Skip to main content

Privilege Escalation

13294 CVEs technique

Monthly

CVE-2026-42877 PHP MEDIUM GHSA This Month

Stored XSS in FacturaScripts product search modal allows authenticated warehouse users to inject malicious JavaScript via product reference field, which executes in the browser of any user opening the search modal in sales or purchase documents. An attacker with warehouse write access can escalate privileges by executing arbitrary authenticated requests in an administrator's session, including creation of new admin accounts, without requiring the admin's password. The vulnerability exploits improper output encoding combined with HTML parser re-interpretation during innerHTML assignment.

XSS PHP Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44406 MEDIUM This Month

DLL hijacking in ZTE Cloud PC client uSmartView allows unauthenticated local attackers to achieve arbitrary code execution and privilege escalation by planting a malicious DLL that is loaded by uSmartViewServiceAgent.exe running with SYSTEM privileges. The vulnerability requires local access but no authentication and affects multiple ZXCloud IRAI product versions. No public exploit code or active exploitation has been confirmed at this time.

Zte Privilege Escalation RCE Buffer Overflow
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-40004 MEDIUM This Month

ZTE Cloud PC client uSmartview contains an OpenSSL configuration file privilege escalation vulnerability (CVE-2026-40004) that allows authenticated local attackers with user-level privileges to execute arbitrary code and escalate to higher privilege levels through a malicious openssl.cnf file. This requires physical access or local system access combined with user interaction, and affects ZTE's virtualized desktop infrastructure product. The CVSS score of 5.5 reflects the physical attack vector and additional user interaction requirement, despite the severity of code execution and cross-system scope impact.

Zte Privilege Escalation RCE OpenSSL
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-42550 PHP HIGH PATCH GHSA This Week

SQL injection in Flight PHP framework's SimplePdo database helpers allows privilege escalation through crafted array keys. Applications forwarding user-controlled request data shapes to insert(), update(), or delete() methods enable remote authenticated attackers to inject arbitrary SQL, create administrative accounts, modify sensitive columns, or exfiltrate data. Vendor-released patch in version 3.18.1 validates identifiers with safe-identifier regex. Publicly available proof-of-concept demonstrates privilege escalation via malicious JSON request keys. Researcher @Rootingg discovered and reported through GitHub Security Advisory GHSA-xwqr-rcqg-22mr.

Privilege Escalation PHP SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-42844 PHP HIGH PATCH GHSA This Week

Privilege escalation in Grav CMS 2.0.0-beta.2 allows authenticated API users with minimal media.write permissions to fabricate super-admin accounts via arbitrary YAML file upload. The /api/v1/blueprint-upload endpoint accepts attacker-controlled destination and scope parameters that, when combined with specific values (destination=self@: and scope=users/anything), write files directly into user/accounts/. Because Grav parses YAML files in this directory as authoritative user accounts and accepts plaintext passwords on first login, attackers craft a new account with api.super privileges, then authenticate as that account to gain full administrative control. Publicly available exploit code exists (detailed PoC in vendor advisory). Vendor-released patch restricts accounts directory uploads to image-only extensions and blocks config-bearing file types (YAML, JSON, Twig) across all blueprint-upload targets.

Privilege Escalation PHP RCE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-43578 npm CRITICAL PATCH Act Now

Privilege escalation in OpenClaw 2026.3.31 through 2026.4.9 allows remote unauthenticated attackers to maintain elevated execution context by injecting malicious async completion events that bypass heartbeat owner-downgrade detection. The flaw stems from incomplete pattern matching in local background exec completion filtering, enabling attackers to submit untrusted completion content that prevents proper privilege de-escalation after operations complete. Vendor-released patch available in version 2026.4.10 and later. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis, but CVSS 9.1 critical rating reflects network-accessible attack surface with no authentication required.

Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
9.1
EPSS
0.1%
CVE-2026-44304 PyPI HIGH PATCH GHSA This Week

LDAP filter injection in Netflix Lemur certificate management platform allows authenticated users with valid LDAP credentials to escalate privileges to administrator by injecting metacharacters into the username field during login. Attackers manipulate group membership queries to gain unauthorized admin roles, enabling access to all certificates, private keys via /certificates/<id>/key endpoint, and CA configurations. Vendor-released patch confirmed in version 1.9.0 (GitHub advisory GHSA-3r34-vq8m-39gh). CVSS 8.1 indicates high confidentiality and integrity impact with low attack complexity from network-authenticated attackers. No public exploit code identified at time of analysis, though detailed reproduction steps exist in the advisory.

Authentication Bypass Python Privilege Escalation LDAP Code Injection
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41936 HIGH PATCH This Week

XML external entity injection in Vvveb CMS versions before 1.0.8.2 allows authenticated site_admin users to read arbitrary server files and overwrite administrator password hashes via the admin Tools/Import feature. The vulnerability resides in system/import/xml.php where LIBXML_NOENT flag enabled external entity resolution, allowing injection of file:// and php://filter protocols. Attackers with low-privilege admin accounts can escalate to full administrator access by replacing password hashes in the database. Vendor-released patch version 1.0.8.2 removes LIBXML_NOENT flag. No active exploitation confirmed by CISA KEV at time of analysis.

XXE Privilege Escalation PHP
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2024-30151 HIGH This Week

HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Information Disclosure Bigfix Service Management Sm
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-8007 HIGH PATCH This Week

Privilege escalation in Google Chrome's Cast component (versions prior to 148.0.7778.96) allows remote attackers to elevate from renderer to higher-privilege browser process via specially crafted HTML page after initial renderer compromise. Despite 7.5 CVSS score, Chromium security team rates this as Low severity, indicating limited real-world impact. Vendor patch released in version 148.0.7778.96. No public exploit identified at time of analysis.

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-7997 HIGH PATCH This Week

Local privilege escalation in Google Chrome's macOS Updater component allows attackers to gain OS-level administrative privileges through malicious files. The flaw affects Chrome versions prior to 148.0.7778.96 on macOS and requires user interaction to exploit. Google has released Chrome 148.0.7778.96 to address this vulnerability. Despite the 7.8 CVSS score, Google rates this as Low severity, reflecting the local attack vector and user interaction requirement that significantly constrain real-world exploitation scenarios.

Privilege Escalation Google Red Hat Suse Chrome
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7994 HIGH PATCH This Week

Local privilege escalation in Google Chrome Chromoting (prior to 148.0.7778.96) on Windows allows attackers to gain elevated OS-level privileges by tricking users into opening a malicious file. While CVSS scores this as high severity (7.8), real-world risk is tempered by local access and required user interaction (CVSS: AV:L/UI:R). Vendor patch available in version 148.0.7778.96 released May 2026. No active exploitation (CISA KEV) or public exploit code identified at time of analysis.

Privilege Escalation Microsoft Google Red Hat Suse +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7990 HIGH PATCH This Week

Local privilege escalation in Google Chrome's Windows updater component allows unprivileged users to gain SYSTEM-level access by exploiting insufficient input validation when the updater processes a specially crafted malicious file. Affects all Chrome versions on Windows prior to 148.0.7778.96. Google has released a patched version (148.0.7778.96). No active exploitation confirmed by CISA KEV at time of analysis, though the local attack vector and medium severity rating suggest potential for targeted attacks in enterprise environments where Chrome auto-update may be delayed.

Privilege Escalation Microsoft Google Red Hat Suse +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7978 HIGH PATCH This Week

OS-level privilege escalation in Google Chrome for macOS allows remote attackers to gain elevated system privileges through malicious network traffic exploiting the Companion component. Affects all Chrome versions prior to 148.0.7778.96 on Mac. Vendor-released patch available (Chrome 148.0.7778.96). No public exploit or active exploitation confirmed at time of analysis, though high-complexity network-based attack vector (CVSS AV:N/AC:H) suggests specialized exploitation requirements despite unauthenticated remote access.

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-7977 MEDIUM PATCH This Month

Inappropriate implementation in Canvas in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-7971 MEDIUM PATCH This Month

Inappropriate implementation in ORB in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-7948 HIGH PATCH This Week

Local privilege escalation in Google Chrome Chromoting (remote desktop component) allows authenticated Windows users to gain elevated system privileges through a race condition exploit triggered by a malicious file. Fixed in Chrome 148.0.7778.96. The vulnerability requires user interaction and high attack complexity (AC:H), limiting automated exploitation despite the 7.5 CVSS score. No public exploit identified at time of analysis, and not listed in CISA KEV.

Privilege Escalation Microsoft Race Condition Google Red Hat +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7930 HIGH PATCH This Week

Privilege escalation in Google Chrome versions prior to 148.0.7778.96 enables remote attackers to elevate privileges through malicious HTML pages exploiting improper cookie validation. The vulnerability requires user interaction (clicking a link or visiting a malicious site) but no authentication, making it viable for phishing or watering-hole attacks. CVSS score of 8.8 indicates high severity across confidentiality, integrity, and availability. Vendor-released patch available in Chrome 148.0.7778.96 per Google's stable channel update. EPSS and KEV data not provided; exploitation status unknown at time of analysis.

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7925 HIGH PATCH This Week

Use-after-free memory corruption in Chrome Remote Desktop (Chromoting) on Windows enables local privilege escalation to SYSTEM via malicious file interaction. Attackers with local access can gain OS-level administrative control by inducing users to open specially crafted files processed by the Chromoting component. Patch available in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV), but the local attack vector with low complexity and high impact warrants immediate patching for Windows Chrome deployments, especially in multi-user environments where privilege boundaries are critical.

Denial Of Service Microsoft Use After Free Memory Corruption Privilege Escalation +4
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7913 HIGH PATCH This Week

Local privilege escalation in Google Chrome for Android prior to 148.0.7778.96 allows attackers to elevate privileges through malicious files exploiting insufficient policy enforcement in DevTools. The vulnerability requires user interaction to open a crafted file but grants no authentication requirement (PR:N) for the initial attack vector. Google released patch version 148.0.7778.96 addressing this high-severity flaw. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting exploitation remains theoretical or non-widespread.

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40001 MEDIUM This Month

Local privilege escalation in ZTE PROCESS Guard Service allows authenticated local users to escalate privileges and achieve arbitrary code execution through improper access control enforcement, affecting the cloud computer client. The vulnerability requires local access and authenticated user context but operates across system boundaries, potentially compromising system integrity. No active exploitation has been confirmed at time of analysis, though the combination of privilege escalation and RCE capability makes this a moderate-priority local threat.

Privilege Escalation RCE Zte Path Traversal
NVD
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-44218 PyPI LOW PATCH GHSA Monitor

The ciguard static analysis container image (versions 0.1.0-0.8.1) runs as root due to a missing USER directive in the Dockerfile, creating a privilege-escalation amplification risk for future container-runtime escape vulnerabilities. This is a defence-in-depth gap rather than a directly exploitable vulnerability; it reduces the impact of hypothetical escapes (such as runc CVE-2024-21626) from host-root compromise to non-root user compromise. Vendor-released patch in v0.8.2 adds a dedicated non-root ciguard user and USER directive, verified by container inspection and automated regression testing in v0.8.3.

Privilege Escalation Docker
NVD GitHub
CVSS 3.1
3.0
EPSS
0.0%
CVE-2026-42541 Go MEDIUM PATCH GHSA This Month

Kubewarden versions before 1.35.0 permit RBAC reconnaissance attacks when users with AdmissionPolicy or AdmissionPolicyGroup creation privileges craft policies using the unchecked `can_i` host capability. The vulnerability allows enumeration of any user or service account permissions across the cluster via SubjectAccessReview requests executed with policy-server privileges, despite the absence of context-aware resource grants. This information disclosure enables attackers to discover sensitive permission configurations without requiring cluster-wide policy creation rights, a capability not available by default but exploitable when granted.

Authentication Bypass Privilege Escalation Information Disclosure Kubernetes
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42609 PHP HIGH PATCH GHSA This Week

Grav CMS Admin Panel allows authenticated users with only user-creation permissions to overwrite administrator accounts by submitting the admin's username when creating a new user. The flawed create-or-update logic replaces the existing super-admin account metadata with attacker-supplied low-privilege data, locking the legitimate administrator out and causing complete loss of management control. Vendor-released patch: fixed in 2.0.0-beta.2 (commit d904efc33). Publicly available exploit code exists (video PoC published by Grav maintainers). EPSS data not provided, but the low attack complexity and confirmed PoC make exploitation straightforward for any low-privileged user with create-user rights.

Denial Of Service Privilege Escalation PHP
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42613 PHP CRITICAL PATCH GHSA Act Now

Unauthenticated privilege escalation in Grav CMS Login plugin 3.8.0 allows remote attackers to self-register with admin.super privileges via missing server-side validation of groups and access fields. When administrators configure user registration with groups or access in allowed fields (a permitted UI action), attackers inject these fields into registration POST requests to bypass config-level defaults and gain full administrative access. Vendor-released patch: Login plugin 3.8.2 / Grav 2.0.0-beta.2 (commit 3d419a0). No public exploit identified at time of analysis, but the GitHub security advisory includes detailed proof-of-concept code demonstrating the attack.

Privilege Escalation PHP
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-42842 PHP MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Grav CMS Form plugin allows editor-level users to inject arbitrary JavaScript via taxonomy tag and category values that execute in administrator browsers when viewing any page in the admin panel. The vulnerability exploits unescaped Twig `|raw` filters in the select field template combined with a bypassable XSS detection regex, enabling privilege escalation through nonce theft and unauthorized admin actions. Vendor-released patch available in grav-plugin-form 9.0.1 and Grav core 2.0.0-beta.2.

XSS PHP Privilege Escalation
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-42843 PHP HIGH PATCH GHSA This Week

Privilege escalation in Grav API Plugin (versions < 1.0.0-beta.15) allows any authenticated user with basic 'api.access' permission to elevate themselves to Super Administrator by sending a crafted PATCH request to modify their own permission configuration. The vulnerability, confirmed by vendor GitHub Security Advisory GHSA-r945-h4vm-h736, stems from inadequate authorization checks in the UsersController::update method, which permits self-editing users to overwrite the 'access' field containing role definitions. Successful exploitation grants complete CMS control including the ability to edit Twig templates outside sandbox restrictions for remote code execution. A detailed proof-of-concept is publicly available, and vendor-released patch is confirmed in version 1.0.0-beta.15.

Authentication Bypass Privilege Escalation PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-42266 PyPI HIGH PATCH GHSA This Week

Privilege escalation in JupyterLab 4.0.0 through 4.5.6 allows authenticated users to bypass extension allow-list controls and install arbitrary PyPI packages, enabling potential data exfiltration and lateral movement in multi-tenant deployments. The PyPI Extension Manager failed to enforce the `allowed_extensions_uris` configuration, permitting installation of packages outside the approved list. This vulnerability is particularly critical in shared educational environments (JupyterHub) and multi-tenant deployments where kernel/terminal access is restricted. Vendor-released patch available in JupyterLab v4.5.7. No public exploit identified at time of analysis, though exploitation requires only authenticated access with low complexity (CVSS AC:L).

Python Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-34459 HIGH PATCH This Week

Stack buffer overflow in Sandboxie-Plus SbieSvc proxy service enables SYSTEM privilege escalation from sandboxed processes, including Security Hardened Sandboxes. Attackers chain an information disclosure (returning up to 32KB uninitialized stack memory with ASLR/stack cookie bypass) with an unbounded memcpy overflow in the GetRawInputDeviceInfoSlave IPC handler. Intel CET shadow stacks block ROP exploitation but not the information leak itself. Vendor-released patch available in version 1.17.3. No public exploit identified at time of analysis, but attack complexity is rated high (AC:H) with low privilege requirements (PR:L), making this viable for motivated attackers targeting sandbox environments.

Stack Overflow Microsoft Buffer Overflow Privilege Escalation Intel
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-34458 CRITICAL PATCH Act Now

INI injection in Sandboxie-Plus versions 1.17.2 and earlier enables any local low-privilege user to bypass EditAdminOnly and ConfigPassword protections, inject malicious directives into the global Sandboxie.ini file, create unrestricted sandbox sections, and escalate to SYSTEM privileges. The background service fails to authorize IPC messages for UserSettings_* sections and does not sanitize CRLF characters in MSGID_SBIE_INI_ADD_SETTING and MSGID_SBIE_INI_SET_SETTING parameters, allowing section header injection. Fixed in version 1.17.3 released by the vendor. No CISA KEV listing or public exploit identified at time of analysis, but technical details in GitHub advisory provide sufficient information for exploit development.

Privilege Escalation Microsoft
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-43874 PHP HIGH PATCH GHSA This Week

Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.

PHP CSRF Python XSS RCE +2
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-27960 PyPI CRITICAL PATCH Act Now

Unauthenticated attackers can escalate privileges in OpenCTI 6.6.0-6.9.12 by impersonating any user account, including the default administrator, to query the threat intelligence platform's API without providing credentials. This authentication bypass (CWE-287) permits complete unauthorized access to cyber threat intelligence data with CVSS 9.8 critical severity. The vulnerability allows attackers to bypass all authentication controls and assume administrative privileges remotely with low attack complexity. Fixed in version 6.9.13 with workaround available via configuration change. No active exploitation (CISA KEV) or public POC confirmed at time of analysis, though EPSS data was not provided.

Authentication Bypass Privilege Escalation Opencti
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-7778 MEDIUM PATCH This Month

Cross-organization dashboard configuration disclosure in runZero Platform allows authenticated users to view sensitive dashboard configurations outside their authorized organization scope via network requests. The vulnerability stems from improper privilege management (CWE-269) and affects versions prior to v4.0.260416.0, enabling authenticated attackers with low privileges to escalate access and view confidential configuration data across organizational boundaries.

Privilege Escalation Platform
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-43568 npm HIGH PATCH This Week

OpenClaw npm package versions 2026.4.5 through 2026.4.9 allow privilege escalation from write-scoped operators to administrator-level configuration access. Authenticated attackers with 'operator.write' gateway credentials can modify persistent memory dreaming settings via the /dreaming endpoint, bypassing intended admin-only restrictions. Vendor-released patch available (v2026.4.10); no active exploitation confirmed at time of analysis.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-43566 npm CRITICAL PATCH Act Now

Privilege escalation in OpenClaw npm package versions 2026.4.7 through 2026.4.13 allows remote unauthenticated attackers to preserve elevated execution context by sending malicious webhook wake events. The heartbeat owner downgrade logic incorrectly skips validation of untrusted webhook payloads, enabling attackers to maintain owner-like privileges during runs that should operate with reduced permissions. Vendor-released patch available in version 2026.4.14. EPSS data not available; no public exploit identified at time of analysis, though VulnCheck and security researchers from KeenSecurityLab have confirmed the vulnerability through coordinated disclosure.

Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
9.1
EPSS
0.1%
CVE-2026-43534 npm CRITICAL PATCH Act Now

Remote unauthenticated trust boundary violation in OpenClaw npm package before 2026.4.10 allows attackers to escalate untrusted external hook input into trusted system events. By supplying malicious hook metadata, adversaries can inject arbitrary content into the agent context with elevated privileges, bypassing security boundaries intended to isolate external input from system-level operations. Vendor-released patch available (version 2026.4.10+), with no evidence of active exploitation or public exploit code at time of analysis.

Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-13618 CRITICAL Act Now

Privilege escalation in Mentoring theme for WordPress (all versions ≤1.2.8) allows unauthenticated remote attackers to create administrator accounts via broken registration role validation in mentoring_process_registration(). The flaw bypasses normal WordPress role restrictions, enabling complete site takeover without requiring any authentication or user interaction. CVSS 9.8 (critical) with network attack vector and no complexity barriers. EPSS and KEV data not provided, but the combination of unauthenticated admin account creation represents an imminent site compromise risk for all installations with registration enabled.

Privilege Escalation WordPress
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-7791 HIGH NEWS This Week

Local privilege escalation in Amazon WorkSpaces for Windows versions before 2.6.2034.0 enables authenticated low-privileged users to write arbitrary files to protected system locations, achieving SYSTEM-level access. The vulnerability exploits a race condition (CWE-367) in the Skylight Workspace Config Service's log rotation mechanism. No public exploit or active exploitation confirmed at time of analysis, but local access requirement limits attack surface to compromised user accounts or insider threats.

Privilege Escalation Microsoft
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-42312 PyPI MEDIUM PATCH GHSA This Month

Non-admin users holding the SETTINGS permission in pyload-ng can disable TLS peer and hostname verification by setting general.ssl_verify=off via the set_config_value() API, enabling man-in-the-middle attacks on all outbound HTTPS requests including downloads, captcha fetches, and plugin calls. This is an incomplete fix for a series of prior allowlist bypasses (CVE-2026-33509, CVE-2026-35463, CVE-2026-35464, CVE-2026-35586) in which security-sensitive configuration options were omitted from the ADMIN_ONLY_CORE_OPTIONS allowlist.

Python SSRF Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-42571 Go CRITICAL PATCH GHSA Act Now

Authenticated attackers can escalate privileges to administrator in Pelican Web User Interface versions 7.21 through 7.24 by manipulating database records before legitimate admin users log in. This vulnerability was discovered by a Claude coding agent on April 2, 2026, and affects servers with Server.UIAdminUsers or Server.AdminGroups configured where designated admins have not previously authenticated. No public exploit code exists, and Pelican Command Line reports no confirmed exploitation in OSDF-managed services. Vendor patches are available across all affected minor release series (>=v7.21.5, >=v7.22.3, >=v7.23.3, >=v7.24.2), with fix commit 7f73b9c3e677 addressing CWE-863 (Incorrect Authorization).

Authentication Bypass Privilege Escalation Denial Of Service Information Disclosure
NVD GitHub
CVSS 4.0
9.0
EPSS
0.0%
CVE-2026-42605 PHP HIGH PATCH GHSA This Week

Path traversal in AzuraCast's Flow.js media upload endpoint allows authenticated users with media management permissions to write arbitrary PHP files outside designated storage directories, achieving remote code execution. The vulnerability exists in versions ≤0.23.5 where the unsanitized `currentDirectory` parameter bypasses filename sanitization, and a `finally` block writes uploaded files before MIME validation completes. Only local filesystem storage (default configuration) is affected-remote S3/cloud backends are not vulnerable. Vendor-confirmed patch available in version 0.23.6. No public exploit or CISA KEV listing identified at time of analysis, but detailed proof-of-concept exists in GitHub advisory GHSA-vp2f-cqqp-478j demonstrating webshell upload to web root.

Privilege Escalation PHP RCE Path Traversal
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-41258 Maven CRITICAL PATCH GHSA Act Now

Server-side template injection in OpenMRS Core allows authenticated users with 'Manage Concepts' privilege to execute arbitrary Java code by injecting malicious Apache Velocity templates into concept reference range criteria fields. The vulnerability stems from unsafe VelocityEngine initialization without sandbox restrictions (no SecureUberspector), enabling unrestricted Java reflection. Exploitation persists across all facility users whenever observations are validated against the compromised concept, creating a persistent remote code execution vector. Fixed in versions 2.7.9 and 2.8.6 via migration from Velocity to sandboxed Spring Expression Language (SpEL) with SimpleEvaluationContext. No active exploitation confirmed (not in CISA KEV), but proof-of-concept details available from researcher advisory at machinespirits.com.

Apache Tomcat Java RCE Privilege Escalation +1
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-42088 LIB CRITICAL PATCH Act Now

Privilege escalation in OpenC3 COSMOS allows low-privileged authenticated users to bypass API authorization and perform administrative actions by executing crafted Python or Ruby scripts via the Script Runner widget. Attackers can directly access Redis database (exposing secrets and configuration settings) and the MinIO buckets service (containing logs, configs, and plugins) due to unrestricted container-to-container network access in the Docker deployment. Vendor-released patch available in version 7.0.0-rc3 and confirmed in 7.0.0 stable release. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. CVSS 9.6 (Critical) with scope change reflects the container escape-like privilege boundary violation.

Privilege Escalation Redis Python Docker
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-58074 HIGH This Week

Norton Secure VPN installed via Microsoft Store allows low-privilege Windows users to escalate to SYSTEM-level privileges by replacing files during the installation process, causing arbitrary file deletion. Cisco Talos discovered this TOCTOU (Time-of-Check Time-of-Use) race condition in the installer. No public exploit code or active exploitation confirmed at time of analysis, but the local attack vector with low complexity (CVSS AC:L) makes this highly exploitable once installation details are known.

Microsoft Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-24072 HIGH PATCH This Week

Local .htaccess authors can escalate privileges to read arbitrary files as the httpd daemon user in Apache HTTP Server 2.4.66 and earlier. The vulnerability requires low-privilege authenticated access to create or modify .htaccess files, but exploits misconfigured module interactions to bypass intended access controls. Apache has released version 2.4.67 to address this issue. SSVC assessment indicates no active exploitation and non-automatable attack vector, with EPSS data not yet available for this recent disclosure.

Privilege Escalation Apache Suse Red Hat Apache HTTP Server
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-20451 MEDIUM This Month

Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege escalation to full system compromise when an attacker already holds System privilege. The vulnerability requires no user interaction and affects 32 MediaTek chipset models. CISA SSVC framework rates technical impact as total; however, EPSS score of 0.02% suggests limited real-world exploitation despite the high CVSS score of 6.7, likely due to the requirement for pre-existing System privilege.

Privilege Escalation Buffer Overflow Memory Corruption Mediatek Chipset
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20448 MEDIUM This Month

Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission checks in geniezone allows attackers with System privilege to escalate their access without user interaction. CVSS 6.7 reflects high confidentiality, integrity, and availability impact, but EPSS score of 0.02% (4th percentile) and SSVC 'none' exploitation status indicate this vulnerability has not been observed in active, widespread exploitation despite the low barrier to exploitation from privileged context.

Privilege Escalation Mediatek Chipset
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20447 MEDIUM This Month

Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors to achieve total system compromise across multiple chipset models. The vulnerability requires prior System-level access and affects 17 MediaTek chipset variants (MT6899, MT8791T, MT8786, MT6789, MT8367, MT6768, MT8766, MT6993, MT6991, MT6877, MT8788E, MT8781, MT8768, MT6989, MT8910, MT8196, MT8793). No public exploit code identified at time of analysis; exploitation remains unconfirmed in active systems despite SSVC indicating total technical impact potential.

Privilege Escalation Information Disclosure Buffer Overflow Mediatek Chipset
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-42368 CRITICAL Act Now

Privilege escalation in GeoVision LPC2011/LPC2211 1.10 web interface allows authenticated remote attackers to execute privileged operations via crafted HTTP requests. The vulnerability enables scope change (S:C) indicating potential escape from restricted web interface contexts to underlying system privileges. CVSS 9.9 (Critical) with low attack complexity and no user interaction required, making this exploitable by any authenticated user through simple web requests. No public exploit identified at time of analysis.

Privilege Escalation Gv Lpc2011 Lpc2211
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-42367 MEDIUM This Month

Privilege escalation in GeoVision LPC2011/LPC2211 Web Interface allows authenticated attackers to leak stored credentials via specially crafted HTTP requests to the ssi.cgi endpoint. The vulnerability affects firmware version 1.10 and requires low-privilege user access but no additional user interaction, enabling unauthenticated credential disclosure on affected devices.

Privilege Escalation Gv Lpc2011 Lpc2211
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-7641 HIGH This Week

Authenticated privilege escalation in 'Import and export users and customers' WordPress plugin versions up to 2.0.8 allows Subscriber-level users to elevate privileges to Administrator on any subsite within a WordPress Multisite network. The vulnerability stems from an incomplete blocklist in save_extra_user_profile_fields() that restricts primary site capability meta keys (wp_capabilities) but fails to block multisite-prefixed equivalents (wp_2_capabilities, wp_3_capabilities, etc.). Exploitation requires that an administrator has previously imported a CSV with multisite-prefixed capability headers and enabled the 'Show fields in profile?' option. Patch released in changeset 3515646 per WordPress plugin repository. No EPSS or KEV data available, indicating no widespread exploitation detected at time of analysis.

Privilege Escalation WordPress PHP
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6963 HIGH This Week

Missing capability check in WP Mail Gateway plugin for WordPress (versions ≤1.8) allows authenticated attackers with Subscriber-level privileges to modify SMTP settings via the wmg_save_provider_config AJAX action, enabling mail redirection. Attackers exploit this by redirecting password reset emails to attacker-controlled servers, then using intercepted credentials to escalate privileges to Administrator. CVSS 8.8 (High) reflects the severe impact despite requiring initial low-level authentication. No active exploitation confirmed via CISA KEV, but Wordfence reporting indicates discovery by security researchers and likely inclusion in their threat intelligence feeds.

Authentication Bypass WordPress Privilege Escalation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-52347 HIGH This Week

Kernel memory access and privilege escalation in PassMark DirectIo64.sys driver affect BurnInTest 11.0 Build 1011, OSForensics 11.1 Build 1007, and PerformanceTest 11.1 Build 1004. Local authenticated attackers can send crafted IOCTL 0x8011E044 calls to the vulnerable driver to read arbitrary kernel memory and elevate privileges to SYSTEM level. Public exploit code is available in the researcher's GitHub repository. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation, though POC availability lowers the barrier for local attacks.

Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-37525 HIGH This Week

Local privilege escalation in Automotive Grade Linux (AGL) app-framework-binder (afb-daemon) through v19.90.0 allows authenticated users to execute arbitrary registered APIs with nullified credentials. The supervision Do command in src/afb-supervision.c explicitly zeroes request credentials before dispatching attacker-controlled API calls, causing authorization checks to fail open when encountering NULL credential contexts. This enables low-privileged users to bypass access controls and execute privileged operations. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis.

Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-2311 MEDIUM PATCH This Month

IBM i 7.2-7.6 contains an invalid authorization check in the Web Administration GUI that allows authenticated high-privilege users with administrator access to trigger privilege escalation, enabling user-controlled code execution with administrator privileges. The vulnerability requires high privileges and user interaction (CVSS:H for confidentiality, integrity, and availability), but is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no public exploit code has been identified as of the analysis date.

Authentication Bypass IBM Privilege Escalation
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6389 HIGH PATCH This Week

Privilege escalation in IBM Turbonomic prometurbo agent allows compromised service accounts to exfiltrate cluster-wide Kubernetes secrets and achieve full cluster takeover. Affects versions 8.16.0 through 8.17.6 deployed in Kubernetes environments. The operator grants excessive RBAC permissions enabling unrestricted read access to all secrets cluster-wide. CVSS 8.8 indicates high severity with scope change to container/cluster level. No active exploitation confirmed (not in CISA KEV), but the attack path from service account compromise to cluster admin is well-understood in Kubernetes threat models.

Privilege Escalation IBM
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5174 HIGH PATCH This Week

Improper input validation in Progress MOVEit Automation enables authenticated low-privilege attackers to escalate privileges and cause high-impact denial of service across container boundaries. Affecting all versions prior to 2025.1.5, 2025.0.9, and 2024.1.8, this network-accessible vulnerability with low attack complexity allows attackers to disrupt availability system-wide. Progress issued a Critical Security Alert Bulletin addressing this issue alongside CVE-2026-4670 in their April 2026 advisory. No public exploit identified at time of analysis, but the straightforward attack path (AV:N/AC:L/PR:L) and Changed scope indicate significant real-world risk for organizations running unpatched instances.

Privilege Escalation Moveit Automation
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-42235 npm HIGH PATCH GHSA This Week

Cross-site scripting (XSS) in n8n's MCP OAuth client registration allows remote attackers to execute arbitrary JavaScript in authenticated user sessions. Unauthenticated attackers can inject malicious scripts via the client_name parameter during OAuth client registration, which executes when a second user revokes the OAuth consent, triggering a vulnerable toast notification. Successful exploitation enables session token theft, workflow manipulation, and privilege escalation. CVSS 8.2 (High) reflects the changed scope and complex attack chain requiring victim interaction across multiple user sessions. No public exploit or CISA KEV listing identified at time of analysis, but exploit development is straightforward given the clear attack vector.

Privilege Escalation
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-30769 HIGH This Week

Local privilege escalation in EnTech Taiwan TVicPort v4.0 (driver v5.2.1.0) allows authenticated low-privileged users to gain SYSTEM privileges via crafted IOCTL 0x80002008 requests to the TVicPort64.sys kernel driver. The vulnerability stems from improper input validation (CWE-20) in IOCTL handling. Publicly available exploit code exists (GitHub gist), enabling straightforward elevation of privileges on systems with the driver installed. SSVC assessment indicates total technical impact with no active exploitation reported, though the low attack complexity and available POC present significant risk to environments using this I/O port access driver.

Privilege Escalation Tvicport
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-5141 HIGH PATCH This Week

Improper Privilege Management, Improper Access Control, Incorrect privilege assignment vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Hijacking a privileged process. This issue affects Pardus Software Center: before 1.0.3.

Privilege Escalation Pardus Software Center
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41220 HIGH PATCH This Week

Local privilege escalation due to improper input validation. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212, Acronis Cyber Protect Cloud Agent (Windows) before build 42183.

Buffer Overflow Memory Corruption Microsoft Privilege Escalation
NVD VulDB
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-41952 HIGH PATCH This Week

Local privilege escalation due to improper input validation. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212, Acronis Cyber Protect Cloud Agent (Windows) before build 42183.

Microsoft Privilege Escalation
NVD VulDB
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-25852 MEDIUM PATCH This Month

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212.

Microsoft Privilege Escalation
NVD
CVSS 3.0
6.7
EPSS
0.0%
CVE-2026-42432 npm HIGH PATCH GHSA This Week

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-42429 npm MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.1%
CVE-2026-41404 npm HIGH PATCH GHSA This Week

Privilege escalation in OpenClaw's trusted-proxy authentication mode allows low-privileged authenticated users to gain operator.admin privileges by declaring operator scopes on non-Control-UI clients. The incomplete scope-clearing mechanism fails to sanitize self-declared scopes when identity-bearing authentication paths process requests, enabling attackers to bypass authorization checks and achieve full administrative access. Vendor patch available via commit 8b88b927 in version 2026.3.31; no confirmed active exploitation (not in CISA KEV) but publicly disclosed with detailed GitHub security advisory increasing attack feasibility.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-41386 npm CRITICAL PATCH GHSA Act Now

Privilege escalation in OpenClaw allows remote unauthenticated attackers to elevate privileges beyond intended device roles during first-use pairing. The vulnerability stems from bootstrap setup codes lacking proper binding to device roles and scopes, enabling attackers to exploit the pairing process with low complexity and no user interaction. VulnCheck reported this issue, and a vendor patch is available as of 2026.3.22. While no active exploitation has been confirmed (not in CISA KEV), the network attack vector (AV:N) and absence of authentication requirements (PR:N) create significant exposure for organizations deploying new OpenClaw instances.

Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
9.1
EPSS
0.0%
CVE-2026-41379 npm HIGH PATCH This Week

Privilege escalation in OpenClaw versions prior to 2026.3.28 enables authenticated operators with write permissions to modify administrator-only voice configuration settings through the chat.send endpoint. This vulnerability allows low-privileged operator accounts to manipulate sensitive Talk Voice configuration persistence, bypassing intended role-based access controls. A vendor-released patch is available via commit e34694733fc64931ed4a543c73d84ad3435d5df1. EPSS data unavailable; no CISA KEV listing or public exploit code identified at time of analysis, though the targeted nature (authenticated internal operators) suggests lower mass-exploitation risk than the CVSS 7.1 score might imply.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41378 npm HIGH PATCH GHSA This Week

Remote code execution in OpenClaw gateway versions before 2026.3.31 allows attackers with trusted paired node credentials (role=node) to escalate privileges and execute arbitrary code on the gateway by abusing unrestricted agent.request dispatch functionality. The vulnerability stems from insufficient access controls on node.event agent requests, enabling low-privilege paired nodes to invoke gateway-side tools without restriction. EPSS exploitation probability and KEV status not yet available for this recently disclosed vulnerability, but a vendor patch and exploit details are publicly documented.

Authentication Bypass Privilege Escalation RCE Openclaw
NVD GitHub
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-24178 PyPI CRITICAL PATCH GHSA Act Now

Authentication bypass in NVIDIA NVFlare Dashboard allows remote unauthenticated attackers to escalate privileges through user-controlled key manipulation in the authentication system. The vulnerability affects the NVIDIA Flare SDK and enables complete system compromise including arbitrary code execution, data tampering, information disclosure, and denial of service. With a CVSS score of 9.8 (critical severity) and maximum exploitability metrics (AV:N/AC:L/PR:N/UI:N), this represents a severe security flaw requiring immediate remediation, though no active exploitation (KEV) or public exploit code has been identified at time of analysis.

RCE Authentication Bypass Nvidia Information Disclosure Privilege Escalation +1
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-40968 Maven MEDIUM PATCH This Month

Spring gRPC 1.0.0 through 1.0.2 inherits authenticated user identity on gRPC worker threads after access denial, allowing a subsequent unauthenticated request on the same thread to gain escalated permissions. The vulnerability requires an authenticated attacker with prior knowledge of thread reuse patterns and affects only configurations where both authenticated and unauthenticated requests share gRPC worker threads. A patch is available in version 1.0.3.

Java Privilege Escalation
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-40550 MEDIUM Monitor

mpGabinet 23.12.19 and earlier suffers from privilege escalation due to excessive database privileges assigned to the application service account. An attacker with local access to extract database credentials from the application process memory gains administrative database access, enabling unauthorized actions beyond what the application interface permits. CVSS 6.9 indicates high confidentiality impact from local access without authentication; no active exploitation confirmed in CISA KEV at time of analysis.

Privilege Escalation Mpgabinet
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-41371 npm HIGH PATCH This Week

Privilege escalation in OpenClaw chat.send API allows low-privileged gateway callers with write scope to execute admin-only session management operations. Attackers can forcibly reset user sessions, rotate session IDs, and archive chat transcripts without admin authorization by exploiting broken access control in the chat messaging path. This enables session hijacking and data manipulation attacks against legitimate users. Reported by VulnCheck disclosure team with vendor security advisory published; no public exploit or active exploitation confirmed at time of analysis.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-6741 HIGH This Week

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.

WordPress Privilege Escalation Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-25908 MEDIUM PATCH This Month

Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain an Execution with Unnecessary Privileges vulnerability in the AWCC. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.

Privilege Escalation Dell
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-6970 Go HIGH POC PATCH GHSA This Week

authd prior to version 0.6.4 contains a logic error in primary group ID assignment that can lead to local privilege escalation. When a user's primary group ID (GID) differs from their UID, either because the account was created with authd prior to version 0.5.4 or because the primary group was manually changed via the `authctl group set-gid` command, and the user's identity provider record is updated, authd incorrectly resets the user's primary group ID to their UID upon next login. This causes newly created files and directories to be owned by the wrong group, causing denial of service issues, and potentially granting unintended access to other local users and allowing local privilege escalation.

Privilege Escalation Denial Of Service Authd
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-41464 HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.

PHP Information Disclosure Authentication Bypass Privilege Escalation
NVD
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-6265 HIGH This Week

Insecure preserved inherited permissions vulnerability in Cerberus FTP Server on Windows allows Privilege Escalation.This issue has been resolved in Cerberus FTP Server: 2026.1

Microsoft Privilege Escalation
NVD
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-25710 HIGH This Week

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/27. positories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new Follow @Openwall on Twitter for new release announcements and other news [<prev day] [month] [year] [list] oss-security mailing list - 2026/04/27 plasma-login-manager: Weaknesses in plasmaloginauthhelper (CVE-2026-25710) (Matthias Gerstner <mgerstner@...e.de>) 1 message Powered by blists - more mailing lists Please check out the Open Source Software Security Wiki , which is counterpart to this mailing list . Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guide

Privilege Escalation Suse
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-22337 CRITICAL PATCH Act Now

Remote unauthenticated attackers can escalate privileges to administrator level in Directorist Social Login WordPress plugin versions prior to 2.1.4 through incorrect privilege assignment during social authentication flows. Exploitation requires no authentication or user interaction, enabling complete site takeover via social login mechanisms. CVSS 9.8 (Critical) reflects network-based attack vector with no complexity barriers. No public exploit code or CISA KEV listing identified at time of analysis, but Patchstack reporting suggests vulnerability may be under researcher scrutiny.

Privilege Escalation Directorist Social Login
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-7106 HIGH This Week

Authenticated attackers with Subscriber-level privileges can escalate to Administrator role in Highland Software Custom Role Manager for WordPress via profile update exploitation. The hscrm_save_user_roles() function lacks capability checks on the personal_options_update hook, allowing low-privilege users to modify arbitrary user roles including their own. Version 1.0.1 released with authorization fixes. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. EPSS data not provided, no CISA KEV listing identified, indicating limited widespread exploitation despite the severity of self-service privilege escalation to site administrator.

WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-69689 HIGH This Week

The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog. The dialog processes user-supplied paths with elevated permissions, which can be exploited by a local attacker to perform actions with administrator-level privileges.

Privilege Escalation
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41163 HIGH PATCH This Week

Privilege escalation in bubblewrap 0.11.x when installed setuid root allows local attackers to escape sandbox isolation via ptrace attachment during low-privileged setup phases. The vendor confirmed active exploitation risk by releasing emergency v0.11.2 patch and immediately deprecating setuid mode entirely. CVSS 8.7 severity reflects high integrity impact from sandbox breakout, though exploitation requires local access to a setuid-configured bubblewrap binary (non-default in most distributions).

Privilege Escalation
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-42044 npm CRITICAL POC PATCH GHSA Act Now

JSON response tampering in the Axios HTTP client (versions 1.0.0 up to but not including 1.15.2) lets an attacker who can already pollute Object.prototype in a Node.js or browser application escalate that primitive into surgical, invisible rewriting of every parsed JSON API response, enabling privilege escalation, balance manipulation, and authorization bypass. The default transformResponse passes a prototype-inherited parseReviver to JSON.parse, so a planted Object.prototype.parseReviver runs against every key-value pair of every response. Publicly available exploit code exists (a PoC gist), though EPSS is very low (0.03%, 8th percentile) and the issue is not in CISA KEV.

Node.js Privilege Escalation Axios
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-6912 HIGH PATCH This Week

Authenticated users with low privileges can escalate to deployment admin in AWS Ops Wheel (pre-PR #165) by manipulating the custom:deployment_admin attribute through crafted UpdateUserAttributes API calls to Cognito User Pool. This privilege escalation allows full control over Cognito user account management and deployment administration. Upstream fix available via GitHub PR #165; AWS security bulletin AMZN-2026-018 confirms patch availability. No active exploitation confirmed (not in CISA KEV), but CVSS 8.7 reflects critical impact across confidentiality, integrity, and availability.

Privilege Escalation Aws Ops Wheel
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-41068 Go HIGH PATCH GHSA This Week

Cross-namespace privilege escalation in Kyverno 1.17.x allows authenticated namespace administrators to bypass RBAC controls and read ConfigMaps from any Kubernetes namespace. The vulnerability exploits unvalidated `configMap.namespace` field in Kyverno's ConfigMap context loader, enabling attackers to leverage Kyverno's privileged service account permissions. This is a regression following incomplete fix for CVE-2026-22039, which addressed the same issue in `apiCall` context but missed the ConfigMap loader. Patch available in version 1.17.2. CVSS 7.7 with Changed Scope indicates significant multi-tenant cluster risk; EPSS data not available but the regression nature and RBAC bypass impact warrant immediate patching in multi-tenant environments.

Kubernetes Authentication Bypass Privilege Escalation Suse
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-41359 npm HIGH PATCH GHSA This Week

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.

Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41344 npm MEDIUM PATCH This Month

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or tool output intended to be restricted to administrators.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-40099 PHP MEDIUM PATCH GHSA This Month

### TL;DR This vulnerability affects all Kirby sites where users have the permission to create pages (`pages.create` permission is enabled) but not the permission to change the status of pages (`pages.changeStatus` permission is disabled). This can be due to configuration in the user blueprint(s), via `options` in the page blueprint(s) or via a combination of both settings. Users' Kirby sites are *not* affected if their use case does not consider the creation of published pages a malicious action. The vulnerability can only be exploited by authenticated users. ---- ### Introduction An authorization bypass allows authenticated users to perform actions they should not be allowed to perform based on their configured permissions, thereby causing a privilege escalation. The effects of an authorization bypass can include unauthorized access to sensitive information as well as unauthorized changes to content or system information. ### Impact Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). In affected releases, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However the REST API allows to override the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. ### Patches The problem has been patched in [Kirby 4.9.0](https://github.com/getkirby/kirby/releases/tag/4.9.0) and [Kirby 5.4.0](https://github.com/getkirby/kirby/releases/tag/5.4.0). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability. In all of the mentioned releases, Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts. ### Credits Kirby thanks @offset for responsibly reporting the identified issue.

Authentication Bypass Privilege Escalation
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-33318 npm HIGH PATCH GHSA This Week

### Summary Any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /account/change-password` has no authorization check, allowing any session to overwrite the password hash; the inactive password `auth` row is never removed on migration; and the login endpoint accepts a client-supplied `loginMethod` that bypasses the server's active auth configuration. Together these allow an attacker to set a known password and authenticate as the anonymous admin account created during the multiuser migration. --- ### Details **`packages/sync-server/src/app-account.js:120-132`** - the `/account/change-password` route validates only that a session exists. No admin role check is performed ```js app.post('/change-password', (req, res) => { const session = validateSession(req, res); // only checks token validity if (!session) return; const { error } = changePassword(req.body.password); // no isAdmin() check ``` **`packages/sync-server/src/accounts/password.js:113-125`** - `changePassword()` updates the hash with no current-password confirmation: ```js export function changePassword(newPassword) { accountDb.mutate("UPDATE auth SET extra_data = ? WHERE method = 'password'", [hashed]); } ``` **`packages/sync-server/src/accounts/password.js:56-62`** - `loginWithPassword()` always authenticates as the user with `user_name = ''`, which is created by the multiuser migration with `role = 'ADMIN'`: ```js const sessionRow = accountDb.first( 'SELECT * FROM sessions WHERE auth_method = ?', ['password'] ); ``` **`packages/sync-server/src/account-db.js:56-63`** - a client can force the `password` login method regardless of server configuration by sending `loginMethod` in the request body: ```js if (req.body.loginMethod && config.get('allowedLoginMethods').includes(req.body.loginMethod)) { return req.body.loginMethod; } ``` When a server is migrated from password → OpenID via `enableOpenID()`, the password row is set to `active = 0` but **never deleted**, leaving it available for exploitation. --- ### PoC **Prerequisites:** Server originally bootstrapped with password auth, then switched to OpenID. Default `allowedLoginMethods` configuration (includes `password`). Attacker has any valid OpenID session token (any role). ```bash # Step 1 - overwrite the password hash using a BASIC-role session curl -s -X POST https://<host>/account/change-password \ -H "Content-Type: application/json" \ -H "X-Actual-Token: <any_valid_session_token>" \ -d '{"password": "attacker123"}' # → {"status":"ok","data":{}} # Step 2 - log in via password method to obtain an ADMIN session curl -s -X POST https://<host>/account/login \ -H "Content-Type: application/json" \ -d '{"loginMethod": "password", "password": "attacker123"}' # → {"status":"ok","data":{"token":"<admin_token>"}} ``` The returned token belongs to the `user_name = ''` admin account (created by `1719409568000-multiuser.js`). Verify admin access: ```bash curl -s https://<host>/account/validate \ -H "X-Actual-Token: <admin_token>" # → {"status":"ok","data":{"permission":"ADMIN", ...}} ``` --- ### Impact **Privilege escalation** - any authenticated user can gain full `ADMIN` access on affected deployments. An ADMIN can manage all users, access all budget files regardless of ownership, modify file access controls, and change server configuration. Affected deployments: multi-user servers running OpenID Connect that were previously configured with password authentication. Servers bootstrapped exclusively with OpenID from initial setup are not affected (no password row exists in the `auth` table). --- ### Recommendations **1. Restrict `POST /account/change-password` to password-authenticated sessions only** (`packages/sync-server/src/app-account.js`) The endpoint should reject requests from sessions that were authenticated via OpenID. The active auth method can be checked against the session's `auth_method` field or by querying the `auth` table for the currently active method. If the server is running in OpenID mode, this endpoint should return `403 Forbidden`. **2. Require current-password confirmation before accepting a new password** (`packages/sync-server/src/accounts/password.js`) `changePassword()` should accept the current password as a parameter and verify it against the stored hash before applying the update. This prevents any session (even a legitimate password session) from silently overwriting the credential without proving possession of the existing one. **3. Enforce `active` status and remove client control over login method selection** (`packages/sync-server/src/account-db.js` - `getLoginMethod()`) Two issues exist in `getLoginMethod()`: (a) a client can supply `loginMethod` in the request body to select any method listed in `allowedLoginMethods`, regardless of whether it is currently active on the server; (b) the function does not check the `active` column, so an administratively disabled method (e.g. `password` after migrating to OpenID) remains accessible. The fix is to determine the permitted method server-side from `WHERE active = 1` in the `auth` table and ignore any client-supplied `loginMethod` override entirely. Servers intentionally running both methods simultaneously can be supported by allowing multiple `active = 1` rows rather than relying on client input. **4. Immediate mitigation for existing deployments (OpenID-only servers)** Administrators who have fully migrated to OpenID and do not need password auth can remove the orphaned row: ```sql DELETE FROM auth WHERE method = 'password'; ``` #### The three weaknesses form a single, sequential exploit chain - none produces privilege escalation on its own: Missing authorization on POST /change-password - allows overwriting a password hash, but only matters if there is an orphaned row to target. Orphaned password row persisting after migration - provides the target row, but is harmless without the ability to authenticate using it. Client-controlled loginMethod: "password" - allows forcing password-based auth, but is useless without a known hash established by step 1. All three must be chained in sequence to achieve the impact. No single weakness independently results in privilege escalation, which under CVE CNA rule 4.1.2 means they should not each be treated as standalone vulnerabilities. The single root cause is the missing authorization check on /change-password; the other two are preconditions that make it exploitable. A single CVE reflecting that root cause is the appropriate representation - splitting them would falsely imply each carries independent risk.

Authentication Bypass Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in FacturaScripts product search modal allows authenticated warehouse users to inject malicious JavaScript via product reference field, which executes in the browser of any user opening the search modal in sales or purchase documents. An attacker with warehouse write access can escalate privileges by executing arbitrary authenticated requests in an administrator's session, including creation of new admin accounts, without requiring the admin's password. The vulnerability exploits improper output encoding combined with HTML parser re-interpretation during innerHTML assignment.

XSS PHP Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM This Month

DLL hijacking in ZTE Cloud PC client uSmartView allows unauthenticated local attackers to achieve arbitrary code execution and privilege escalation by planting a malicious DLL that is loaded by uSmartViewServiceAgent.exe running with SYSTEM privileges. The vulnerability requires local access but no authentication and affects multiple ZXCloud IRAI product versions. No public exploit code or active exploitation has been confirmed at this time.

Zte Privilege Escalation RCE +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

ZTE Cloud PC client uSmartview contains an OpenSSL configuration file privilege escalation vulnerability (CVE-2026-40004) that allows authenticated local attackers with user-level privileges to execute arbitrary code and escalate to higher privilege levels through a malicious openssl.cnf file. This requires physical access or local system access combined with user interaction, and affects ZTE's virtualized desktop infrastructure product. The CVSS score of 5.5 reflects the physical attack vector and additional user interaction requirement, despite the severity of code execution and cross-system scope impact.

Zte Privilege Escalation RCE +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in Flight PHP framework's SimplePdo database helpers allows privilege escalation through crafted array keys. Applications forwarding user-controlled request data shapes to insert(), update(), or delete() methods enable remote authenticated attackers to inject arbitrary SQL, create administrative accounts, modify sensitive columns, or exfiltrate data. Vendor-released patch in version 3.18.1 validates identifiers with safe-identifier regex. Publicly available proof-of-concept demonstrates privilege escalation via malicious JSON request keys. Researcher @Rootingg discovered and reported through GitHub Security Advisory GHSA-xwqr-rcqg-22mr.

Privilege Escalation PHP SQLi
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in Grav CMS 2.0.0-beta.2 allows authenticated API users with minimal media.write permissions to fabricate super-admin accounts via arbitrary YAML file upload. The /api/v1/blueprint-upload endpoint accepts attacker-controlled destination and scope parameters that, when combined with specific values (destination=self@: and scope=users/anything), write files directly into user/accounts/. Because Grav parses YAML files in this directory as authoritative user accounts and accepts plaintext passwords on first login, attackers craft a new account with api.super privileges, then authenticate as that account to gain full administrative control. Publicly available exploit code exists (detailed PoC in vendor advisory). Vendor-released patch restricts accounts directory uploads to image-only extensions and blocks config-bearing file types (YAML, JSON, Twig) across all blueprint-upload targets.

Privilege Escalation PHP RCE
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Privilege escalation in OpenClaw 2026.3.31 through 2026.4.9 allows remote unauthenticated attackers to maintain elevated execution context by injecting malicious async completion events that bypass heartbeat owner-downgrade detection. The flaw stems from incomplete pattern matching in local background exec completion filtering, enabling attackers to submit untrusted completion content that prevents proper privilege de-escalation after operations complete. Vendor-released patch available in version 2026.4.10 and later. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis, but CVSS 9.1 critical rating reflects network-accessible attack surface with no authentication required.

Privilege Escalation Openclaw
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

LDAP filter injection in Netflix Lemur certificate management platform allows authenticated users with valid LDAP credentials to escalate privileges to administrator by injecting metacharacters into the username field during login. Attackers manipulate group membership queries to gain unauthorized admin roles, enabling access to all certificates, private keys via /certificates/<id>/key endpoint, and CA configurations. Vendor-released patch confirmed in version 1.9.0 (GitHub advisory GHSA-3r34-vq8m-39gh). CVSS 8.1 indicates high confidentiality and integrity impact with low attack complexity from network-authenticated attackers. No public exploit code identified at time of analysis, though detailed reproduction steps exist in the advisory.

Authentication Bypass Python Privilege Escalation +2
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

XML external entity injection in Vvveb CMS versions before 1.0.8.2 allows authenticated site_admin users to read arbitrary server files and overwrite administrator password hashes via the admin Tools/Import feature. The vulnerability resides in system/import/xml.php where LIBXML_NOENT flag enabled external entity resolution, allowing injection of file:// and php://filter protocols. Attackers with low-privilege admin accounts can escalate to full administrator access by replacing password hashes in the database. Vendor-released patch version 1.0.8.2 removes LIBXML_NOENT flag. No active exploitation confirmed by CISA KEV at time of analysis.

XXE Privilege Escalation PHP
NVD GitHub
EPSS 0% CVSS 8.3
HIGH This Week

HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Information Disclosure Bigfix Service Management Sm
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Google Chrome's Cast component (versions prior to 148.0.7778.96) allows remote attackers to elevate from renderer to higher-privilege browser process via specially crafted HTML page after initial renderer compromise. Despite 7.5 CVSS score, Chromium security team rates this as Low severity, indicating limited real-world impact. Vendor patch released in version 148.0.7778.96. No public exploit identified at time of analysis.

Privilege Escalation Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome's macOS Updater component allows attackers to gain OS-level administrative privileges through malicious files. The flaw affects Chrome versions prior to 148.0.7778.96 on macOS and requires user interaction to exploit. Google has released Chrome 148.0.7778.96 to address this vulnerability. Despite the 7.8 CVSS score, Google rates this as Low severity, reflecting the local attack vector and user interaction requirement that significantly constrain real-world exploitation scenarios.

Privilege Escalation Google Red Hat +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome Chromoting (prior to 148.0.7778.96) on Windows allows attackers to gain elevated OS-level privileges by tricking users into opening a malicious file. While CVSS scores this as high severity (7.8), real-world risk is tempered by local access and required user interaction (CVSS: AV:L/UI:R). Vendor patch available in version 148.0.7778.96 released May 2026. No active exploitation (CISA KEV) or public exploit code identified at time of analysis.

Privilege Escalation Microsoft Google +3
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome's Windows updater component allows unprivileged users to gain SYSTEM-level access by exploiting insufficient input validation when the updater processes a specially crafted malicious file. Affects all Chrome versions on Windows prior to 148.0.7778.96. Google has released a patched version (148.0.7778.96). No active exploitation confirmed by CISA KEV at time of analysis, though the local attack vector and medium severity rating suggest potential for targeted attacks in enterprise environments where Chrome auto-update may be delayed.

Privilege Escalation Microsoft Google +3
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

OS-level privilege escalation in Google Chrome for macOS allows remote attackers to gain elevated system privileges through malicious network traffic exploiting the Companion component. Affects all Chrome versions prior to 148.0.7778.96 on Mac. Vendor-released patch available (Chrome 148.0.7778.96). No public exploit or active exploitation confirmed at time of analysis, though high-complexity network-based attack vector (CVSS AV:N/AC:H) suggests specialized exploitation requirements despite unauthenticated remote access.

Privilege Escalation Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Inappropriate implementation in Canvas in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Inappropriate implementation in ORB in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local privilege escalation in Google Chrome Chromoting (remote desktop component) allows authenticated Windows users to gain elevated system privileges through a race condition exploit triggered by a malicious file. Fixed in Chrome 148.0.7778.96. The vulnerability requires user interaction and high attack complexity (AC:H), limiting automated exploitation despite the 7.5 CVSS score. No public exploit identified at time of analysis, and not listed in CISA KEV.

Privilege Escalation Microsoft Race Condition +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Google Chrome versions prior to 148.0.7778.96 enables remote attackers to elevate privileges through malicious HTML pages exploiting improper cookie validation. The vulnerability requires user interaction (clicking a link or visiting a malicious site) but no authentication, making it viable for phishing or watering-hole attacks. CVSS score of 8.8 indicates high severity across confidentiality, integrity, and availability. Vendor-released patch available in Chrome 148.0.7778.96 per Google's stable channel update. EPSS and KEV data not provided; exploitation status unknown at time of analysis.

Privilege Escalation Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free memory corruption in Chrome Remote Desktop (Chromoting) on Windows enables local privilege escalation to SYSTEM via malicious file interaction. Attackers with local access can gain OS-level administrative control by inducing users to open specially crafted files processed by the Chromoting component. Patch available in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV), but the local attack vector with low complexity and high impact warrants immediate patching for Windows Chrome deployments, especially in multi-user environments where privilege boundaries are critical.

Denial Of Service Microsoft Use After Free +6
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome for Android prior to 148.0.7778.96 allows attackers to elevate privileges through malicious files exploiting insufficient policy enforcement in DevTools. The vulnerability requires user interaction to open a crafted file but grants no authentication requirement (PR:N) for the initial attack vector. Google released patch version 148.0.7778.96 addressing this high-severity flaw. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting exploitation remains theoretical or non-widespread.

Privilege Escalation Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 5.2
MEDIUM This Month

Local privilege escalation in ZTE PROCESS Guard Service allows authenticated local users to escalate privileges and achieve arbitrary code execution through improper access control enforcement, affecting the cloud computer client. The vulnerability requires local access and authenticated user context but operates across system boundaries, potentially compromising system integrity. No active exploitation has been confirmed at time of analysis, though the combination of privilege escalation and RCE capability makes this a moderate-priority local threat.

Privilege Escalation RCE Zte +1
NVD
EPSS 0% CVSS 3.0
LOW PATCH Monitor

The ciguard static analysis container image (versions 0.1.0-0.8.1) runs as root due to a missing USER directive in the Dockerfile, creating a privilege-escalation amplification risk for future container-runtime escape vulnerabilities. This is a defence-in-depth gap rather than a directly exploitable vulnerability; it reduces the impact of hypothetical escapes (such as runc CVE-2024-21626) from host-root compromise to non-root user compromise. Vendor-released patch in v0.8.2 adds a dedicated non-root ciguard user and USER directive, verified by container inspection and automated regression testing in v0.8.3.

Privilege Escalation Docker
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Kubewarden versions before 1.35.0 permit RBAC reconnaissance attacks when users with AdmissionPolicy or AdmissionPolicyGroup creation privileges craft policies using the unchecked `can_i` host capability. The vulnerability allows enumeration of any user or service account permissions across the cluster via SubjectAccessReview requests executed with policy-server privileges, despite the absence of context-aware resource grants. This information disclosure enables attackers to discover sensitive permission configurations without requiring cluster-wide policy creation rights, a capability not available by default but exploitable when granted.

Authentication Bypass Privilege Escalation Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Grav CMS Admin Panel allows authenticated users with only user-creation permissions to overwrite administrator accounts by submitting the admin's username when creating a new user. The flawed create-or-update logic replaces the existing super-admin account metadata with attacker-supplied low-privilege data, locking the legitimate administrator out and causing complete loss of management control. Vendor-released patch: fixed in 2.0.0-beta.2 (commit d904efc33). Publicly available exploit code exists (video PoC published by Grav maintainers). EPSS data not provided, but the low attack complexity and confirmed PoC make exploitation straightforward for any low-privileged user with create-user rights.

Denial Of Service Privilege Escalation PHP
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Unauthenticated privilege escalation in Grav CMS Login plugin 3.8.0 allows remote attackers to self-register with admin.super privileges via missing server-side validation of groups and access fields. When administrators configure user registration with groups or access in allowed fields (a permitted UI action), attackers inject these fields into registration POST requests to bypass config-level defaults and gain full administrative access. Vendor-released patch: Login plugin 3.8.2 / Grav 2.0.0-beta.2 (commit 3d419a0). No public exploit identified at time of analysis, but the GitHub security advisory includes detailed proof-of-concept code demonstrating the attack.

Privilege Escalation PHP
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in Grav CMS Form plugin allows editor-level users to inject arbitrary JavaScript via taxonomy tag and category values that execute in administrator browsers when viewing any page in the admin panel. The vulnerability exploits unescaped Twig `|raw` filters in the select field template combined with a bypassable XSS detection regex, enabling privilege escalation through nonce theft and unauthorized admin actions. Vendor-released patch available in grav-plugin-form 9.0.1 and Grav core 2.0.0-beta.2.

XSS PHP Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Grav API Plugin (versions < 1.0.0-beta.15) allows any authenticated user with basic 'api.access' permission to elevate themselves to Super Administrator by sending a crafted PATCH request to modify their own permission configuration. The vulnerability, confirmed by vendor GitHub Security Advisory GHSA-r945-h4vm-h736, stems from inadequate authorization checks in the UsersController::update method, which permits self-editing users to overwrite the 'access' field containing role definitions. Successful exploitation grants complete CMS control including the ability to edit Twig templates outside sandbox restrictions for remote code execution. A detailed proof-of-concept is publicly available, and vendor-released patch is confirmed in version 1.0.0-beta.15.

Authentication Bypass Privilege Escalation PHP
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in JupyterLab 4.0.0 through 4.5.6 allows authenticated users to bypass extension allow-list controls and install arbitrary PyPI packages, enabling potential data exfiltration and lateral movement in multi-tenant deployments. The PyPI Extension Manager failed to enforce the `allowed_extensions_uris` configuration, permitting installation of packages outside the approved list. This vulnerability is particularly critical in shared educational environments (JupyterHub) and multi-tenant deployments where kernel/terminal access is restricted. Vendor-released patch available in JupyterLab v4.5.7. No public exploit identified at time of analysis, though exploitation requires only authenticated access with low complexity (CVSS AC:L).

Python Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Stack buffer overflow in Sandboxie-Plus SbieSvc proxy service enables SYSTEM privilege escalation from sandboxed processes, including Security Hardened Sandboxes. Attackers chain an information disclosure (returning up to 32KB uninitialized stack memory with ASLR/stack cookie bypass) with an unbounded memcpy overflow in the GetRawInputDeviceInfoSlave IPC handler. Intel CET shadow stacks block ROP exploitation but not the information leak itself. Vendor-released patch available in version 1.17.3. No public exploit identified at time of analysis, but attack complexity is rated high (AC:H) with low privilege requirements (PR:L), making this viable for motivated attackers targeting sandbox environments.

Stack Overflow Microsoft Buffer Overflow +2
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

INI injection in Sandboxie-Plus versions 1.17.2 and earlier enables any local low-privilege user to bypass EditAdminOnly and ConfigPassword protections, inject malicious directives into the global Sandboxie.ini file, create unrestricted sandbox sections, and escalate to SYSTEM privileges. The background service fails to authorize IPC messages for UserSettings_* sections and does not sanitize CRLF characters in MSGID_SBIE_INI_ADD_SETTING and MSGID_SBIE_INI_SET_SETTING parameters, allowing section header injection. Fixed in version 1.17.3 released by the vendor. No CISA KEV listing or public exploit identified at time of analysis, but technical details in GitHub advisory provide sufficient information for exploit development.

Privilege Escalation Microsoft
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.

PHP CSRF Python +4
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated attackers can escalate privileges in OpenCTI 6.6.0-6.9.12 by impersonating any user account, including the default administrator, to query the threat intelligence platform's API without providing credentials. This authentication bypass (CWE-287) permits complete unauthorized access to cyber threat intelligence data with CVSS 9.8 critical severity. The vulnerability allows attackers to bypass all authentication controls and assume administrative privileges remotely with low attack complexity. Fixed in version 6.9.13 with workaround available via configuration change. No active exploitation (CISA KEV) or public POC confirmed at time of analysis, though EPSS data was not provided.

Authentication Bypass Privilege Escalation Opencti
NVD GitHub VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Cross-organization dashboard configuration disclosure in runZero Platform allows authenticated users to view sensitive dashboard configurations outside their authorized organization scope via network requests. The vulnerability stems from improper privilege management (CWE-269) and affects versions prior to v4.0.260416.0, enabling authenticated attackers with low privileges to escalate access and view confidential configuration data across organizational boundaries.

Privilege Escalation Platform
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw npm package versions 2026.4.5 through 2026.4.9 allow privilege escalation from write-scoped operators to administrator-level configuration access. Authenticated attackers with 'operator.write' gateway credentials can modify persistent memory dreaming settings via the /dreaming endpoint, bypassing intended admin-only restrictions. Vendor-released patch available (v2026.4.10); no active exploitation confirmed at time of analysis.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Privilege escalation in OpenClaw npm package versions 2026.4.7 through 2026.4.13 allows remote unauthenticated attackers to preserve elevated execution context by sending malicious webhook wake events. The heartbeat owner downgrade logic incorrectly skips validation of untrusted webhook payloads, enabling attackers to maintain owner-like privileges during runs that should operate with reduced permissions. Vendor-released patch available in version 2026.4.14. EPSS data not available; no public exploit identified at time of analysis, though VulnCheck and security researchers from KeenSecurityLab have confirmed the vulnerability through coordinated disclosure.

Privilege Escalation Openclaw
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Remote unauthenticated trust boundary violation in OpenClaw npm package before 2026.4.10 allows attackers to escalate untrusted external hook input into trusted system events. By supplying malicious hook metadata, adversaries can inject arbitrary content into the agent context with elevated privileges, bypassing security boundaries intended to isolate external input from system-level operations. Vendor-released patch available (version 2026.4.10+), with no evidence of active exploitation or public exploit code at time of analysis.

Privilege Escalation Openclaw
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in Mentoring theme for WordPress (all versions ≤1.2.8) allows unauthenticated remote attackers to create administrator accounts via broken registration role validation in mentoring_process_registration(). The flaw bypasses normal WordPress role restrictions, enabling complete site takeover without requiring any authentication or user interaction. CVSS 9.8 (critical) with network attack vector and no complexity barriers. EPSS and KEV data not provided, but the combination of unauthenticated admin account creation represents an imminent site compromise risk for all installations with registration enabled.

Privilege Escalation WordPress
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in Amazon WorkSpaces for Windows versions before 2.6.2034.0 enables authenticated low-privileged users to write arbitrary files to protected system locations, achieving SYSTEM-level access. The vulnerability exploits a race condition (CWE-367) in the Skylight Workspace Config Service's log rotation mechanism. No public exploit or active exploitation confirmed at time of analysis, but local access requirement limits attack surface to compromised user accounts or insider threats.

Privilege Escalation Microsoft
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Non-admin users holding the SETTINGS permission in pyload-ng can disable TLS peer and hostname verification by setting general.ssl_verify=off via the set_config_value() API, enabling man-in-the-middle attacks on all outbound HTTPS requests including downloads, captcha fetches, and plugin calls. This is an incomplete fix for a series of prior allowlist bypasses (CVE-2026-33509, CVE-2026-35463, CVE-2026-35464, CVE-2026-35586) in which security-sensitive configuration options were omitted from the ADMIN_ONLY_CORE_OPTIONS allowlist.

Python SSRF Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Authenticated attackers can escalate privileges to administrator in Pelican Web User Interface versions 7.21 through 7.24 by manipulating database records before legitimate admin users log in. This vulnerability was discovered by a Claude coding agent on April 2, 2026, and affects servers with Server.UIAdminUsers or Server.AdminGroups configured where designated admins have not previously authenticated. No public exploit code exists, and Pelican Command Line reports no confirmed exploitation in OSDF-managed services. Vendor patches are available across all affected minor release series (>=v7.21.5, >=v7.22.3, >=v7.23.3, >=v7.24.2), with fix commit 7f73b9c3e677 addressing CWE-863 (Incorrect Authorization).

Authentication Bypass Privilege Escalation Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Path traversal in AzuraCast's Flow.js media upload endpoint allows authenticated users with media management permissions to write arbitrary PHP files outside designated storage directories, achieving remote code execution. The vulnerability exists in versions ≤0.23.5 where the unsanitized `currentDirectory` parameter bypasses filename sanitization, and a `finally` block writes uploaded files before MIME validation completes. Only local filesystem storage (default configuration) is affected-remote S3/cloud backends are not vulnerable. Vendor-confirmed patch available in version 0.23.6. No public exploit or CISA KEV listing identified at time of analysis, but detailed proof-of-concept exists in GitHub advisory GHSA-vp2f-cqqp-478j demonstrating webshell upload to web root.

Privilege Escalation PHP RCE +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Server-side template injection in OpenMRS Core allows authenticated users with 'Manage Concepts' privilege to execute arbitrary Java code by injecting malicious Apache Velocity templates into concept reference range criteria fields. The vulnerability stems from unsafe VelocityEngine initialization without sandbox restrictions (no SecureUberspector), enabling unrestricted Java reflection. Exploitation persists across all facility users whenever observations are validated against the compromised concept, creating a persistent remote code execution vector. Fixed in versions 2.7.9 and 2.8.6 via migration from Velocity to sandboxed Spring Expression Language (SpEL) with SimpleEvaluationContext. No active exploitation confirmed (not in CISA KEV), but proof-of-concept details available from researcher advisory at machinespirits.com.

Apache Tomcat Java +3
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Privilege escalation in OpenC3 COSMOS allows low-privileged authenticated users to bypass API authorization and perform administrative actions by executing crafted Python or Ruby scripts via the Script Runner widget. Attackers can directly access Redis database (exposing secrets and configuration settings) and the MinIO buckets service (containing logs, configs, and plugins) due to unrestricted container-to-container network access in the Docker deployment. Vendor-released patch available in version 7.0.0-rc3 and confirmed in 7.0.0 stable release. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. CVSS 9.6 (Critical) with scope change reflects the container escape-like privilege boundary violation.

Privilege Escalation Redis Python +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Norton Secure VPN installed via Microsoft Store allows low-privilege Windows users to escalate to SYSTEM-level privileges by replacing files during the installation process, causing arbitrary file deletion. Cisco Talos discovered this TOCTOU (Time-of-Check Time-of-Use) race condition in the installer. No public exploit code or active exploitation confirmed at time of analysis, but the local attack vector with low complexity (CVSS AC:L) makes this highly exploitable once installation details are known.

Microsoft Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local .htaccess authors can escalate privileges to read arbitrary files as the httpd daemon user in Apache HTTP Server 2.4.66 and earlier. The vulnerability requires low-privilege authenticated access to create or modify .htaccess files, but exploits misconfigured module interactions to bypass intended access controls. Apache has released version 2.4.67 to address this issue. SSVC assessment indicates no active exploitation and non-automatable attack vector, with EPSS data not yet available for this recent disclosure.

Privilege Escalation Apache Suse +2
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM This Month

Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege escalation to full system compromise when an attacker already holds System privilege. The vulnerability requires no user interaction and affects 32 MediaTek chipset models. CISA SSVC framework rates technical impact as total; however, EPSS score of 0.02% suggests limited real-world exploitation despite the high CVSS score of 6.7, likely due to the requirement for pre-existing System privilege.

Privilege Escalation Buffer Overflow Memory Corruption +1
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission checks in geniezone allows attackers with System privilege to escalate their access without user interaction. CVSS 6.7 reflects high confidentiality, integrity, and availability impact, but EPSS score of 0.02% (4th percentile) and SSVC 'none' exploitation status indicate this vulnerability has not been observed in active, widespread exploitation despite the low barrier to exploitation from privileged context.

Privilege Escalation Mediatek Chipset
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors to achieve total system compromise across multiple chipset models. The vulnerability requires prior System-level access and affects 17 MediaTek chipset variants (MT6899, MT8791T, MT8786, MT6789, MT8367, MT6768, MT8766, MT6993, MT6991, MT6877, MT8788E, MT8781, MT8768, MT6989, MT8910, MT8196, MT8793). No public exploit code identified at time of analysis; exploitation remains unconfirmed in active systems despite SSVC indicating total technical impact potential.

Privilege Escalation Information Disclosure Buffer Overflow +1
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation in GeoVision LPC2011/LPC2211 1.10 web interface allows authenticated remote attackers to execute privileged operations via crafted HTTP requests. The vulnerability enables scope change (S:C) indicating potential escape from restricted web interface contexts to underlying system privileges. CVSS 9.9 (Critical) with low attack complexity and no user interaction required, making this exploitable by any authenticated user through simple web requests. No public exploit identified at time of analysis.

Privilege Escalation Gv Lpc2011 Lpc2211
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Privilege escalation in GeoVision LPC2011/LPC2211 Web Interface allows authenticated attackers to leak stored credentials via specially crafted HTTP requests to the ssi.cgi endpoint. The vulnerability affects firmware version 1.10 and requires low-privilege user access but no additional user interaction, enabling unauthenticated credential disclosure on affected devices.

Privilege Escalation Gv Lpc2011 Lpc2211
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated privilege escalation in 'Import and export users and customers' WordPress plugin versions up to 2.0.8 allows Subscriber-level users to elevate privileges to Administrator on any subsite within a WordPress Multisite network. The vulnerability stems from an incomplete blocklist in save_extra_user_profile_fields() that restricts primary site capability meta keys (wp_capabilities) but fails to block multisite-prefixed equivalents (wp_2_capabilities, wp_3_capabilities, etc.). Exploitation requires that an administrator has previously imported a CSV with multisite-prefixed capability headers and enabled the 'Show fields in profile?' option. Patch released in changeset 3515646 per WordPress plugin repository. No EPSS or KEV data available, indicating no widespread exploitation detected at time of analysis.

Privilege Escalation WordPress PHP
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Missing capability check in WP Mail Gateway plugin for WordPress (versions ≤1.8) allows authenticated attackers with Subscriber-level privileges to modify SMTP settings via the wmg_save_provider_config AJAX action, enabling mail redirection. Attackers exploit this by redirecting password reset emails to attacker-controlled servers, then using intercepted credentials to escalate privileges to Administrator. CVSS 8.8 (High) reflects the severe impact despite requiring initial low-level authentication. No active exploitation confirmed via CISA KEV, but Wordfence reporting indicates discovery by security researchers and likely inclusion in their threat intelligence feeds.

Authentication Bypass WordPress Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Kernel memory access and privilege escalation in PassMark DirectIo64.sys driver affect BurnInTest 11.0 Build 1011, OSForensics 11.1 Build 1007, and PerformanceTest 11.1 Build 1004. Local authenticated attackers can send crafted IOCTL 0x8011E044 calls to the vulnerable driver to read arbitrary kernel memory and elevate privileges to SYSTEM level. Public exploit code is available in the researcher's GitHub repository. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation, though POC availability lowers the barrier for local attacks.

Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Automotive Grade Linux (AGL) app-framework-binder (afb-daemon) through v19.90.0 allows authenticated users to execute arbitrary registered APIs with nullified credentials. The supervision Do command in src/afb-supervision.c explicitly zeroes request credentials before dispatching attacker-controlled API calls, causing authorization checks to fail open when encountering NULL credential contexts. This enables low-privileged users to bypass access controls and execute privileged operations. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis.

Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

IBM i 7.2-7.6 contains an invalid authorization check in the Web Administration GUI that allows authenticated high-privilege users with administrator access to trigger privilege escalation, enabling user-controlled code execution with administrator privileges. The vulnerability requires high privileges and user interaction (CVSS:H for confidentiality, integrity, and availability), but is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no public exploit code has been identified as of the analysis date.

Authentication Bypass IBM Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in IBM Turbonomic prometurbo agent allows compromised service accounts to exfiltrate cluster-wide Kubernetes secrets and achieve full cluster takeover. Affects versions 8.16.0 through 8.17.6 deployed in Kubernetes environments. The operator grants excessive RBAC permissions enabling unrestricted read access to all secrets cluster-wide. CVSS 8.8 indicates high severity with scope change to container/cluster level. No active exploitation confirmed (not in CISA KEV), but the attack path from service account compromise to cluster admin is well-understood in Kubernetes threat models.

Privilege Escalation IBM
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Improper input validation in Progress MOVEit Automation enables authenticated low-privilege attackers to escalate privileges and cause high-impact denial of service across container boundaries. Affecting all versions prior to 2025.1.5, 2025.0.9, and 2024.1.8, this network-accessible vulnerability with low attack complexity allows attackers to disrupt availability system-wide. Progress issued a Critical Security Alert Bulletin addressing this issue alongside CVE-2026-4670 in their April 2026 advisory. No public exploit identified at time of analysis, but the straightforward attack path (AV:N/AC:L/PR:L) and Changed scope indicate significant real-world risk for organizations running unpatched instances.

Privilege Escalation Moveit Automation
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-site scripting (XSS) in n8n's MCP OAuth client registration allows remote attackers to execute arbitrary JavaScript in authenticated user sessions. Unauthenticated attackers can inject malicious scripts via the client_name parameter during OAuth client registration, which executes when a second user revokes the OAuth consent, triggering a vulnerable toast notification. Successful exploitation enables session token theft, workflow manipulation, and privilege escalation. CVSS 8.2 (High) reflects the changed scope and complex attack chain requiring victim interaction across multiple user sessions. No public exploit or CISA KEV listing identified at time of analysis, but exploit development is straightforward given the clear attack vector.

Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in EnTech Taiwan TVicPort v4.0 (driver v5.2.1.0) allows authenticated low-privileged users to gain SYSTEM privileges via crafted IOCTL 0x80002008 requests to the TVicPort64.sys kernel driver. The vulnerability stems from improper input validation (CWE-20) in IOCTL handling. Publicly available exploit code exists (GitHub gist), enabling straightforward elevation of privileges on systems with the driver installed. SSVC assessment indicates total technical impact with no active exploitation reported, though the low attack complexity and available POC present significant risk to environments using this I/O port access driver.

Privilege Escalation Tvicport
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Improper Privilege Management, Improper Access Control, Incorrect privilege assignment vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Hijacking a privileged process. This issue affects Pardus Software Center: before 1.0.3.

Privilege Escalation Pardus Software Center
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation due to improper input validation. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212, Acronis Cyber Protect Cloud Agent (Windows) before build 42183.

Buffer Overflow Memory Corruption Microsoft +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation due to improper input validation. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212, Acronis Cyber Protect Cloud Agent (Windows) before build 42183.

Microsoft Privilege Escalation
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212.

Microsoft Privilege Escalation
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Privilege escalation in OpenClaw's trusted-proxy authentication mode allows low-privileged authenticated users to gain operator.admin privileges by declaring operator scopes on non-Control-UI clients. The incomplete scope-clearing mechanism fails to sanitize self-declared scopes when identity-bearing authentication paths process requests, enabling attackers to bypass authorization checks and achieve full administrative access. Vendor patch available via commit 8b88b927 in version 2026.3.31; no confirmed active exploitation (not in CISA KEV) but publicly disclosed with detailed GitHub security advisory increasing attack feasibility.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Privilege escalation in OpenClaw allows remote unauthenticated attackers to elevate privileges beyond intended device roles during first-use pairing. The vulnerability stems from bootstrap setup codes lacking proper binding to device roles and scopes, enabling attackers to exploit the pairing process with low complexity and no user interaction. VulnCheck reported this issue, and a vendor patch is available as of 2026.3.22. While no active exploitation has been confirmed (not in CISA KEV), the network attack vector (AV:N) and absence of authentication requirements (PR:N) create significant exposure for organizations deploying new OpenClaw instances.

Privilege Escalation Openclaw
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Privilege escalation in OpenClaw versions prior to 2026.3.28 enables authenticated operators with write permissions to modify administrator-only voice configuration settings through the chat.send endpoint. This vulnerability allows low-privileged operator accounts to manipulate sensitive Talk Voice configuration persistence, bypassing intended role-based access controls. A vendor-released patch is available via commit e34694733fc64931ed4a543c73d84ad3435d5df1. EPSS data unavailable; no CISA KEV listing or public exploit code identified at time of analysis, though the targeted nature (authenticated internal operators) suggests lower mass-exploitation risk than the CVSS 7.1 score might imply.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Remote code execution in OpenClaw gateway versions before 2026.3.31 allows attackers with trusted paired node credentials (role=node) to escalate privileges and execute arbitrary code on the gateway by abusing unrestricted agent.request dispatch functionality. The vulnerability stems from insufficient access controls on node.event agent requests, enabling low-privilege paired nodes to invoke gateway-side tools without restriction. EPSS exploitation probability and KEV status not yet available for this recently disclosed vulnerability, but a vendor patch and exploit details are publicly documented.

Authentication Bypass Privilege Escalation RCE +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in NVIDIA NVFlare Dashboard allows remote unauthenticated attackers to escalate privileges through user-controlled key manipulation in the authentication system. The vulnerability affects the NVIDIA Flare SDK and enables complete system compromise including arbitrary code execution, data tampering, information disclosure, and denial of service. With a CVSS score of 9.8 (critical severity) and maximum exploitability metrics (AV:N/AC:L/PR:N/UI:N), this represents a severe security flaw requiring immediate remediation, though no active exploitation (KEV) or public exploit code has been identified at time of analysis.

RCE Authentication Bypass Nvidia +3
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Spring gRPC 1.0.0 through 1.0.2 inherits authenticated user identity on gRPC worker threads after access denial, allowing a subsequent unauthenticated request on the same thread to gain escalated permissions. The vulnerability requires an authenticated attacker with prior knowledge of thread reuse patterns and affects only configurations where both authenticated and unauthenticated requests share gRPC worker threads. A patch is available in version 1.0.3.

Java Privilege Escalation
NVD
EPSS 0% CVSS 6.9
MEDIUM Monitor

mpGabinet 23.12.19 and earlier suffers from privilege escalation due to excessive database privileges assigned to the application service account. An attacker with local access to extract database credentials from the application process memory gains administrative database access, enabling unauthorized actions beyond what the application interface permits. CVSS 6.9 indicates high confidentiality impact from local access without authentication; no active exploitation confirmed in CISA KEV at time of analysis.

Privilege Escalation Mpgabinet
NVD
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Privilege escalation in OpenClaw chat.send API allows low-privileged gateway callers with write scope to execute admin-only session management operations. Attackers can forcibly reset user sessions, rotate session IDs, and archive chat transcripts without admin authorization by exploiting broken access control in the chat messaging path. This enables session hijacking and data manipulation attacks against legitimate users. Reported by VulnCheck disclosure team with vendor security advisory published; no public exploit or active exploitation confirmed at time of analysis.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.

WordPress Privilege Escalation Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain an Execution with Unnecessary Privileges vulnerability in the AWCC. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.

Privilege Escalation Dell
NVD
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

authd prior to version 0.6.4 contains a logic error in primary group ID assignment that can lead to local privilege escalation. When a user's primary group ID (GID) differs from their UID, either because the account was created with authd prior to version 0.5.4 or because the primary group was manually changed via the `authctl group set-gid` command, and the user's identity provider record is updated, authd incorrectly resets the user's primary group ID to their UID upon next login. This causes newly created files and directories to be owned by the wrong group, causing denial of service issues, and potentially granting unintended access to other local users and allowing local privilege escalation.

Privilege Escalation Denial Of Service Authd
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.

PHP Information Disclosure Authentication Bypass +1
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Insecure preserved inherited permissions vulnerability in Cerberus FTP Server on Windows allows Privilege Escalation.This issue has been resolved in Cerberus FTP Server: 2026.1

Microsoft Privilege Escalation
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/27. positories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new Follow @Openwall on Twitter for new release announcements and other news [<prev day] [month] [year] [list] oss-security mailing list - 2026/04/27 plasma-login-manager: Weaknesses in plasmaloginauthhelper (CVE-2026-25710) (Matthias Gerstner <mgerstner@...e.de>) 1 message Powered by blists - more mailing lists Please check out the Open Source Software Security Wiki , which is counterpart to this mailing list . Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guide

Privilege Escalation Suse
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote unauthenticated attackers can escalate privileges to administrator level in Directorist Social Login WordPress plugin versions prior to 2.1.4 through incorrect privilege assignment during social authentication flows. Exploitation requires no authentication or user interaction, enabling complete site takeover via social login mechanisms. CVSS 9.8 (Critical) reflects network-based attack vector with no complexity barriers. No public exploit code or CISA KEV listing identified at time of analysis, but Patchstack reporting suggests vulnerability may be under researcher scrutiny.

Privilege Escalation Directorist Social Login
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated attackers with Subscriber-level privileges can escalate to Administrator role in Highland Software Custom Role Manager for WordPress via profile update exploitation. The hscrm_save_user_roles() function lacks capability checks on the personal_options_update hook, allowing low-privilege users to modify arbitrary user roles including their own. Version 1.0.1 released with authorization fixes. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. EPSS data not provided, no CISA KEV listing identified, indicating limited widespread exploitation despite the severity of self-service privilege escalation to site administrator.

WordPress Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog. The dialog processes user-supplied paths with elevated permissions, which can be exploited by a local attacker to perform actions with administrator-level privileges.

Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in bubblewrap 0.11.x when installed setuid root allows local attackers to escape sandbox isolation via ptrace attachment during low-privileged setup phases. The vendor confirmed active exploitation risk by releasing emergency v0.11.2 patch and immediately deprecating setuid mode entirely. CVSS 8.7 severity reflects high integrity impact from sandbox breakout, though exploitation requires local access to a setuid-configured bubblewrap binary (non-default in most distributions).

Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

JSON response tampering in the Axios HTTP client (versions 1.0.0 up to but not including 1.15.2) lets an attacker who can already pollute Object.prototype in a Node.js or browser application escalate that primitive into surgical, invisible rewriting of every parsed JSON API response, enabling privilege escalation, balance manipulation, and authorization bypass. The default transformResponse passes a prototype-inherited parseReviver to JSON.parse, so a planted Object.prototype.parseReviver runs against every key-value pair of every response. Publicly available exploit code exists (a PoC gist), though EPSS is very low (0.03%, 8th percentile) and the issue is not in CISA KEV.

Node.js Privilege Escalation Axios
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authenticated users with low privileges can escalate to deployment admin in AWS Ops Wheel (pre-PR #165) by manipulating the custom:deployment_admin attribute through crafted UpdateUserAttributes API calls to Cognito User Pool. This privilege escalation allows full control over Cognito user account management and deployment administration. Upstream fix available via GitHub PR #165; AWS security bulletin AMZN-2026-018 confirms patch availability. No active exploitation confirmed (not in CISA KEV), but CVSS 8.7 reflects critical impact across confidentiality, integrity, and availability.

Privilege Escalation Aws Ops Wheel
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-namespace privilege escalation in Kyverno 1.17.x allows authenticated namespace administrators to bypass RBAC controls and read ConfigMaps from any Kubernetes namespace. The vulnerability exploits unvalidated `configMap.namespace` field in Kyverno's ConfigMap context loader, enabling attackers to leverage Kyverno's privileged service account permissions. This is a regression following incomplete fix for CVE-2026-22039, which addressed the same issue in `apiCall` context but missed the ConfigMap loader. Patch available in version 1.17.2. CVSS 7.7 with Changed Scope indicates significant multi-tenant cluster risk; EPSS data not available but the regression nature and RBAC bypass impact warrant immediate patching in multi-tenant environments.

Kubernetes Authentication Bypass Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.

Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or tool output intended to be restricted to administrators.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

### TL;DR This vulnerability affects all Kirby sites where users have the permission to create pages (`pages.create` permission is enabled) but not the permission to change the status of pages (`pages.changeStatus` permission is disabled). This can be due to configuration in the user blueprint(s), via `options` in the page blueprint(s) or via a combination of both settings. Users' Kirby sites are *not* affected if their use case does not consider the creation of published pages a malicious action. The vulnerability can only be exploited by authenticated users. ---- ### Introduction An authorization bypass allows authenticated users to perform actions they should not be allowed to perform based on their configured permissions, thereby causing a privilege escalation. The effects of an authorization bypass can include unauthorized access to sensitive information as well as unauthorized changes to content or system information. ### Impact Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). In affected releases, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However the REST API allows to override the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. ### Patches The problem has been patched in [Kirby 4.9.0](https://github.com/getkirby/kirby/releases/tag/4.9.0) and [Kirby 5.4.0](https://github.com/getkirby/kirby/releases/tag/5.4.0). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability. In all of the mentioned releases, Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts. ### Credits Kirby thanks @offset for responsibly reporting the identified issue.

Authentication Bypass Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

### Summary Any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /account/change-password` has no authorization check, allowing any session to overwrite the password hash; the inactive password `auth` row is never removed on migration; and the login endpoint accepts a client-supplied `loginMethod` that bypasses the server's active auth configuration. Together these allow an attacker to set a known password and authenticate as the anonymous admin account created during the multiuser migration. --- ### Details **`packages/sync-server/src/app-account.js:120-132`** - the `/account/change-password` route validates only that a session exists. No admin role check is performed ```js app.post('/change-password', (req, res) => { const session = validateSession(req, res); // only checks token validity if (!session) return; const { error } = changePassword(req.body.password); // no isAdmin() check ``` **`packages/sync-server/src/accounts/password.js:113-125`** - `changePassword()` updates the hash with no current-password confirmation: ```js export function changePassword(newPassword) { accountDb.mutate("UPDATE auth SET extra_data = ? WHERE method = 'password'", [hashed]); } ``` **`packages/sync-server/src/accounts/password.js:56-62`** - `loginWithPassword()` always authenticates as the user with `user_name = ''`, which is created by the multiuser migration with `role = 'ADMIN'`: ```js const sessionRow = accountDb.first( 'SELECT * FROM sessions WHERE auth_method = ?', ['password'] ); ``` **`packages/sync-server/src/account-db.js:56-63`** - a client can force the `password` login method regardless of server configuration by sending `loginMethod` in the request body: ```js if (req.body.loginMethod && config.get('allowedLoginMethods').includes(req.body.loginMethod)) { return req.body.loginMethod; } ``` When a server is migrated from password → OpenID via `enableOpenID()`, the password row is set to `active = 0` but **never deleted**, leaving it available for exploitation. --- ### PoC **Prerequisites:** Server originally bootstrapped with password auth, then switched to OpenID. Default `allowedLoginMethods` configuration (includes `password`). Attacker has any valid OpenID session token (any role). ```bash # Step 1 - overwrite the password hash using a BASIC-role session curl -s -X POST https://<host>/account/change-password \ -H "Content-Type: application/json" \ -H "X-Actual-Token: <any_valid_session_token>" \ -d '{"password": "attacker123"}' # → {"status":"ok","data":{}} # Step 2 - log in via password method to obtain an ADMIN session curl -s -X POST https://<host>/account/login \ -H "Content-Type: application/json" \ -d '{"loginMethod": "password", "password": "attacker123"}' # → {"status":"ok","data":{"token":"<admin_token>"}} ``` The returned token belongs to the `user_name = ''` admin account (created by `1719409568000-multiuser.js`). Verify admin access: ```bash curl -s https://<host>/account/validate \ -H "X-Actual-Token: <admin_token>" # → {"status":"ok","data":{"permission":"ADMIN", ...}} ``` --- ### Impact **Privilege escalation** - any authenticated user can gain full `ADMIN` access on affected deployments. An ADMIN can manage all users, access all budget files regardless of ownership, modify file access controls, and change server configuration. Affected deployments: multi-user servers running OpenID Connect that were previously configured with password authentication. Servers bootstrapped exclusively with OpenID from initial setup are not affected (no password row exists in the `auth` table). --- ### Recommendations **1. Restrict `POST /account/change-password` to password-authenticated sessions only** (`packages/sync-server/src/app-account.js`) The endpoint should reject requests from sessions that were authenticated via OpenID. The active auth method can be checked against the session's `auth_method` field or by querying the `auth` table for the currently active method. If the server is running in OpenID mode, this endpoint should return `403 Forbidden`. **2. Require current-password confirmation before accepting a new password** (`packages/sync-server/src/accounts/password.js`) `changePassword()` should accept the current password as a parameter and verify it against the stored hash before applying the update. This prevents any session (even a legitimate password session) from silently overwriting the credential without proving possession of the existing one. **3. Enforce `active` status and remove client control over login method selection** (`packages/sync-server/src/account-db.js` - `getLoginMethod()`) Two issues exist in `getLoginMethod()`: (a) a client can supply `loginMethod` in the request body to select any method listed in `allowedLoginMethods`, regardless of whether it is currently active on the server; (b) the function does not check the `active` column, so an administratively disabled method (e.g. `password` after migrating to OpenID) remains accessible. The fix is to determine the permitted method server-side from `WHERE active = 1` in the `auth` table and ignore any client-supplied `loginMethod` override entirely. Servers intentionally running both methods simultaneously can be supported by allowing multiple `active = 1` rows rather than relying on client input. **4. Immediate mitigation for existing deployments (OpenID-only servers)** Administrators who have fully migrated to OpenID and do not need password auth can remove the orphaned row: ```sql DELETE FROM auth WHERE method = 'password'; ``` #### The three weaknesses form a single, sequential exploit chain - none produces privilege escalation on its own: Missing authorization on POST /change-password - allows overwriting a password hash, but only matters if there is an orphaned row to target. Orphaned password row persisting after migration - provides the target row, but is harmless without the ability to authenticate using it. Client-controlled loginMethod: "password" - allows forcing password-based auth, but is useless without a known hash established by step 1. All three must be chained in sequence to achieve the impact. No single weakness independently results in privilege escalation, which under CVE CNA rule 4.1.2 means they should not each be treated as standalone vulnerabilities. The single root cause is the missing authorization check on /change-password; the other two are preconditions that make it exploitable. A single CVE reflecting that root cause is the appropriate representation - splitting them would falsely imply each carries independent risk.

Authentication Bypass Privilege Escalation
NVD GitHub VulDB
Prev Page 9 of 148 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy