Skip to main content

Privilege Escalation

auth HIGH

Privilege escalation occurs when an attacker leverages flaws in access control mechanisms to gain permissions beyond what they were originally granted.

How It Works

Privilege escalation occurs when an attacker leverages flaws in access control mechanisms to gain permissions beyond what they were originally granted. The attack exploits the gap between what the system thinks a user can do and what they actually can do through manipulation or exploitation.

Vertical escalation is the classic form—a regular user obtaining administrator rights. This happens through kernel exploits that bypass OS-level security, misconfigurations in role-based access control (RBAC) that fail to enforce boundaries, or direct manipulation of authorization tokens and session data. Horizontal escalation involves accessing resources belonging to users at the same privilege level, typically through insecure direct object references (IDOR) where changing an ID in a request grants access to another user's data.

Context-dependent escalation exploits workflow logic by skipping authorization checkpoints. An attacker might access administrative URLs directly without going through proper authentication flows, manipulate parameters to bypass permission checks, or exploit REST API endpoints that don't validate method permissions—like a read-only GET permission that can be leveraged for write operations through protocol upgrades or alternative endpoints.

Impact

  • Full system compromise through kernel-level exploits granting root or SYSTEM privileges
  • Administrative control over applications, allowing configuration changes, user management, and deployment of malicious code
  • Lateral movement across cloud infrastructure, containers, or network segments using escalated service account permissions
  • Data exfiltration by accessing databases, file systems, or API endpoints restricted to higher privilege levels
  • Persistence establishment through creation of backdoor accounts or modification of system configurations

Real-World Examples

Kubernetes clusters have been compromised through kubelet API misconfigurations where read-only GET permissions on worker nodes could be escalated to remote code execution. Attackers upgraded HTTP connections to WebSockets to access the /exec endpoint, gaining shell access to all pods on the node. This affected over 69 Helm charts including widely-deployed monitoring tools like Prometheus, Grafana, and Datadog agents.

Windows Print Spooler vulnerabilities (PrintNightmare class) allowed authenticated users to execute arbitrary code with SYSTEM privileges by exploiting improper privilege checks in the print service. Attackers loaded malicious DLLs through carefully crafted print jobs, escalating from low-privilege user accounts to full domain administrator access.

Cloud metadata services have been exploited where SSRF vulnerabilities combined with over-permissioned IAM roles allowed attackers to retrieve temporary credentials with elevated permissions, pivoting from compromised web applications to broader cloud infrastructure access.

Mitigation

  • Enforce deny-by-default access control where permissions must be explicitly granted rather than implicitly allowed
  • Implement consistent authorization checks at every layer—API gateway, application logic, and data access—never relying on client-side or single-point validation
  • Apply principle of least privilege with time-limited, scope-restricted permissions and just-in-time access for administrative functions
  • Audit permission inheritance and role assignments regularly to identify overly permissive configurations or privilege creep
  • Separate execution contexts using containers, sandboxes, or capability-based security to limit blast radius
  • Deploy runtime monitoring for unusual privilege usage patterns and anomalous access to restricted resources

Recent CVEs (13302)

EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento', allowing authenticated users with low privileges to inject malicious scripts that persist in the application and execute in the browsers of other users, potentially enabling unauthorized data access and privilege escalation across the veterinary team. The vulnerability has a CVSS v4.0 base score of 4.8 (low-to-medium severity) but poses meaningful organizational risk due to its stored nature and the ability for low-privileged users to affect higher-privileged team members. No public exploit code or active exploitation in the wild has been reported at this time, though the attack requires only Network access and user interaction, making it feasible for insider threats.

XSS Privilege Escalation Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe).

Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Serviio PRO 1.8 and earlier versions contain an unquoted service path vulnerability combined with insecure directory permissions that allows local authenticated users to escalate privileges to SYSTEM level. A public exploit is available, making this vulnerability easily exploitable by any authenticated user on the system. With a CVSS score of 7.8 and multiple proof-of-concept exploits published, this represents a significant risk for organizations running affected versions.

Privilege Escalation RCE Microsoft
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

A privilege escalation vulnerability in Wowza Streaming Engine 4.5.0 allows authenticated read-only users to elevate their privileges to administrator level by manipulating POST parameters (accessLevel='admin', advUser='true'/'on') sent to the user edit endpoint. A public exploit is available on exploit-db, though the vulnerability has not been added to CISA's KEV catalog, suggesting limited real-world exploitation despite the high CVSS score of 8.8.

Privilege Escalation CSRF Wowza Streaming Engine
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.8
HIGH POC This Week

Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability where authenticated users can gain SYSTEM-level access by replacing service executables due to overly permissive file permissions that grant the Everyone group full control. A public proof-of-concept exploit is available, making this vulnerability easily exploitable by any authenticated local user to completely compromise the system.

Privilege Escalation Authentication Bypass Wowza Streaming Engine
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

ZKTeco ZKBioSecurity 3.0 contains a local file path manipulation vulnerability (CWE-276) that allows unauthenticated attackers to bypass access controls and read arbitrary files including configuration files, source code, and application resources. A publicly available proof-of-concept exists, and the vulnerability has moderate real-world risk due to its local attack vector requirement but high confidentiality impact on sensitive biometric system data.

Privilege Escalation Zkteco Zkbiosecurity
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Privilege escalation vulnerability in ZKTeco ZKAccess Professional 3.5.3 (Build 0005) where authenticated users can modify executable files due to insecure permissions, allowing them to replace binaries with malicious code and gain elevated privileges. Multiple public exploits are available (exploit-db, PacketStorm) making this a high-risk vulnerability for organizations using this access control software, despite no current KEV listing or EPSS data.

Privilege Escalation Path Traversal Information Disclosure +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Critical insecure file permissions vulnerability in ZKTeco ZKTime.Net 3.0.1.6 that allows unprivileged local users to gain elevated privileges by replacing executable files in the world-writable application directory. Multiple public proof-of-concept exploits are available on Exploit-DB and PacketStorm, making this vulnerability easily exploitable despite requiring local access. While not listed in CISA KEV and lacking current EPSS data, the availability of working exploits and the simplicity of the attack make this a significant risk for organizations using this time and attendance software.

Privilege Escalation Zkteco Zktime Net
NVD Exploit-DB VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

A validation bypass in the chunked file upload completion logic for file requests allows attackers to circumvent per-request file size limits by splitting oversized files into smaller chunks that individually pass validation. Attackers with access to a public file request link can sequentially upload chunks to exceed the administrator-configured MaxSize limit, uploading files up to the server's global MaxFileSizeMB threshold. This enables unauthorized storage consumption and potential service disruption through storage exhaustion, though no data exposure or privilege escalation occurs; the vulnerability carries a CVSS score of 4.3 with EPSS and KEV status not currently indicated as critical, suggesting limited real-world exploitation pressure despite straightforward attack mechanics.

Information Disclosure Privilege Escalation Suse
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A broken access control vulnerability in JetBrains Datalore allows authenticated users to escalate privileges horizontally, accessing resources of other users at the same permission level. The vulnerability affects Datalore versions prior to 2026.1 but only impacts specific configurations. With a CVSS score of 8.8 and high EPSS score of 0.36942, this represents a significant risk, though no active exploitation or proof-of-concept code has been reported publicly.

Privilege Escalation Authentication Bypass Id Server
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Medium severity vulnerability in systemd. A container privilege escalation flaw was found in certain Fuse images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the a...

Privilege Escalation Red Hat Fuse 7
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Medium severity vulnerability in systemd. A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd f...

Privilege Escalation Red Hat Openshift Data Foundation 4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Local privilege escalation in Veeam Backup & Replication on Windows enables authenticated users to gain system-level access without user interaction. An attacker with local account credentials can exploit this vulnerability to achieve complete control over the backup infrastructure, including reading, modifying, or deleting backups. No patch is currently available for this high-severity issue affecting backup administrators and organizations relying on Veeam for data protection.

Privilege Escalation Microsoft
NVD VulDB
EPSS 0%
Monitor

An Insufficient Integrity Verification vulnerability in the ASUS ROG peripheral driver installation process allows privilege escalation to SYSTEM. The vulnerability is due to improper access control on the installation directory, which enables the exploitation of a race condition where the legitimate installer is substituted with an unexpected payload immediately after download, resulting in arbitrary code execution. Refer to the "Security Update for ASUS ROG peripheral driver" section on the...

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

## Summary The REST API `createUser` endpoint uses string-based rank checks that only block creating `owner` accounts, while the Dashboard API uses `indexOf`-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. ## Details The REST API handler in `packages/studiocms/frontend/pages/studiocms_api/_handlers/rest-api/v1/secure.ts:1365-1378`: ```typescript // REST API - only blocks creating 'owner' if (newUserRank === 'owner' && rank !== 'owner') { return yield* new RestAPIError({ error: 'Unauthorized to create user with owner rank', }); } if (rank === 'admin' && newUserRank === 'owner') { return yield* new RestAPIError({ error: 'Unauthorized to create user with owner rank', }); } // Missing: no check preventing admin from creating admin // newUserRank='admin' passes all checks ``` The Dashboard API handler in `_handlers/dashboard/create.ts` uses the correct approach: ```typescript // Dashboard API - blocks creating users at or above own rank const callerPerm = availablePermissionRanks.indexOf(userData.permissionLevel); const targetPerm = availablePermissionRanks.indexOf(rank); if (targetPerm >= callerPerm) { return yield* new DashboardAPIError({ error: 'Unauthorized: insufficient permissions to assign target rank', }); } ``` With `availablePermissionRanks = ['unknown', 'visitor', 'editor', 'admin', 'owner']`: - Admin (index 3) creating admin (index 3): `3 >= 3` = blocked in Dashboard - In REST API: no such check - allowed ## PoC ```bash # 1. Use an admin-level API token # 2. Create a new admin user via REST API curl -X POST 'http://localhost:4321/studiocms_api/rest/v1/secure/users' \ -H 'Authorization: Bearer <admin-api-token>' \ -H 'Content-Type: application/json' \ -d '{ "username": "rogue_admin", "email": "rogue@attacker.com", "displayname": "Rogue Admin", "rank": "admin", "password": "StrongP@ssw0rd123" }' # Expected: 403 Forbidden (admin should not create peer admin accounts) # Actual: 200 with new admin user created ``` ## Impact - A compromised or rogue admin can create additional admin accounts as persistence mechanisms that survive password resets or token revocations - Inconsistent security model between Dashboard API and REST API creates confusion about intended authorization boundaries - Note: requires admin access (PR:H), which limits practical severity ## Recommended Fix Replace string-based checks with `indexOf` comparison in `packages/studiocms/frontend/pages/studiocms_api/_handlers/rest-api/v1/secure.ts`: ```typescript // Before: if (newUserRank === 'owner' && rank !== 'owner') { ... } if (rank === 'admin' && newUserRank === 'owner') { ... } // After: const availablePermissionRanks = ['unknown', 'visitor', 'editor', 'admin', 'owner']; const callerPerm = availablePermissionRanks.indexOf(rank); const targetPerm = availablePermissionRanks.indexOf(newUserRank); if (targetPerm >= callerPerm) { return yield* new RestAPIError({ error: 'Unauthorized: insufficient permissions to assign target rank', }); } ```

Privilege Escalation Studiocms
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Lenovo PC Manager permits local authenticated users to terminate privileged processes due to improper privilege management, potentially disrupting system operations or enabling denial of service. An attacker with valid credentials could leverage this vulnerability to halt critical processes without administrative approval. No patch is currently available to address this issue.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation in Himmelblau prior to versions 3.1.0 and 2.3.8 allows authenticated local users to exploit insecure Kerberos cache file handling in the root-running himmelblaud-tasks daemon through symlink attacks. The vulnerability stems from the removal of PrivateTmp protections, exposing /tmp operations to symlink-based file overwrite and ownership manipulation attacks. An attacker with local access can leverage this flaw to achieve arbitrary file modification and full system compromise.

Privilege Escalation Microsoft Himmelblau +1
NVD GitHub VulDB
EPSS 0% CVSS 6.7
MEDIUM This Month

Dell Alienware Command Center versions before 6.12.24.0 suffer from improper privilege management that allows local attackers with low privileges to escalate their access on affected systems. An attacker with physical or local system access combined with user interaction could gain elevated privileges, potentially compromising system integrity and confidentiality. No patch is currently available for this vulnerability.

Privilege Escalation Dell
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Arbitrary code execution in Jellyfin iOS GitHub Actions workflow. CVSS 10.0.

Privilege Escalation RCE Apple +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Cisco IOS XR Software contains a task group mapping flaw in a specific CLI command that allows authenticated local attackers to bypass privilege checks and gain full administrative access to affected devices. An attacker with low-privileged credentials can exploit this misconfiguration to execute unauthorized administrative actions without proper authorization validation. No patch is currently available.

Cisco Apple Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

In Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, a low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privileges. [CVSS 8.8 HIGH]

Microsoft Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Execution with unnecessary privileges in Forcepoint NGFW Engine allows local privilege escalation.This issue affects NGFW Engine versions up to 6.10.19 is affected by execution with unnecessary privileges.

Privilege Escalation Next Generation Firewall
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

File path control in Zoom Workplace for Windows Mail feature before 6.6.0.

Privilege Escalation Microsoft
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Zoom Client for Windows contains a privilege escalation vulnerability that allows authenticated local users to gain elevated system privileges through improper access controls. An attacker with valid credentials can exploit this weakness to execute arbitrary code or access sensitive system resources without administrative approval. No patch is currently available for this issue.

Privilege Escalation Microsoft
NVD VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Improper Input Validation in Zoom Room versions up to 6.6.5 is affected by improper input validation (CVSS 7.0).

Privilege Escalation Microsoft
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Zoom's Windows client fails to properly validate minimum version requirements during updates, enabling authenticated local users to escalate their privileges on affected systems. An attacker with local access and valid credentials could exploit this validation bypass to gain elevated permissions. No patch is currently available for this vulnerability.

Privilege Escalation Microsoft
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in ExactMetrics WordPress plugin versions 7.1.0-9.0.2 allows authenticated users with the `exactmetrics_save_settings` capability to modify any plugin configuration without restrictions, potentially escalating themselves to administrative access. An attacker could exploit the missing input validation in the `update_settings()` function to grant plugin permissions to arbitrary user roles, including subscribers, effectively bypassing intended access controls. No patch is currently available for this vulnerability.

WordPress Privilege Escalation Google
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated REST endpoint in Datalogics Ecommerce Delivery WordPress plugin before 2.6.60.

WordPress Privilege Escalation
NVD WPScan
EPSS 0%
Monitor

Improper input validation in some UEFI firmware SMM module for the Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable local code execution.

Privilege Escalation
NVD VulDB
EPSS 0%
Monitor

Improper input validation in the UEFI firmware for some Intel Reference Platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable data manipulation.

Privilege Escalation
NVD VulDB
EPSS 0%
Monitor

Improper input validation in the UEFI ImcErrorHandler module for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege.

Privilege Escalation
NVD VulDB
EPSS 0%
Monitor

Improper input validation in the UEFI FlashUcAcmSmm module for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable local code execution.

Privilege Escalation
NVD VulDB
EPSS 0%
Monitor

Time-of-check time-of-use race condition in the WheaERST SMM module for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege.

Privilege Escalation Race Condition
NVD VulDB
EPSS 0%
Monitor

Improper input validation in the UEFI WheaERST module for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege.

Privilege Escalation
NVD VulDB
EPSS 0%
This Week

Improper buffer restrictions in some UEFI firmware for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable data manipulation.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in Umbraco CMS versions 15.3.1 through 16.5.0 and 17.x before 17.2.2 allows authenticated backoffice users with user management permissions to assign themselves elevated privileges by bypassing authorization checks on role assignments. An attacker with these permissions could gain administrative access to the CMS without proper privilege validation. No patch is currently available for affected installations.

Privilege Escalation Umbraco Cms
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Parse Server's LDAP authentication adapter fails to properly sanitize user input in Distinguished Names and group filters, allowing authenticated attackers to inject LDAP commands and bypass group-based access controls. This vulnerability enables privilege escalation for any valid LDAP user to gain membership in restricted groups, affecting deployments that rely on LDAP group policies for authorization. Patches are available in versions 9.5.2-alpha.13 and 8.6.26.

Node.js DNS LDAP +2
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Android results from an out-of-bounds write vulnerability caused by insufficient bounds validation. A local attacker with limited privileges can exploit this flaw without user interaction to gain elevated system permissions. No patch is currently available.

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Uncontrolled buffer writes in Android's EfwApTransport component allow local attackers to achieve privilege escalation without requiring user interaction or special permissions. The vulnerability stems from insufficient bounds checking in the ProcessRxRing function, enabling an attacker with local access to corrupt kernel memory and gain elevated privileges.

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

An out-of-bounds write vulnerability in Android's USIM registration component allows an attacker with physical access to escalate privileges without requiring additional permissions or user interaction. The memory corruption flaw in usim_SendMCCMNCIndMsg could enable complete compromise of affected devices. No patch is currently available for this vulnerability.

Memory Corruption Privilege Escalation Android +1
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Oobconfig on Android contains a logic error that allows local attackers to circumvent carrier restrictions and escalate privileges without requiring additional execution capabilities or user interaction. This vulnerability enables unauthorized privilege elevation on affected devices through a straightforward exploitation path. No patch is currently available to remediate this issue.

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in Android's Media Framework Codec (MFC) decoder results from an out-of-bounds write vulnerability in the mfc_dec_dqbuf function due to inadequate bounds validation. An attacker with local access can exploit this defect without special privileges or user interaction to gain elevated system permissions. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Modem has a third OOB write in cell broadcast utilities.

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Local privilege escalation on Android devices occurs through a race condition in the VPU driver's instance opening function, allowing attackers to trigger a use-after-free condition without requiring special privileges or user interaction. An unprivileged local attacker can exploit this vulnerability to gain elevated system privileges. No patch is currently available for this vulnerability.

Use After Free Privilege Escalation Race Condition +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Modem OOB write in cell broadcast utilities enabling privilege escalation.

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Samsung/Qualcomm modem has an out-of-bounds write in NR SM message handling enabling privilege escalation through crafted cellular signaling.

Memory Corruption Privilege Escalation Android +1
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Android versions up to - contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

In hyp_alloc of arch/arm64/kvm/hyp/nvhe/alloc.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Android DeviceId component has a CVSS 10.0 out-of-bounds write in persistence handling enabling device compromise.

Privilege Escalation Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.8
MEDIUM This Month

Incorrect Default Permissions, : Execution with Unnecessary Privileges, : Incorrect Permission Assignment for Critical Resource vulnerability in ASSA ABLOY Visionline on Windows allows Configuration/Environment Manipulation.This issue affects Visionline: from 1.0 before 1.33.

Microsoft Privilege Escalation
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.

Authentication Bypass Privilege Escalation Information Disclosure +2
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in StudioCMS versions prior to 0.4.0 enables authenticated Editor-level users to generate API tokens for arbitrary accounts, including administrative and owner roles, due to missing authorization validation on the /studiocms_api/dashboard/api-tokens endpoint. An attacker with basic editor privileges can exploit this to gain full administrative access without requiring the target account's credentials. No patch is currently available for affected installations.

Privilege Escalation Authentication Bypass Studiocms
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Incorrect default permissions in .NET allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]

Privilege Escalation Red Hat
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

following vulnerability in Fortinet FortiClientLinux 7.4.0 versions up to 7.4.4 contains a vulnerability that allows attackers to a local and unprivileged user to escalate their privileges to root (CVSS 7.8).

Fortinet Privilege Escalation Forticlient
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

A use of externally-controlled format string vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, Fort...

Fortinet Privilege Escalation
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Kubewarden's deprecated host-callback APIs in AdmissionPolicy can be exploited by authenticated users with policy creation permissions to gain unauthorized read access to cluster-level resources including Ingresses, Namespaces, and Services. An attacker with privileged AdmissionPolicy creation permissions—not a default privilege—could craft malicious policies to bypass intended access controls and enumerate sensitive cluster infrastructure, though this vulnerability is limited to read-only access without write capability or access to Secrets and ConfigMaps. The vulnerability affects Kubernetes deployments using Kubewarden and currently has no available patch.

Kubernetes Privilege Escalation Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

Improper file permission settings in multiple i-フィルター products allow local non-administrative users to create or overwrite critical files in system and backup directories. This vulnerability enables an attacker with local access to manipulate system integrity and potentially disrupt operations, though code execution is not directly possible. No patch is currently available for this vulnerability.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

SiYuan Note prior to version 3.5.10 contains an insufficient authorization flaw in the /api/block/appendHeadingChildren endpoint that allows authenticated users with read-only (RoleReader) privileges to modify notebook content by appending blocks to documents. The vulnerability exists because the endpoint applies only basic authentication checks instead of enforcing stricter administrative or read-only restrictions. Affected users should upgrade to version 3.5.10 or later, as no workaround is currently available and exploitation requires only network access and valid read-only credentials.

Privilege Escalation Authentication Bypass Siyuan +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Budibase suffers from missing server-side role validation in user management APIs, allowing Creator-level users to escalate privileges and perform unauthorized actions reserved for Tenant Admins and Owners. An authenticated attacker with Creator permissions can promote themselves to Tenant Admin, demote existing administrators, modify owner accounts, and manipulate organizational orders, resulting in complete tenant compromise. No patch is currently available for this high-severity vulnerability.

Privilege Escalation Authentication Bypass Budibase
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. [CVSS 7.5 HIGH]

Buffer Overflow Privilege Escalation Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has configured one. [CVSS 7.5 HIGH]

Privilege Escalation Microsoft Freebsd
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. [CVSS 8.8 HIGH]

Privilege Escalation Freebsd
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

A low‑privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo. [CVSS 7.8 HIGH]

SSH Privilege Escalation Universal Bacnet Router Firmware
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution with administrative privileges in Qsee Client 1.0.1 and earlier through insecure DLL loading in the installer. An attacker can exploit this by placing a malicious DLL in the same directory as the installer and tricking a user into executing it. No patch is currently available.

Privilege Escalation RCE Qsee Client
NVD VulDB
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, enabling authenticated attackers to inject identity headers and escalate privileges. This authentication bypass vulnerability affects deployments relying on Caddy for request forwarding and has public exploit code available. The vulnerability requires valid authentication credentials but allows complete privilege elevation within affected systems.

TLS Privilege Escalation Caddy +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

The Paid Videochat Turnkey Site - HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisper_register_form() function not restricting user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages with the registration form and administrator set as the role and subsequently use that form to register an a...

WordPress Privilege Escalation
NVD
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

OliveTin versions prior to 3000.11.1 contain an authentication bypass in RestartAction that allows authenticated users to execute shell commands beyond their assigned permissions. The vulnerability stems from improper request context handling that causes the system to fall back to guest user privileges, which may have broader access than the authenticated caller. Public exploit code exists for this medium-severity flaw that enables privilege escalation and unauthorized command execution.

Privilege Escalation Olivetin Suse
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated remote attackers can impersonate electric vehicle charging stations in Everon's api.everon.io platform via unprotected OCPP WebSocket endpoints. By connecting with a known or discovered station identifier, attackers gain full control to issue OCPP commands as legitimate chargers, manipulate charging session data, escalate privileges within the charging network infrastructure, and corrupt backend telemetry. CISA ICS-CERT reports this vulnerability affecting critical EV charging infrastructure. Despite 9.3 CVSS score indicating critical severity, EPSS score of 0.09% (25th percentile) suggests exploitation requires specialized knowledge of OCPP protocol and charging network architecture rather than mass automated scanning.

Privilege Escalation Authentication Bypass Api Everon Io
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

WebSocket auth bypass — same industrial platform family.

Privilege Escalation Authentication Bypass E Mobility
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 5.4 MEDIUM]

Privilege Escalation Gokapi Suse
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Acronis Cyber Protect and Cloud Agent on macOS before specific builds contain an insecure Unix socket permissions vulnerability that allows local authenticated users to escalate privileges and gain complete system control. An attacker with local access can exploit this misconfiguration to read sensitive data, modify system files, and execute arbitrary commands with elevated rights. No patch is currently available for this HIGH severity vulnerability.

Privilege Escalation Apple
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Improper symbolic link handling in Acronis Cyber Protect 17 for Windows (before build 41186) enables local attackers with limited privileges to escalate to system-level access through a race condition. An authenticated user can exploit this vulnerability to gain full control over the affected system, including reading sensitive data and modifying system configurations. No patch is currently available for this high-severity flaw.

Windows Privilege Escalation Cyber Protect
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Acronis Cyber Protect 17 for Windows before build 41186 allows local attackers with standard user privileges to escalate to system-level access through improper handling of symbolic links. An authenticated attacker can exploit this vulnerability to gain full control over the affected system, including the ability to read, modify, or delete sensitive data and execute arbitrary code. No patch is currently available for this vulnerability.

Windows Privilege Escalation Cyber Protect
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

Improper directory permissions in Acronis Cyber Protect 17 for Windows (before build 41186) allow local authenticated users to escalate privileges through a user-interaction-dependent attack vector. An attacker with local access could modify files or settings to gain elevated system permissions. No patch is currently available for this vulnerability.

Windows Privilege Escalation Cyber Protect
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Acronis Cyber Protect 17 for Windows before build 41186 is vulnerable to local privilege escalation through DLL hijacking, allowing authenticated attackers to escalate privileges on affected systems. An attacker with local access and low privileges can exploit this vulnerability to gain higher-level permissions without user interaction. No patch is currently available for this vulnerability.

Windows Privilege Escalation Cyber Protect
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Acronis Cyber Protect 17 before build 41186 on Windows is vulnerable to local privilege escalation through DLL hijacking, allowing authenticated users to gain elevated system privileges. An attacker with local access and low privileges can exploit this weakness to execute code with higher permissions. No patch is currently available for this issue.

Windows Privilege Escalation Cyber Protect
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated remote attackers can impersonate electric vehicle charging stations in ePower.ie by connecting to exposed OCPP WebSocket endpoints without credentials. Using any known or guessed charging station identifier, attackers gain full control to issue fraudulent charging commands, manipulate billing data, and corrupt network telemetry sent to backend systems. CISA ICS-CERT published an advisory (ICSA-26-062-07) indicating industrial control system exposure. EPSS score of 0.12% (31st percentile) suggests low automated exploitation probability despite 9.3 CVSS, though the authentication bypass affects critical electric vehicle charging infrastructure.

Privilege Escalation Authentication Bypass Epower Ie
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 41124. [CVSS 7.3 HIGH]

Privilege Escalation Agent Windows
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary command execution in OpenClaw prior to version 2026.2.14 stems from improper PATH validation during node-host execution and project bootstrapping, allowing authenticated attackers or those with local filesystem access to substitute malicious binaries for legitimate commands. An attacker can exploit this to bypass allowlisted command restrictions and achieve code execution with the privileges of the OpenClaw process. A patch is available for versions 2026.2.14 and later.

Privilege Escalation Openclaw
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

OpenClaw versions before 2026.2.14 allow unauthenticated attackers to execute privileged slash commands via direct message when the dmPolicy setting is configured to open, bypassing security controls like allowlists and access groups. This privilege escalation stems from improper authorization checks in the Slack slash-command handler that fails to validate direct message senders. A patch is available for affected users.

Privilege Escalation Openclaw
NVD GitHub
EPSS 0% CVSS 7.0
HIGH This Week

Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker with a victim's read-only API key and valid 2FA code to obtain a full-access API key with unrestricted permissions. This privilege escalation vulnerability affects users of the Hexpm package repository and enables unauthorized modification of packages and account settings. No patch is currently available.

Privilege Escalation Authentication Bypass Hexpm
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in D-Link DIR-1253 MESH V1.6.1684 via etc/shadow.sample.

D-Link Privilege Escalation
NVD GitHub
EPSS 0%
This Week

Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 ("af_unix: Don’t call skb_get() for OOB skb"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collector still calls kfree_skb() as if OOB SKBs held two references; on Ubuntu Linux 6.8 (Noble Numbat) kernel tree, they have only the queue reference, so the buffer is freed while still reachable and subsequent queue walks dereference freed memory, yielding a reliable local privile...

Linux Ubuntu Use After Free +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in Cognix Platform v3.0 permits authenticated users to bypass authorization controls and assume higher-privileged roles through specially crafted requests. This vulnerability affects all users with valid credentials and could allow attackers to gain unauthorized administrative access. No patch is currently available.

Privilege Escalation Cognix Platform
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Week

A stack buffer overflow vulnerability exists in the Wincor Nixdorf wnBios64.sys kernel driver (version 1.2.0.0) in the IOCTL handler for code 0x80102058. [CVSS 7.8 HIGH]

Linux Buffer Overflow Denial Of Service +2
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

CSRF Privilege Escalation Authentication Bypass +6
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Internet Security contains a vulnerability that allows attackers to deletion of protected files or directories and can lead to local privilege escal (CVSS 7.8).

Denial Of Service Privilege Escalation Internet Security
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Avira Internet Security's Software Updater fails to validate symbolic links when deleting files during updates, allowing a local attacker to redirect SYSTEM-level file deletion operations to arbitrary targets. An authenticated local user can exploit this improper link resolution to delete critical system files, potentially achieving privilege escalation, denial of service, or compromising system integrity. No patch is currently available.

Denial Of Service Privilege Escalation Internet Security
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Vulnerability of improper verification in the email application. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 7.1 HIGH]

Privilege Escalation Emui Harmonyos
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

Harmonyos versions up to 5.1.0 is affected by permissions, privileges, and access controls (CVSS 4.0).

Privilege Escalation Harmonyos
NVD
Prev Page 13 of 148 Next

Quick Facts

Typical Severity
HIGH
Category
auth
Total CVEs
13302

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy