Privilege Escalation

auth HIGH

Privilege escalation occurs when an attacker leverages flaws in access control mechanisms to gain permissions beyond what they were originally granted.

How It Works

Privilege escalation occurs when an attacker leverages flaws in access control mechanisms to gain permissions beyond what they were originally granted. The attack exploits the gap between what the system thinks a user can do and what they actually can do through manipulation or exploitation.

Vertical escalation is the classic form—a regular user obtaining administrator rights. This happens through kernel exploits that bypass OS-level security, misconfigurations in role-based access control (RBAC) that fail to enforce boundaries, or direct manipulation of authorization tokens and session data. Horizontal escalation involves accessing resources belonging to users at the same privilege level, typically through insecure direct object references (IDOR) where changing an ID in a request grants access to another user's data.

Context-dependent escalation exploits workflow logic by skipping authorization checkpoints. An attacker might access administrative URLs directly without going through proper authentication flows, manipulate parameters to bypass permission checks, or exploit REST API endpoints that don't validate method permissions—like a read-only GET permission that can be leveraged for write operations through protocol upgrades or alternative endpoints.

Impact

  • Full system compromise through kernel-level exploits granting root or SYSTEM privileges
  • Administrative control over applications, allowing configuration changes, user management, and deployment of malicious code
  • Lateral movement across cloud infrastructure, containers, or network segments using escalated service account permissions
  • Data exfiltration by accessing databases, file systems, or API endpoints restricted to higher privilege levels
  • Persistence establishment through creation of backdoor accounts or modification of system configurations

Real-World Examples

Kubernetes clusters have been compromised through kubelet API misconfigurations where read-only GET permissions on worker nodes could be escalated to remote code execution. Attackers upgraded HTTP connections to WebSockets to access the /exec endpoint, gaining shell access to all pods on the node. This affected over 69 Helm charts including widely-deployed monitoring tools like Prometheus, Grafana, and Datadog agents.

Windows Print Spooler vulnerabilities (PrintNightmare class) allowed authenticated users to execute arbitrary code with SYSTEM privileges by exploiting improper privilege checks in the print service. Attackers loaded malicious DLLs through carefully crafted print jobs, escalating from low-privilege user accounts to full domain administrator access.

Cloud metadata services have been exploited where SSRF vulnerabilities combined with over-permissioned IAM roles allowed attackers to retrieve temporary credentials with elevated permissions, pivoting from compromised web applications to broader cloud infrastructure access.

Mitigation

  • Enforce deny-by-default access control where permissions must be explicitly granted rather than implicitly allowed
  • Implement consistent authorization checks at every layer—API gateway, application logic, and data access—never relying on client-side or single-point validation
  • Apply principle of least privilege with time-limited, scope-restricted permissions and just-in-time access for administrative functions
  • Audit permission inheritance and role assignments regularly to identify overly permissive configurations or privilege creep
  • Separate execution contexts using containers, sandboxes, or capability-based security to limit blast radius
  • Deploy runtime monitoring for unusual privilege usage patterns and anomalous access to restricted resources
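The vertical, horizontal and method-level checks described under How It Works and Mitigation, as an added example that is not part of this page: a deny-by-default authorizer that maps the HTTP method to an action, requires an explicit grant for that action, and refuses access to objects the caller does not own, shown beside the classic IDOR shape that skips the ownership check. All names (`USERS`, `DOCS`, `authorize`, `authorizeWithoutOwnerCheck`) and the sample users and documents are constructed for the example.

```typescript
// Added example, not code from this page or any product it lists.
type Role = 'visitor' | 'editor' | 'admin';
type Action = 'read' | 'write' | 'delete';

interface User { id: string; role: Role; }
interface Doc { id: string; ownerId: string; }

// Constructed sample principals and objects.
const USERS: Record<string, User> = {
  u1: { id: 'u1', role: 'editor' },
  u2: { id: 'u2', role: 'editor' },
  a1: { id: 'a1', role: 'admin' },
};
const DOCS: Record<string, Doc> = {
  d1: { id: 'd1', ownerId: 'u1' },
  d2: { id: 'd2', ownerId: 'u2' },
};

// Deny-by-default: a role may only perform actions listed here.
const GRANTS: Record<Role, ReadonlySet<Action>> = {
  visitor: new Set<Action>(['read']),
  editor: new Set<Action>(['read', 'write']),
  admin: new Set<Action>(['read', 'write', 'delete']),
};

// Bind each HTTP method to one action so a read grant cannot be
// stretched into a write via a different verb; unknown verbs are denied.
const METHOD_ACTION: Record<string, Action | undefined> = {
  GET: 'read', HEAD: 'read', POST: 'write', PUT: 'write', PATCH: 'write', DELETE: 'delete',
};

interface AccessRequest { method: string; userId?: string; docId: string; }
type Decision = { allowed: true } | { allowed: false; reason: string };

// Hardened form: authentication, then vertical (role grant), then
// horizontal (object ownership) check, each failing closed.
function authorize(req: AccessRequest): Decision {
  const user = req.userId ? USERS[req.userId] : undefined;
  if (!user) return { allowed: false, reason: 'unauthenticated' };

  const action = METHOD_ACTION[req.method.toUpperCase()];
  if (!action) return { allowed: false, reason: `unsupported method ${req.method}` };

  const doc = DOCS[req.docId];
  // Same response for "missing" and "not yours" avoids leaking which ids exist.
  if (!doc) return { allowed: false, reason: 'not found' };

  if (!GRANTS[user.role].has(action)) {
    return { allowed: false, reason: `role ${user.role} lacks ${action}` };
  }
  if (user.role !== 'admin' && doc.ownerId !== user.id) {
    return { allowed: false, reason: 'not found' };
  }
  return { allowed: true };
}

// The IDOR shape for comparison: authenticates the caller but never asks who
// owns the object, so changing docId in the request reaches another user's data.
function authorizeWithoutOwnerCheck(req: AccessRequest): Decision {
  const user = req.userId ? USERS[req.userId] : undefined;
  if (!user) return { allowed: false, reason: 'unauthenticated' };
  return DOCS[req.docId] ? { allowed: true } : { allowed: false, reason: 'not found' };
}

// Constructed requests: the second is u1 reading u2's document.
console.log(authorize({ method: 'GET', userId: 'u1', docId: 'd1' }));
console.log(authorize({ method: 'GET', userId: 'u1', docId: 'd2' }));
console.log(authorizeWithoutOwnerCheck({ method: 'GET', userId: 'u1', docId: 'd2' }));
```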

Recent CVEs (2402)

CVE-2026-33297
EPSS 0% CVSS 9.1
CRITICAL Act Now

The CustomizeUser plugin in PHP and Python allows attackers to bypass channel-level access control by exploiting improper password validation in the setPassword.json.php endpoint. An administrator-level attacker can set any user's channel password to zero due to type coercion of non-numeric characters, enabling trivial authentication bypass for any visitor. No patch is currently available for this critical vulnerability.

PHP Authentication Bypass Privilege Escalation +1
NVD GitHub
CVE-2026-27953
EPSS 0% CVSS 7.1
HIGH PATCH This Week

A critical validation bypass vulnerability in the ormar Python ORM library allows attackers to completely skip all Pydantic field validation by injecting a special '__pk_only__' parameter in JSON request bodies. This affects all applications using ormar's canonical FastAPI integration pattern (where ormar models are used directly as request body parameters), enabling attackers to persist invalid data, bypass security constraints, and potentially escalate privileges. A working proof-of-concept demonstrates the vulnerability is trivially exploitable, and with a CVSS score of 7.1, it poses significant risk to affected applications.

Privilege Escalation Python Deserialization +1
NVD GitHub VulDB
CVE-2026-22558
EPSS 0% CVSS 7.7
HIGH This Week

UniFi Network Application allows authenticated attackers to escalate privileges via NoSQL injection with high confidentiality impact. The vulnerability enables network-accessible attackers holding low-privilege credentials to exploit database queries and access sensitive information belonging to higher-privileged users or contexts. With an EPSS score of 0.03% (7th percentile) and no public exploit identified at time of analysis, real-world exploitation probability is currently assessed as low despite the 7.7 CVSS severity rating.

Ubiquiti Nosql Injection Privilege Escalation
NVD VulDB
CVE-2026-33237
EPSS 0% CVSS 5.5
MEDIUM This Month

The AVideo Scheduler plugin fails to validate callback URLs against Server-Side Request Forgery (SSRF) protections, allowing authenticated administrators to configure scheduled tasks that make HTTP requests to internal networks, cloud metadata services, and private IP ranges. An attacker with admin access can retrieve AWS/GCP/Azure instance metadata credentials (including IAM role tokens) or probe internal APIs not exposed to the internet. A proof-of-concept exists demonstrating credential extraction from AWS metadata endpoints at 169.254.169.254.

SSRF PHP Privilege Escalation +1
NVD GitHub VulDB
CVE-2026-2571
EPSS 0% CVSS 4.3
MEDIUM This Month

The Download Manager plugin for WordPress contains a missing capability check in the 'reviewUserStatus' function that allows authenticated subscribers and above to access sensitive user information without proper authorization. Affected versions include all releases up to and including 3.3.49, enabling attackers with minimal privileges to retrieve email addresses, display names, and registration dates for any user on the site. While the CVSS score of 4.3 is moderate and the vulnerability requires authentication, the ease of exploitation and the breadth of exposed personal data present a meaningful information disclosure risk for WordPress installations using this plugin.

WordPress PHP Information Disclosure +2
NVD VulDB
CVE-2026-27542
EPSS 0% CVSS 9.8
CRITICAL Act Now

An incorrect privilege assignment vulnerability exists in the WooCommerce Wholesale Lead Capture plugin for WordPress, allowing unauthenticated attackers to escalate privileges on affected sites. All versions through 2.0.3.1 of the plugin developed by Rymera Web Co Pty Ltd. are vulnerable. With a CVSS score of 9.8 (Critical) and network-based exploitation requiring no privileges or user interaction, this represents a severe security risk for WordPress sites using this plugin.

WordPress Privilege Escalation Woocommerce Wholesale Lead Capture
NVD VulDB
CVE-2025-67112
EPSS 0% CVSS 9.8
CRITICAL Act Now

Use of a hard-coded AES-256-CBC key in the configuration backup/restore implementation of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote authenticated users to decrypt, modify, and re-encrypt...

Privilege Escalation
NVD VulDB
CVE-2026-33211
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

The Tekton Pipelines git resolver contains a path traversal vulnerability allowing authenticated tenants to read arbitrary files from the resolver pod's filesystem via the pathInRepo parameter. Affected products include github.com/tektoncd/pipeline versions 1.0.0 through 1.10.0 across multiple release branches. The vulnerability enables credential exfiltration and privilege escalation from namespace-scoped access to cluster-wide secret reading capabilities. A proof-of-concept was provided by the vulnerability reporter Oleh Konko.

Path Traversal Privilege Escalation Kubernetes
NVD GitHub VulDB
CVE-2026-23268
EPSS 0% CVSS 7.8
HIGH PATCH This Week

This vulnerability in the Linux kernel's AppArmor security module allows an unprivileged local user to perform privileged policy management operations through a confused deputy attack. An attacker can load, replace, and remove AppArmor security profiles by passing an opened file descriptor to a privileged process and manipulating it into writing to the AppArmor policy management interface, bypassing normal access controls. This enables complete circumvention of AppArmor confinement, denial of service attacks, bypass of unprivileged user namespace restrictions, and potential kernel exploitation for local privilege escalation. The vulnerability is not currently listed in the CISA KEV catalog and no CVSS score or EPSS data is available, but the technical severity is high given the policy management implications and the involvement of privilege escalation vectors.

Privilege Escalation Linux Redhat +1
NVD VulDB
CVE-2025-71270
EPSS 0%
PATCH Monitor

This vulnerability is a missing exception fixup handler in the LoongArch architecture's BPF JIT compiler that fails to properly recover from memory access exceptions (ADEM) triggered by BPF_PROBE_MEM* instructions. The Linux kernel on LoongArch systems (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) is affected, potentially allowing information disclosure or denial of service when BPF programs attempt to safely probe memory locations. This is not actively exploited (no KEV status), but patches are available across multiple stable kernel branches.

Linux Memory Corruption Privilege Escalation +2
NVD VulDB
CVE-2026-24063
EPSS 0% CVSS 8.2
HIGH This Week

Arturia Software Center on macOS installs plugin uninstall scripts with world-writable permissions (777) in root-owned directories, allowing local attackers to modify these scripts and achieve privilege escalation when the Privileged Helper executes them during plugin removal. This vulnerability affects any macOS user with the Arturia Software Center installed and requires local access and user interaction to exploit. No patch is currently available.

Privilege Escalation Apple Software Center +1
NVD VulDB
CVE-2026-2992
EPSS 0% CVSS 8.2
HIGH This Week

The KiviCare clinic management plugin for WordPress contains a critical privilege escalation vulnerability allowing unauthenticated attackers to create new clinics and administrative users through an unprotected REST API endpoint. All versions up to and including 4.1.2 are affected. With a CVSS score of 8.2 and network-based exploitation requiring no authentication, this represents a significant risk to healthcare data confidentiality and system integrity, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.

WordPress Privilege Escalation Authentication Bypass
NVD VulDB
CVE-2026-24062
EPSS 0% CVSS 7.8
HIGH This Week

The Arturia Software Center on macOS contains insufficient code signature validation in its Privileged Helper component, allowing unauthenticated clients to connect and execute privileged actions without proper authorization. This vulnerability affects all versions of Arturia Software Center and enables local privilege escalation attacks where an unprivileged user can escalate to root or system-level privileges. While no CVSS score or EPSS data is publicly available, the authentication bypass nature and privilege escalation impact classify this as a high-severity issue; no KEV listing or public proof-of-concept has been confirmed at this time.

Privilege Escalation Apple Authentication Bypass +2
NVD VulDB
CVE-2025-31703
EPSS 0% CVSS 2.4
LOW Monitor

This vulnerability in Dahua NVR/XVR devices allows unauthenticated privilege escalation through the serial port console by bypassing shell authentication mechanisms. Affected devices include Dahua NVR2-4KS3, XVR4232AN-I/T, and XVR1B16H-I/T models with build dates prior to March 3, 2026. An attacker with physical access to the device can gain a restricted shell and escalate privileges to access sensitive system functions, though the CVSS 2.4 score reflects the requirement for physical proximity and lack of data availability impact.

Dahua Privilege Escalation Authentication Bypass
NVD VulDB
CVE-2025-55041
EPSS 0% CVSS 8.0
HIGH This Week

MuraCMS through version 10.1.10 contains a Cross-Site Request Forgery (CSRF) vulnerability in the user management Add To Group functionality that allows attackers to escalate privileges by adding authenticated users to arbitrary groups without proper authorization validation. An authenticated administrator visiting a malicious webpage can be tricked into adding any user to the Admin group or other privileged groups, though escalation to the Super Admin (s2) group is blocked. This vulnerability enables both horizontal privilege escalation across different user groups and vertical privilege escalation to administrative roles, posing a significant risk to multi-user MuraCMS installations where administrator accounts are targeted.

Privilege Escalation CSRF
NVD VulDB
CVE-2026-25770
EPSS 0% CVSS 9.1
CRITICAL Act Now

Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauthenticated root code execution by exploiting insecure file permissions in the cluster synchronization protocol. An attacker with cluster node access can overwrite the manager's configuration file to inject malicious commands that are subsequently executed with root privileges by the logcollector service. This vulnerability affects multi-node Wazuh deployments and has no available patch.

RCE Privilege Escalation Path Traversal +1
NVD GitHub VulDB
CVE-2026-3888
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in snapd on multiple Ubuntu versions allows authenticated local attackers to obtain root access by exploiting a race condition between snap's temporary directory creation and systemd-tmpfiles cleanup operations. An attacker with local access can manipulate the /tmp directory to escalate privileges when snapd attempts to recreate its private snap directories. This vulnerability affects Ubuntu 16.04 LTS through 24.04 LTS with no patch currently available.

Ubuntu Privilege Escalation Ubuntu 20.04 Lts +4
NVD VulDB
CVE-2026-32813
EPSS 0% CVSS 8.0
HIGH PATCH This Week

A second-order SQL injection vulnerability exists in Admidio's MyList configuration feature, allowing authenticated users to inject arbitrary SQL commands through list column configurations that are safely stored but unsafely read back. The vulnerability enables attackers to read sensitive data including password hashes, modify database contents, or achieve full database compromise. A detailed proof-of-concept is available demonstrating exploitation requiring only standard user privileges.

CSRF SQLi PHP +1
NVD GitHub VulDB
CVE-2026-32760
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unauthenticated attackers can register administrator accounts in Docker when self-registration is enabled and default user permissions include admin privileges, as the signup handler fails to strip admin permissions from self-registered accounts. Public exploit code exists for this vulnerability. No patch is currently available.

Privilege Escalation Docker
NVD GitHub VulDB
CVE-2026-32608
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Glances monitoring system allows local attackers with limited privileges to execute arbitrary commands by injecting shell metacharacters into process or container names, which bypass command sanitization in the action execution handler. The vulnerability affects the threshold alert system that dynamically executes administrator-configured shell commands populated with runtime monitoring data. An attacker controlling a process name or container name can manipulate command parsing to break out of intended command boundaries and inject malicious commands.

Privilege Escalation Nginx Python +2
NVD GitHub VulDB
CVE-2026-4194
EPSS 0% CVSS 7.3
HIGH This Week

Improper access controls in D-Link NAS devices (DNS-120, DNS-323, DNS-345, DNS-1200-05, and others through firmware version 20260205) allow unauthenticated remote attackers to manipulate the cgi_set_wto function in /cgi-bin/system_mgr.cgi, potentially gaining unauthorized access or modifying system settings. Public exploit code exists for this vulnerability, and no patch is currently available.

D-Link Dns Privilege Escalation +1
NVD GitHub VulDB
CVE-2025-15554
EPSS 0% CVSS 6.0
MEDIUM This Month

LAPSWebUI before version 2.4 by Truesec improperly caches LAPS (Local Administrator Password Solution) passwords in browser storage, allowing a local attacker with user-level access to retrieve plaintext or weakly protected admin credentials from the browser cache. An attacker who gains access to a workstation where an administrator has used LAPSWebUI can escalate privileges to local administrator by exploiting this caching behavior. While the CVSS score is moderate at 6.0, the practical impact is high because successful exploitation directly enables privilege escalation to administrative access.

Privilege Escalation
NVD
CVE-2025-15553
EPSS 0% CVSS 6.0
MEDIUM This Month

LAPSWebUI before version 2.4 contains a non-functional logout mechanism that allows an authenticated local attacker to obtain elevated privileges through disclosure of cached local administrator passwords. An attacker with existing workstation access and low privileges can exploit this flaw to escalate to local admin by recovering credentials that should have been cleared upon session termination. The vulnerability carries a CVSS v4.0 score of 6.0 (Medium) with local attack vector and requires prior login plus user interaction, though the confidentiality impact on sensitive credentials is marked as high.

Privilege Escalation Lapswebui
NVD
CVE-2025-15552
EPSS 0% CVSS 6.0
MEDIUM This Month

Insufficient Session Expiration in Truesec's LAPSWebUI before version 2.4 allows local attackers with user-level privileges to obtain local administrator passwords through inadequate session management controls. An attacker with physical or logical access to a workstation can exploit this vulnerability to escalate privileges and disclose sensitive credentials, potentially compromising domain administration. This vulnerability represents a practical privilege escalation risk in environments relying on LAPS (Local Administrator Password Solution) for credential management.

Privilege Escalation Information Disclosure Lapswebui
NVD
CVE-2026-3024
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento', allowing authenticated users with low privileges to inject malicious scripts that persist in the application and execute in the browsers of other users, potentially enabling unauthorized data access and privilege escalation across the veterinary team. The vulnerability has a CVSS v4.0 base score of 4.8 (low-to-medium severity) but poses meaningful organizational risk due to its stored nature and the ability for low-privileged users to affect higher-privileged team members. No public exploit code or active exploitation in the wild has been reported at this time, though the attack requires only Network access and user interaction, making it feasible for insider threats.

XSS Privilege Escalation Information Disclosure +1
NVD VulDB
CVE-2025-69783
EPSS 0% CVSS 7.8
HIGH This Week

A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe).

Privilege Escalation
NVD GitHub VulDB
CVE-2017-20218
EPSS 0% CVSS 7.8
HIGH POC This Week

Serviio PRO 1.8 and earlier versions contain an unquoted service path vulnerability combined with insecure directory permissions that allows local authenticated users to escalate privileges to SYSTEM level. A public exploit is available, making this vulnerability easily exploitable by any authenticated user on the system. With a CVSS score of 7.8 and multiple proof-of-concept exploits published, this represents a significant risk for organizations running affected versions.

Privilege Escalation RCE Microsoft +2
NVD Exploit-DB
CVE-2016-20034
EPSS 0% CVSS 8.8
HIGH POC This Week

A privilege escalation vulnerability in Wowza Streaming Engine 4.5.0 allows authenticated read-only users to elevate their privileges to administrator level by manipulating POST parameters (accessLevel='admin', advUser='true'/'on') sent to the user edit endpoint. A public exploit is available on exploit-db, though the vulnerability has not been added to CISA's KEV catalog, suggesting limited real-world exploitation despite the high CVSS score of 8.8.

Privilege Escalation CSRF Wowza Streaming Engine
NVD Exploit-DB VulDB
CVE-2016-20033
EPSS 0% CVSS 7.8
HIGH POC This Week

Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability where authenticated users can gain SYSTEM-level access by replacing service executables due to overly permissive file permissions that grant the Everyone group full control. A public proof-of-concept exploit is available, making this vulnerability easily exploitable by any authenticated local user to completely compromise the system.

Privilege Escalation Authentication Bypass Wowza Streaming Engine
NVD Exploit-DB VulDB
CVE-2016-20029
EPSS 0% CVSS 6.2
MEDIUM POC This Month

ZKTeco ZKBioSecurity 3.0 contains a local file path manipulation vulnerability (CWE-276) that allows unauthenticated attackers to bypass access controls and read arbitrary files including configuration files, source code, and application resources. A publicly available proof-of-concept exists, and the vulnerability has moderate real-world risk due to its local attack vector requirement but high confidentiality impact on sensitive biometric system data.

Privilege Escalation Zkteco Zkbiosecurity
NVD Exploit-DB VulDB
CVE-2016-20025
EPSS 0% CVSS 8.8
HIGH POC This Week

Privilege escalation vulnerability in ZKTeco ZKAccess Professional 3.5.3 (Build 0005) where authenticated users can modify executable files due to insecure permissions, allowing them to replace binaries with malicious code and gain elevated privileges. Multiple public exploits are available (exploit-db, PacketStorm) making this a high-risk vulnerability for organizations using this access control software, despite no current KEV listing or EPSS data.

Privilege Escalation Path Traversal Information Disclosure +1
NVD Exploit-DB VulDB
CVE-2016-20024
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Critical insecure file permissions vulnerability in ZKTeco ZKTime.Net 3.0.1.6 that allows unprivileged local users to gain elevated privileges by replacing executable files in the world-writable application directory. Multiple public proof-of-concept exploits are available on Exploit-DB and PacketStorm, making this vulnerability easily exploitable despite requiring local access. While not listed in CISA KEV and lacking current EPSS data, the availability of working exploits and the simplicity of the attack make this a significant risk for organizations using this time and attendance software.

Privilege Escalation Zkteco Zktime.Net
NVD Exploit-DB VulDB
CVE-2026-30961
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

A validation bypass in the chunked file upload completion logic for file requests allows attackers to circumvent per-request file size limits by splitting oversized files into smaller chunks that individually pass validation. Attackers with access to a public file request link can sequentially upload chunks to exceed the administrator-configured MaxSize limit, uploading files up to the server's global MaxFileSizeMB threshold. This enables unauthorized storage consumption and potential service disruption through storage exhaustion, though no data exposure or privilege escalation occurs; the vulnerability carries a CVSS score of 4.3 with EPSS and KEV status not currently indicated as critical, suggesting limited real-world exploitation pressure despite straightforward attack mechanics.

Information Disclosure Privilege Escalation
NVD GitHub VulDB
CVE-2026-3999
EPSS 0% CVSS 8.8
HIGH This Week

A broken access control vulnerability in JetBrains Datalore allows authenticated users to escalate privileges horizontally, accessing resources of other users at the same permission level. The vulnerability affects Datalore versions prior to 2026.1 but only impacts specific configurations. With a CVSS score of 8.8 and high EPSS score of 0.36942, this represents a significant risk, though no active exploitation or proof-of-concept code has been reported publicly.

Privilege Escalation Id Server
NVD VulDB
CVE-2025-57849
EPSS 0% CVSS 6.4
MEDIUM This Month

Medium severity vulnerability in systemd. A container privilege escalation flaw was found in certain Fuse images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the a...

Privilege Escalation Red Hat Fuse 7 Redhat
NVD VulDB
CVE-2025-8766
EPSS 0% CVSS 6.4
MEDIUM This Month

Medium severity vulnerability in systemd. A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd f...

Privilege Escalation Red Hat Openshift Data Foundation 4 Redhat
NVD VulDB
CVE-2026-21672
EPSS 0% CVSS 8.8
HIGH This Week

Local privilege escalation in Veeam Backup & Replication on Windows enables authenticated users to gain system-level access without user interaction. An attacker with local account credentials can exploit this vulnerability to achieve complete control over the backup infrastructure, including reading, modifying, or deleting backups. No patch is currently available for this high-severity issue affecting backup administrators and organizations relying on Veeam for data protection.

Privilege Escalation Windows
NVD VulDB
CVE-2026-1878
EPSS 0%
Monitor

An Insufficient Integrity Verification vulnerability in the ASUS ROG peripheral driver installation process allows privilege escalation to SYSTEM. The vulnerability is due to improper access control on the installation directory, which enables the exploitation of a race condition where the legitimate installer is substituted with an unexpected payload immediately after download, resulting in arbitrary code execution. Refer to the "Security Update for ASUS ROG peripheral driver" section on the...

Privilege Escalation
NVD VulDB
CVE-2026-32106
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

The REST API `createUser` endpoint uses string-based rank checks that only block creating `owner` accounts, while the Dashboard API uses `indexOf`-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence.

The REST API handler in `packages/studiocms/frontend/pages/studiocms_api/_handlers/rest-api/v1/secure.ts:1365-1378`:

```typescript
// REST API - only blocks creating 'owner'
if (newUserRank === 'owner' && rank !== 'owner') {
  return yield* new RestAPIError({
    error: 'Unauthorized to create user with owner rank',
  });
}
if (rank === 'admin' && newUserRank === 'owner') {
  return yield* new RestAPIError({
    error: 'Unauthorized to create user with owner rank',
  });
}
// Missing: no check preventing admin from creating admin
// newUserRank='admin' passes all checks
```

The Dashboard API handler in `_handlers/dashboard/create.ts` uses the correct approach:

```typescript
// Dashboard API - blocks creating users at or above own rank
const callerPerm = availablePermissionRanks.indexOf(userData.permissionLevel);
const targetPerm = availablePermissionRanks.indexOf(rank);
if (targetPerm >= callerPerm) {
  return yield* new DashboardAPIError({
    error: 'Unauthorized: insufficient permissions to assign target rank',
  });
}
```

With `availablePermissionRanks = ['unknown', 'visitor', 'editor', 'admin', 'owner']`:

  • Admin (index 3) creating admin (index 3): `3 >= 3` = blocked in Dashboard
  • In REST API: no such check - allowed

```bash
curl -X POST 'http://localhost:4321/studiocms_api/rest/v1/secure/users' \
  -H 'Authorization: Bearer <admin-api-token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "username": "rogue_admin",
    "email": "[email protected]",
    "displayname": "Rogue Admin",
    "rank": "admin",
    "password": "StrongP@ssw0rd123"
  }'
```

  • A compromised or rogue admin can create additional admin accounts as persistence mechanisms that survive password resets or token revocations
  • Inconsistent security model between Dashboard API and REST API creates confusion about intended authorization boundaries
  • Note: requires admin access (PR:H), which limits practical severity

Replace string-based checks with `indexOf` comparison in `packages/studiocms/frontend/pages/studiocms_api/_handlers/rest-api/v1/secure.ts`:

```typescript
// Before:
if (newUserRank === 'owner' && rank !== 'owner') { ... }
if (rank === 'admin' && newUserRank === 'owner') { ... }

// After:
const availablePermissionRanks = ['unknown', 'visitor', 'editor', 'admin', 'owner'];
const callerPerm = availablePermissionRanks.indexOf(rank);
const targetPerm = availablePermissionRanks.indexOf(newUserRank);
if (targetPerm >= callerPerm) {
  return yield* new RestAPIError({
    error: 'Unauthorized: insufficient permissions to assign target rank',
  });
}
```
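Added example, not StudioCMS code: the two rank checks from the entry above reduced to plain functions so every caller/target pair on which they disagree can be enumerated, plus a hardened variant with one extra caveat the `indexOf` form alone does not cover: a rank string missing from the list gives index -1, which compares below every real rank and therefore passes the `targetPerm >= callerPerm` test. Function names (`restApiAllowsCreate`, `dashboardAllowsCreate`, `hardenedAllowsCreate`, `disagreements`) are assumptions.

```typescript
// Added example; mirrors the advisory's two handlers, not the project's code.
const availablePermissionRanks: readonly string[] = ['unknown', 'visitor', 'editor', 'admin', 'owner'];

// Vulnerable REST-API shape: string comparisons that only fence off 'owner'.
// Returns true when the caller may create a user with newUserRank.
function restApiAllowsCreate(callerRank: string, newUserRank: string): boolean {
  if (newUserRank === 'owner' && callerRank !== 'owner') return false;
  if (callerRank === 'admin' && newUserRank === 'owner') return false;
  return true; // admin -> admin falls through here
}

// Dashboard-API shape: ordinal comparison, target must sit strictly below caller.
function dashboardAllowsCreate(callerRank: string, newUserRank: string): boolean {
  const callerPerm = availablePermissionRanks.indexOf(callerRank);
  const targetPerm = availablePermissionRanks.indexOf(newUserRank);
  return !(targetPerm >= callerPerm);
}

// Hardened: same ordinal rule, but an unrecognised rank on either side is a
// denial rather than index -1 (which would be "below" every real rank).
function hardenedAllowsCreate(callerRank: string, newUserRank: string): boolean {
  const callerPerm = availablePermissionRanks.indexOf(callerRank);
  const targetPerm = availablePermissionRanks.indexOf(newUserRank);
  if (callerPerm < 0 || targetPerm < 0) return false;
  return targetPerm < callerPerm;
}

// Every pair where the REST and Dashboard decisions differ, as "caller->target".
function disagreements(): string[] {
  const out: string[] = [];
  for (const caller of availablePermissionRanks) {
    for (const target of availablePermissionRanks) {
      if (restApiAllowsCreate(caller, target) !== dashboardAllowsCreate(caller, target)) {
        out.push(`${caller}->${target}`);
      }
    }
  }
  return out;
}

console.log('admin->admin via REST:', restApiAllowsCreate('admin', 'admin'));
console.log('admin->admin via Dashboard:', dashboardAllowsCreate('admin', 'admin'));
console.log('disagreements:', disagreements());
console.log('unknown rank via Dashboard rule:', dashboardAllowsCreate('admin', 'bogus'));
console.log('unknown rank via hardened rule:', hardenedAllowsCreate('admin', 'bogus'));
```

Whether the real Dashboard handler validates the rank string elsewhere before this comparison is not stated in the entry; the hardened function simply makes the comparison itself fail closed.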

Privilege Escalation Studiocms
NVD GitHub VulDB
CVE-2026-2640
EPSS 0% CVSS 5.5
MEDIUM This Month

Lenovo PC Manager permits local authenticated users to terminate privileged processes due to improper privilege management, potentially disrupting system operations or enabling denial of service. An attacker with valid credentials could leverage this vulnerability to halt critical processes without administrative approval. No patch is currently available to address this issue.

Privilege Escalation
NVD VulDB
CVE-2026-31979
EPSS 0% CVSS 8.8
HIGH This Week

Local privilege escalation in Himmelblau prior to versions 3.1.0 and 2.3.8 allows authenticated local users to exploit insecure Kerberos cache file handling in the root-running himmelblaud-tasks daemon through symlink attacks. The vulnerability stems from the removal of PrivateTmp protections, exposing /tmp operations to symlink-based file overwrite and ownership manipulation attacks. An attacker with local access can leverage this flaw to achieve arbitrary file modification and full system compromise.

Privilege Escalation Microsoft Himmelblau
NVD GitHub VulDB
CVE-2026-24510
EPSS 0% CVSS 6.7
MEDIUM This Month

Dell Alienware Command Center versions before 6.12.24.0 suffer from improper privilege management that allows local attackers with low privileges to escalate their access on affected systems. An attacker with physical or local system access combined with user interaction could gain elevated privileges, potentially compromising system integrity and confidentiality. No patch is currently available for this vulnerability.

Privilege Escalation Dell
NVD VulDB
CVE-2026-31852
EPSS 0% CVSS 10.0
CRITICAL Act Now

Arbitrary code execution in Jellyfin iOS GitHub Actions workflow. CVSS 10.0.

Privilege Escalation RCE Apple +1
NVD GitHub VulDB
CVE-2025-68623
EPSS 0% CVSS 8.8
HIGH This Week

In Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, a low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privileges. [CVSS 8.8 HIGH]

Microsoft Privilege Escalation
NVD VulDB
CVE-2025-12690
EPSS 0%
This Week

Execution with unnecessary privileges in Forcepoint NGFW Engine allows local privilege escalation. This issue affects NGFW Engine versions up to 6.10.19.

Privilege Escalation
NVD VulDB
CVE-2026-30903
EPSS 0% CVSS 9.6
CRITICAL Act Now

File path control in Zoom Workplace for Windows Mail feature before 6.6.0.

Windows Zoom Privilege Escalation
NVD VulDB
CVE-2026-30902
EPSS 0% CVSS 7.8
HIGH This Week

Zoom Client for Windows contains a privilege escalation vulnerability that allows authenticated local users to gain elevated system privileges through improper access controls. An attacker with valid credentials can exploit this weakness to execute arbitrary code or access sensitive system resources without administrative approval. No patch is currently available for this issue.

Windows Zoom Privilege Escalation
NVD VulDB
CVE-2026-30901
EPSS 0% CVSS 7.0
HIGH This Week

Zoom Room versions up to 6.6.5 are affected by improper input validation (CVSS 7.0).

Windows Zoom Privilege Escalation
NVD VulDB
CVE-2026-30900
EPSS 0% CVSS 7.8
HIGH This Week

Zoom's Windows client fails to properly validate minimum version requirements during updates, enabling authenticated local users to escalate their privileges on affected systems. An attacker with local access and valid credentials could exploit this validation bypass to gain elevated permissions. No patch is currently available for this vulnerability.

Windows Zoom Privilege Escalation
NVD VulDB
CVE-2025-20105
EPSS 0%
Monitor

Improper input validation in some UEFI firmware SMM module for the Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable local code execution.

Privilege Escalation
NVD VulDB
CVE-2025-20096
EPSS 0%
Monitor

Improper input validation in the UEFI firmware for some Intel Reference Platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable data manipulation.

Privilege Escalation
NVD VulDB
CVE-2025-20068
EPSS 0%
Monitor

Improper input validation in the UEFI ImcErrorHandler module for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege.

Privilege Escalation
NVD VulDB
CVE-2025-20064
EPSS 0%
Monitor

Improper input validation in the UEFI FlashUcAcmSmm module for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable local code execution.

Privilege Escalation
NVD VulDB
CVE-2025-20028
EPSS 0%
Monitor

Time-of-check time-of-use race condition in the WheaERST SMM module for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege.

Privilege Escalation Race Condition
NVD VulDB
CVE-2025-20027
EPSS 0%
Monitor

Improper input validation in the UEFI WheaERST module for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege.

Privilege Escalation
NVD VulDB
CVE-2025-20005
EPSS 0%
This Week

Improper buffer restrictions in some UEFI firmware for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable data manipulation.

Privilege Escalation
NVD VulDB
CVE-2026-31834
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in Umbraco CMS versions 15.3.1 through 16.5.0 and 17.x before 17.2.2 allows authenticated backoffice users with user management permissions to assign themselves elevated privileges by bypassing authorization checks on role assignments. An attacker with these permissions could gain administrative access to the CMS without proper privilege validation. No patch is currently available for affected installations.

Privilege Escalation Umbraco Cms
NVD GitHub VulDB
CVE-2026-31828
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Parse Server's LDAP authentication adapter fails to properly sanitize user input in Distinguished Names and group filters, allowing authenticated attackers to inject LDAP commands and bypass group-based access controls. This vulnerability enables privilege escalation for any valid LDAP user to gain membership in restricted groups, affecting deployments that rely on LDAP group policies for authorization. Patches are available in versions 9.5.2-alpha.13 and 8.6.26.

Node.js Dns Ldap +2
NVD GitHub VulDB
CVE-2026-0124
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Android results from an out-of-bounds write vulnerability caused by insufficient bounds validation. A local attacker with limited privileges can exploit this flaw without user interaction to gain elevated system permissions. No patch is currently available.

Privilege Escalation Android Google
NVD VulDB
CVE-2026-0123
EPSS 0% CVSS 8.4
HIGH This Week

Uncontrolled buffer writes in Android's EfwApTransport component allow local attackers to achieve privilege escalation without requiring user interaction or special permissions. The vulnerability stems from insufficient bounds checking in the ProcessRxRing function, enabling an attacker with local access to corrupt kernel memory and gain elevated privileges.

Privilege Escalation Android Google
NVD VulDB
CVE-2026-0119
EPSS 0% CVSS 6.8
MEDIUM This Month

An out-of-bounds write vulnerability in Android's USIM registration component allows an attacker with physical access to escalate privileges without requiring additional permissions or user interaction. The memory corruption flaw in usim_SendMCCMNCIndMsg could enable complete compromise of affected devices. No patch is currently available for this vulnerability.

Memory Corruption Privilege Escalation Android +1
NVD VulDB
CVE-2026-0118
EPSS 0% CVSS 8.4
HIGH This Week

Oobconfig on Android contains a logic error that allows local attackers to circumvent carrier restrictions and escalate privileges without requiring additional execution capabilities or user interaction. This vulnerability enables unauthorized privilege elevation on affected devices through a straightforward exploitation path. No patch is currently available to remediate this issue.

Privilege Escalation Android Google
NVD VulDB
CVE-2026-0117
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in Android's Media Framework Codec (MFC) decoder results from an out-of-bounds write vulnerability in the mfc_dec_dqbuf function due to inadequate bounds validation. An attacker with local access can exploit this defect without special privileges or user interaction to gain elevated system permissions. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD VulDB
CVE-2026-0113
EPSS 0% CVSS 9.8
CRITICAL Act Now

Modem has a third OOB write in cell broadcast utilities.

Privilege Escalation Android Google
NVD VulDB
CVE-2026-0112
EPSS 0% CVSS 7.4
HIGH This Week

Local privilege escalation on Android devices occurs through a race condition in the VPU driver's instance opening function, allowing attackers to trigger a use-after-free condition without requiring special privileges or user interaction. An unprivileged local attacker can exploit this vulnerability to gain elevated system privileges. No patch is currently available for this vulnerability.

Use After Free Privilege Escalation Race Condition +2
NVD VulDB
CVE-2026-0111
EPSS 0% CVSS 9.8
CRITICAL Act Now

Modem OOB write in cell broadcast utilities enabling privilege escalation.

Privilege Escalation Android Google
NVD VulDB
CVE-2026-0110
EPSS 0% CVSS 9.8
CRITICAL Act Now

Samsung/Qualcomm modem has an out-of-bounds write in NR SM message handling enabling privilege escalation through crafted cellular signaling.

Memory Corruption Privilege Escalation Android +1
NVD VulDB
CVE-2026-0107
EPSS 0% CVSS 8.4
HIGH This Week

Android versions up to - contain a vulnerability that allows attackers local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD VulDB
CVE-2025-36920
EPSS 0% CVSS 8.4
HIGH This Week

In hyp_alloc of arch/arm64/kvm/hyp/nvhe/alloc.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD VulDB
CVE-2025-48611
EPSS 0% CVSS 10.0
CRITICAL Act Now

Android DeviceId component has a CVSS 10.0 out-of-bounds write in persistence handling enabling device compromise.

Privilege Escalation Buffer Overflow
NVD VulDB
CVE-2026-30956
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.

Authentication Bypass Privilege Escalation Information Disclosure +2
NVD GitHub VulDB
CVE-2026-30944
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in StudioCMS versions prior to 0.4.0 enables authenticated Editor-level users to generate API tokens for arbitrary accounts, including administrative and owner roles, due to missing authorization validation on the /studiocms_api/dashboard/api-tokens endpoint. An attacker with basic editor privileges can exploit this to gain full administrative access without requiring the target account's credentials. No patch is currently available for affected installations.

Privilege Escalation Authentication Bypass Studiocms
NVD GitHub VulDB
CVE-2026-26131
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Incorrect default permissions in .NET allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]

Privilege Escalation Redhat
NVD VulDB
CVE-2026-24018
EPSS 0% CVSS 7.8
HIGH This Week

Fortinet FortiClientLinux versions 7.4.0 through 7.4.4 contain a vulnerability that allows a local and unprivileged user to escalate their privileges to root (CVSS 7.8).

Fortinet Privilege Escalation Forticlient
NVD VulDB
CVE-2025-68648
EPSS 0% CVSS 7.2
HIGH This Week

A use of externally-controlled format string vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, Fort...

Fortinet Privilege Escalation Fortimanager Cloud +3
NVD VulDB
CVE-2025-41712
EPSS 0% CVSS 6.5
MEDIUM This Month

An unauthenticated remote attacker who tricks a user to upload a manipulated HTML file can get access to sensitive information on the device. This is a result of incorrect permission assignment for the web server. [CVSS 6.5 MEDIUM]

Privilege Escalation
NVD
CVE-2026-29773
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Kubewarden's deprecated host-callback APIs in AdmissionPolicy can be exploited by authenticated users with policy creation permissions to gain unauthorized read access to cluster-level resources including Ingresses, Namespaces, and Services. An attacker with privileged AdmissionPolicy creation permissions—not a default privilege—could craft malicious policies to bypass intended access controls and enumerate sensitive cluster infrastructure, though this vulnerability is limited to read-only access without write capability or access to Secrets and ConfigMaps. The vulnerability affects Kubernetes deployments using Kubewarden and currently has no available patch.

Kubernetes Privilege Escalation
NVD GitHub VulDB
CVE-2026-28267
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper file permission settings in multiple i-フィルター products allow local non-administrative users to create or overwrite critical files in system and backup directories. This vulnerability enables an attacker with local access to manipulate system integrity and potentially disrupt operations, though code execution is not directly possible. No patch is currently available for this vulnerability.

Privilege Escalation
NVD VulDB
CVE-2026-30926
EPSS 0% CVSS 7.1
HIGH This Week

SiYuan Note prior to version 3.5.10 contains an insufficient authorization flaw in the /api/block/appendHeadingChildren endpoint that allows authenticated users with read-only (RoleReader) privileges to modify notebook content by appending blocks to documents. The vulnerability exists because the endpoint applies only basic authentication checks instead of enforcing stricter administrative or read-only restrictions. Affected users should upgrade to version 3.5.10 or later, as no workaround is currently available and exploitation requires only network access and valid read-only credentials.

Privilege Escalation Authentication Bypass Siyuan
NVD GitHub
CVE-2026-25045
EPSS 0% CVSS 8.8
HIGH This Week

Budibase suffers from missing server-side role validation in user management APIs, allowing Creator-level users to escalate privileges and perform unauthorized actions reserved for Tenant Admins and Owners. An authenticated attacker with Creator permissions can promote themselves to Tenant Admin, demote existing administrators, modify owner accounts, and manipulate organizational orders, resulting in complete tenant compromise. No patch is currently available for this high-severity vulnerability.

Privilege Escalation Authentication Bypass Budibase
NVD GitHub VulDB
CVE-2026-3038
EPSS 0% CVSS 7.5
HIGH This Week

The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. [CVSS 7.5 HIGH]

Buffer Overflow Privilege Escalation Memory Corruption +1
NVD VulDB
CVE-2025-15576
EPSS 0% CVSS 7.5
HIGH This Week

If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has configured one. [CVSS 7.5 HIGH]

Privilege Escalation Microsoft Freebsd
NVD VulDB
CVE-2025-15547
EPSS 0% CVSS 8.8
HIGH This Week

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. [CVSS 8.8 HIGH]

Privilege Escalation Freebsd
NVD VulDB
CVE-2025-41761
EPSS 0% CVSS 7.8
HIGH This Week

A low‑privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo. [CVSS 7.8 HIGH]

Ssh Privilege Escalation Universal Bacnet Router Firmware
NVD
CVE-2026-30896
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution with administrative privileges in Qsee Client 1.0.1 and earlier through insecure DLL loading in the installer. An attacker can exploit this by placing a malicious DLL in the same directory as the installer and tricking a user into executing it. No patch is currently available.

Privilege Escalation RCE Qsee Client
NVD VulDB
CVE-2026-30851
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, enabling authenticated attackers to inject identity headers and escalate privileges. This authentication bypass vulnerability affects deployments relying on Caddy for request forwarding and has public exploit code available. The vulnerability requires valid authentication credentials but allows complete privilege elevation within affected systems.

Tls Privilege Escalation Caddy
NVD GitHub
CVE-2025-8899
EPSS 0% CVSS 8.8
HIGH This Week

The Paid Videochat Turnkey Site - HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisper_register_form() function not restricting user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages with the registration form and administrator set as the role and subsequently use that form to register an a...

WordPress Privilege Escalation PHP
NVD
CVE-2026-30225
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

OliveTin versions prior to 3000.11.1 contain an authentication bypass in RestartAction that allows authenticated users to execute shell commands beyond their assigned permissions. The vulnerability stems from improper request context handling that causes the system to fall back to guest user privileges, which may have broader access than the authenticated caller. Public exploit code exists for this medium-severity flaw that enables privilege escalation and unauthorized command execution.

Privilege Escalation Olivetin
NVD GitHub
CVE-2026-26288
EPSS 0% CVSS 9.4
CRITICAL Act Now

WebSocket auth bypass — same family.

Privilege Escalation
NVD GitHub
CVE-2026-26051
EPSS 0% CVSS 9.4
CRITICAL Act Now

WebSocket auth bypass — same industrial platform family.

Privilege Escalation
NVD GitHub

Quick Facts

Typical Severity
HIGH
Category
auth
Total CVEs
2402
