`) overrides in the directory-entry fast-path. TAR archives can be further escalated to arbitrary file writes when callers implement `SymbolicLinkHandler` without validating symlink targets, enabling an attacker to write files anywhere on the filesystem subject to process permissions. CVSS 5.9 reflects moderate severity; real-world impact depends on whether the application extracts untrusted archives and implements symlink handling.

Privilege Escalation Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

### Impact An authenticated user with only `users.edit` permission can escalate their own privileges to `admin` by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permission keys to be set by any user who can update users. ### Patches Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569, fix was released in v8.4.1 ### Workarounds None.

Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 3.8
LOW Monitor

SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can reset the Superusers' passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves "Project Admin" permissions. This is intentional and by design. This issue has been patched in version 2026.29.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2.

Authentication Bypass Privilege Escalation Avo
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Privilege escalation in Suite Numérique People prior to version 1.25.0 allows authenticated domain administrators to remotely promote any existing user to Owner role via a crafted invitation request, without requiring acceptance from the target user. The vulnerability requires valid Administrator credentials on a mail domain but grants immediate full domain ownership, creating a severe lateral privilege escalation risk within multi-tenant deployments.

Privilege Escalation People
NVD GitHub
EPSS 0% CVSS 7.6
HIGH POC PATCH This Week

SQL injection in MikroORM versions ≤7.0.13 (v7) and ≤6.6.13 (v6) allows authenticated attackers to execute arbitrary SQL queries by injecting malicious characters into schema names, JSON property filters, or query builder keys. The vulnerability stems from improper escaping of dialect-specific quote characters in identifier-quoting and JSON-path functions. Multi-tenant applications are at heightened risk of cross-tenant data leakage. Vendor-released patches are available: upgrade to 7.0.14 (v7) or 6.6.14 (v6). No public exploit identified at time of analysis, though the vulnerability was discovered during internal security review by the project maintainer.

PostgreSQL Privilege Escalation SQLi
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.

Privilege Escalation Cpanel Cpanel Centos 6 Cloudlinux 6 +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Time-of-check-to-time-of-use (TOCTOU) race condition in Linux kernel's rust_binder implementation allows local authenticated attackers with low privileges to escalate privileges. The flaw exists in transaction offset array handling where values copied to a target process's read-only VMA are read back without protection against concurrent modification. If an attacker can write to their own supposedly read-only VMA through a separate vulnerability, they can modify offsets between write and read operations, causing the kernel to misinterpret transaction data and potentially enabling privilege escalation into the sending process. Patch available in kernel versions 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% suggests limited real-world exploitation likelihood despite CVSS 7.8 severity.

Privilege Escalation Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Local privilege escalation in the Xen hypervisor, disclosed as one of five issues under Xen Security Advisory XSA-489 (alongside CVE-2026-23559/23560/23562/42486), lets a malicious or compromised guest run code with more privilege than intended and cross the guest/host trust boundary. The CVSS 4.0 vector (AV:L, scope-changed with high confidentiality, integrity and availability impact to subsequent systems) indicates a guest can affect the underlying host and other guests, consistent with the CWE-250 'execution with unnecessary privileges' root cause. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Privilege Escalation
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Privilege escalation in the Xen hypervisor (addressed in Xen Security Advisory XSA-489) allows an attacker executing within a guest VM to break isolation and compromise the underlying host, per its CVSS 4.0 subsequent-system impact of High across confidentiality, integrity, and availability. The flaw is rooted in execution with unnecessary privileges (CWE-250) and is one of several issues (CVE-2026-23559 through -23562 and CVE-2026-42486) disclosed together in XSA-489 v2. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a CVSS 4.0 base score of 9.4 marks it as critical for multi-tenant virtualization environments.

Privilege Escalation
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Local privilege escalation in the Xen hypervisor, disclosed as part of Xen Security Advisory 489 (XSA-489, which bundles CVE-2026-23559 through CVE-2026-23562 and CVE-2026-42486), allows a malicious or compromised guest domain to break guest/host isolation and gain full control over the hypervisor and co-tenant guests. The CWE-250 (Execution with Unnecessary Privileges) root cause combined with the CVSS 4.0 scope-changed, high-impact-across-the-board vector (VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates a guest-to-host escalation rather than a mere in-guest issue. There is no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Privilege Escalation
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Privilege escalation in the Xen hypervisor (disclosed as XSA-489, CVE-2026-23559, one of a bundle of RB-tree/related flaws alongside CVE-2026-23560/23561/23562/42486) allows a malicious or compromised guest to escape guest confinement and compromise the host, with full confidentiality, integrity and availability impact on both the guest and the surrounding system. The CVSS 4.0 vector (9.4) indicates a local attack surface with scope-changed high subsequent-system impact, consistent with a guest-to-hypervisor escalation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; disclosure is currently pre-NVD via the oss-security mailing list.

Privilege Escalation
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Privilege escalation in the Xen hypervisor (tracked in Xen Security Advisory XSA-489, bundled with CVE-2026-23559 through CVE-2026-23562) allows a local attacker operating within a guest context to break isolation and gain control over the underlying host. The CWE-250 root cause (execution with unnecessary privileges) combined with a scope-changing CVSS 4.0 vector (9.4) means a compromised or malicious guest can impact the host and other co-resident guests. This was disclosed pre-NVD via the oss-security mailing list on 2026/04/29; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Local attackers with standard user accounts can escalate to NT AUTHORITY\SYSTEM privileges in Acer PredatorSense V3 versions 3.00.3136 through 3.00.3196. The gaming utility software exposes a misconfigured Windows Named Pipe allowing arbitrary code execution and file deletion with SYSTEM privileges. CVSS 8.5 (High) reflects severe local impact with low complexity exploitation. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the technical details provided enable development of proof-of-concept code.

Privilege Escalation Microsoft RCE +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local attackers with standard user credentials can escalate privileges to NT AUTHORITY\SYSTEM in NAVER MYBOX Explorer for Windows through registry manipulation. The vulnerability affects versions prior to 3.0.11.160 and stems from improper privilege checks, allowing complete system control on compromised endpoints. EPSS risk is low at 0.02% (4th percentile), indicating minimal observed exploitation probability. No active exploitation has been reported and this vulnerability is not listed in CISA KEV.

Privilege Escalation Microsoft
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Local privilege escalation in Akamai Guardicore Platform Agent 7.0-7.3.1 and Zero Trust Client 6.0-6.1.5 on Linux and macOS enables unprivileged users to gain root access through two distinct vectors: a TOCTOU race condition in the HandleSaveLogs() function that creates world-writable root-owned files via symlink manipulation in /tmp, and command injection in the gimmelogs diagnostic tool executing with root privileges. The vulnerability requires local access with high attack complexity (CVSS AC:H) but no authentication (PR:N), affecting endpoint security agents that typically run with elevated privileges. No active exploitation confirmed at time of analysis; EPSS data not available for this 2026 CVE identifier.

Privilege Escalation Microsoft Apple +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in FacturaScripts product search modal allows authenticated warehouse users to inject malicious JavaScript via product reference field, which executes in the browser of any user opening the search modal in sales or purchase documents. An attacker with warehouse write access can escalate privileges by executing arbitrary authenticated requests in an administrator's session, including creation of new admin accounts, without requiring the admin's password. The vulnerability exploits improper output encoding combined with HTML parser re-interpretation during innerHTML assignment.

XSS PHP Privilege Escalation
NVD GitHub VulDB
Prev Page 8 of 148 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy