Skip to main content

Privilege Escalation

auth HIGH

Privilege escalation occurs when an attacker leverages flaws in access control mechanisms to gain permissions beyond what they were originally granted.

How It Works

Privilege escalation occurs when an attacker leverages flaws in access control mechanisms to gain permissions beyond what they were originally granted. The attack exploits the gap between what the system thinks a user can do and what they actually can do through manipulation or exploitation.

Vertical escalation is the classic form—a regular user obtaining administrator rights. This happens through kernel exploits that bypass OS-level security, misconfigurations in role-based access control (RBAC) that fail to enforce boundaries, or direct manipulation of authorization tokens and session data. Horizontal escalation involves accessing resources belonging to users at the same privilege level, typically through insecure direct object references (IDOR) where changing an ID in a request grants access to another user's data.

Context-dependent escalation exploits workflow logic by skipping authorization checkpoints. An attacker might access administrative URLs directly without going through proper authentication flows, manipulate parameters to bypass permission checks, or exploit REST API endpoints that don't validate method permissions—like a read-only GET permission that can be leveraged for write operations through protocol upgrades or alternative endpoints.

Impact

  • Full system compromise through kernel-level exploits granting root or SYSTEM privileges
  • Administrative control over applications, allowing configuration changes, user management, and deployment of malicious code
  • Lateral movement across cloud infrastructure, containers, or network segments using escalated service account permissions
  • Data exfiltration by accessing databases, file systems, or API endpoints restricted to higher privilege levels
  • Persistence establishment through creation of backdoor accounts or modification of system configurations

Real-World Examples

Kubernetes clusters have been compromised through kubelet API misconfigurations where read-only GET permissions on worker nodes could be escalated to remote code execution. Attackers upgraded HTTP connections to WebSockets to access the /exec endpoint, gaining shell access to all pods on the node. This affected over 69 Helm charts including widely-deployed monitoring tools like Prometheus, Grafana, and Datadog agents.

Windows Print Spooler vulnerabilities (PrintNightmare class) allowed authenticated users to execute arbitrary code with SYSTEM privileges by exploiting improper privilege checks in the print service. Attackers loaded malicious DLLs through carefully crafted print jobs, escalating from low-privilege user accounts to full domain administrator access.

Cloud metadata services have been exploited where SSRF vulnerabilities combined with over-permissioned IAM roles allowed attackers to retrieve temporary credentials with elevated permissions, pivoting from compromised web applications to broader cloud infrastructure access.

Mitigation

  • Enforce deny-by-default access control where permissions must be explicitly granted rather than implicitly allowed
  • Implement consistent authorization checks at every layer—API gateway, application logic, and data access—never relying on client-side or single-point validation
  • Apply principle of least privilege with time-limited, scope-restricted permissions and just-in-time access for administrative functions
  • Audit permission inheritance and role assignments regularly to identify overly permissive configurations or privilege creep
  • Separate execution contexts using containers, sandboxes, or capability-based security to limit blast radius
  • Deploy runtime monitoring for unusual privilege usage patterns and anomalous access to restricted resources

Recent CVEs (13299)

EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in Slate Digital Connect 1.37.0 for macOS allows unprivileged users on the host to gain root-level capabilities by abusing a TOCTOU race in the privileged helper's XPC client validation. The com.slatedigital.connect.privileged.helper.tool2 service identifies callers by PID and then queries code-signing information, but PID reuse lets an attacker substitute a trusted process between check and use. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the technical pattern is well-known on macOS and a SEC Consult advisory describes the flaw in detail.

Apple Authentication Bypass Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in Slate Digital Connect 1.37.0 for macOS allows unprivileged users to execute commands as root by connecting to the privileged XPC helper service with a self-signed certificate whose subject OU matches the expected value. The flaw stems from improper certificate validation (CWE-296) in the helper's client authorization logic, which fails to verify the certificate chains to a trusted code-signing authority. No public exploit is identified in CISA KEV at time of analysis, and EPSS reflects very low (0.01%) near-term exploitation probability, but a detailed vendor-lab advisory is publicly available.

Apple Authentication Bypass Privilege Escalation
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated privilege escalation in the Doctreat Core WordPress plugin (versions ≤ 1.6.8) allows remote attackers to register accounts directly as administrators by abusing insufficient role validation in the doctreat_process_registration() function. With a CVSS of 9.8 and trivial exploitability (AV:N/AC:L/PR:N/UI:N), full site takeover is possible without credentials, though no public exploit has been identified at time of analysis and the CVE is not currently listed in CISA KEV.

Privilege Escalation WordPress
NVD VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Local privilege escalation in the ansible.posix collection's authorized_key module allows an unprivileged local user to redirect root-owned file ownership changes to arbitrary system paths via symlink attacks in ~/.ssh. The module's keyfile() function calls os.chown() instead of os.lchown() and omits O_NOFOLLOW when opening files, so a pre-staged symlink is followed during privileged execution. No public exploit identified at time of analysis, but the technique is a well-understood TOCTOU/symlink class with a moderate-to-high CVSS (7.3).

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Omnissa Workspace ONE Assist for macOS allows an authenticated local user with low privileges to escalate to higher privileges through a path traversal weakness (CWE-22). The flaw carries a CVSS 7.8 (High) rating with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. The vulnerability is tracked under Omnissa advisory OMSA-2026-0001 and is specific to the macOS build of the Assist remote-support agent.

Apple Path Traversal Privilege Escalation
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local privilege escalation in Waves Central for macOS (13.0.9 through 16.5.5) allows an unprivileged local user to gain root code execution by exploiting a time-of-check/time-of-use race in the privileged helper's XPC client validation. The helper trusts the connecting process's PID to verify code-signing identity, but PID reuse permits an attacker-controlled process to masquerade as a legitimate Waves client. SSVC reports a public proof-of-concept exists; the issue is not listed in CISA KEV.

Apple Privilege Escalation RCE
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Waves Central for macOS versions 13.0.9 through 16.5.5 allows an unprivileged user to gain root code execution by injecting a malicious dylib into a trusted XPC client process via DYLD_INSERT_LIBRARIES. The injected code then abuses the product's privileged helper service to perform operations as root. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%), consistent with a local-only macOS desktop attack surface.

Apple RCE Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel's net/sched act_ct traffic control action stems from a use-after-free in tcf_ct_flow_table_get(), where rhashtable_lookup_fast() releases the RCU read lock before refcount_inc_not_zero() can pin the returned ct_ft object. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but Trend Micro ZDI provided detailed root-cause analysis and stable-tree patches are merged across 5.10 through 6.18 lines. Successful exploitation grants attacker-controlled kernel memory access enabling privilege escalation to root.

Trend Micro Linux Privilege Escalation +2
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection and privilege escalation in TYPO3 CMS 14.0.0 through 14.3.3 allow authenticated backend users holding write permissions on the form_definition table to bypass the Form Framework's persistence validation by submitting form configurations directly through DataHandler. Successful exploitation re-opens the attack class originally fixed in TYPO3-CORE-SA-2018-003, enabling injection of arbitrary form configurations that yield SQLi and elevation of privileges. No public exploit identified at time of analysis; not listed in CISA KEV.

Privilege Escalation SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Local privilege escalation in Siemens SINEC INS (versions prior to V1.0 SP2 Update 6) stems from a binary shipped with the Linux cap_dac_override capability, which bypasses filesystem discretionary access control checks. An authenticated local attacker can leverage this overly broad capability to read or modify any file on the system, ultimately obtaining root. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Sinec Ins
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Events Calendar for GeoDirectory WordPress plugin (versions up to and including 2.3.28) allows authenticated Subscriber-level users to elevate to Administrator by abusing the ajax_ayi_action() AJAX handler, which writes attacker-controlled POST parameters directly into the wp_capabilities user meta key. The flaw stems from insufficient input filtering (strip_tags/esc_sql with no allow-list) on the type and postid fields before they reach update_user_meta(), enabling an attacker to set their own role to administrator. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation WordPress
NVD
EPSS 0% CVSS 3.6
LOW Monitor

Permission control weakness in the service notifications component of Huawei HarmonyOS and EMUI allows a local, unprivileged attacker - with user interaction - to partially degrade availability across a changed scope boundary. Rooted in CWE-264 (Permissions, Privileges, and Access Controls), the flaw permits improper manipulation of notification service permissions, with impact reaching beyond the immediately vulnerable component as indicated by the CVSS Scope:Changed attribute. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; the low CVSS score of 3.6 reflects constrained real-world impact limited to availability.

Privilege Escalation Emui
NVD
EPSS 0%
HIGH PATCH This Week

Cross-site request forgery in nebula-mesh's admin web UI (versions <= 0.3.2) lets a remote attacker trigger privileged operator actions - CA signing, API key minting, operator disablement, server-setting changes, and forced logout - when a logged-in operator visits an attacker-controlled page. SameSite=Lax on the session cookie does not block top-level cross-site form POSTs, sibling-subdomain attackers, or the GET /ui/logout route, so the impact is privilege escalation rather than nuisance. No public exploit identified at time of analysis beyond the working reproducer in the advisory itself.

CSRF XSS Privilege Escalation
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation and cross-tenant resource takeover in juev/nebula-mesh versions prior to v0.3.4 allow any authenticated low-privilege operator to mint admin API keys, hijack other operators' hosts via the reenroll endpoint, and perform unauthorized CRUD across hosts, networks, and firewall rules. The `/api/v1/*` route surface trusts the bearer token for authorization without enforcing per-CA ownership checks that the Web UI applies, breaking the per-operator CA tenancy model from ADR 0002. No public exploit identified at time of analysis, though a detailed exploit chain with working curl commands is published in the GHSA advisory.

Authentication Bypass Privilege Escalation
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Privilege escalation in Apache HTTP Server 2.4.0 through 2.4.67 allows local users with .htaccess write access to read arbitrary files using the privileges of the httpd daemon process, exploiting improper privilege management (CWE-269). The attack vector is local, requires low privileges, and impacts only confidentiality - no integrity or availability impact is present. No public exploit code and no active exploitation have been identified; SSVC classifies technical impact as partial and the vulnerability as non-automatable, consistent with the targeted, local nature of the attack.

Privilege Escalation Apache Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Privilege escalation in the Booking Package plugin for WordPress (versions up to and including 1.7.16) allows authenticated attackers with Editor-level access or above to take over any account, including Administrator accounts, by abusing the 'updateUser' branch of the package_app_action AJAX endpoint. The handler validates only a nonce and passes a hard-coded administrator flag to Schedule::updateUser(), letting attackers supply arbitrary target user IDs to wp_update_user() and reset the email and password of any account. No public exploit identified at time of analysis, but the issue was disclosed by Wordfence and results in full site compromise once an Editor account is obtained.

Authentication Bypass Privilege Escalation WordPress
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Local privilege escalation in clash-verge-service-ipc before 2.3.0 allows unprivileged local users on macOS and Linux to interact with a world-reachable IPC socket exposed by the privileged Clash Verge service, enabling them to invoke service operations that run with elevated rights. The upstream fix (PR #23) restricts IPC permissions to 0750 on the directory and 0660 on the socket, and the patched dependency was incorporated into the Clash Verge Rev desktop client. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Privilege Escalation Clash Verge Service Ipc
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Privilege escalation in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL (GlobalDatabasePlugin) allows an authenticated low-privilege RDS user to gain the privileges of another user — including rds_superuser — by planting a malicious function on an untrusted search path that executes when the targeted user connects through the wrapper. The flaw is rated CVSS 4.0 8.6 (High) and requires user interaction (the victim must initiate a connection via the wrapper), with no public exploit identified at time of analysis. A vendor patch is available in release 2026-05-26.

Privilege Escalation PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Privilege escalation in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL (versions prior to 4.0.1) allows a remote authenticated low-privilege RDS user to gain the privileges of another database user - including rds_superuser - by planting a crafted function that executes when the higher-privileged user connects to the cluster through the affected wrapper. No public exploit identified at time of analysis, and the vendor (Amazon) released a fix in version 4.0.1 on 2026-05-13 that fully qualifies function calls in PostgreSQL topology detection queries to close the search-path attack surface.

Privilege Escalation PostgreSQL
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in DbGate (npm package dbgate-api) versions 7.1.8 and earlier allows any authenticated user with basic access to execute arbitrary OS commands by injecting JavaScript into the `functionName` parameter of the `POST /runners/load-reader` endpoint. The flaw stems from unsanitized string interpolation into a server-side script template, and the `require=null` sandbox is bypassed via `process.binding("spawn_sync")`. Publicly available exploit code exists (vendor-published PoC in the GHSA advisory), and the issue carries a CVSS 8.8 rating with low-complexity, low-privilege exploitation.

Privilege Escalation Code Injection RCE +2
NVD GitHub
EPSS 0%
CRITICAL POC PATCH Act Now

Authenticated remote code execution in DbGate (all versions through 7.1.8) allows any user with valid credentials to execute arbitrary OS commands as the process owner - root in Docker - by injecting newline-delimited JavaScript into the unsanitized `functionName` parameter of the `/runners/load-reader` API endpoint. A prior partial mitigation (`require = null`) introduced in commit cf3f95c (June 2025) is trivially bypassed using the dynamic `import()` language keyword, which cannot be nullified at runtime. Publicly available exploit code exists demonstrating full root-level command execution; this vulnerability is not listed in CISA KEV at time of analysis.

Python Privilege Escalation Command Injection +2
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in Arista CloudVision Exchange (CVX) allows an authenticated attacker with network reach to the Redis service to obtain full root access across every server in the CVX cluster. The flaw stems from CVX's reliance on Redis for inter-node coordination combined with the fact that Redis traffic - including authentication - is transmitted in plaintext, meaning anyone who can sniff a single session can replay credentials to compromise the entire cluster. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Redis
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Argument injection in the kubectl_generic tool of mcp-server-kubernetes (npm, ≤ 3.6.2) enables Kubernetes bearer token exfiltration through indirect prompt injection, allowing privilege escalation to the operator's full RBAC permissions. An attacker with limited cluster access plants a crafted JSON payload in pod log output; when an AI agent using the MCP server reads those logs and follows the injected instruction, kubectl_generic calls kubectl with attacker-controlled --server and --insecure-skip-tls-verify flags, forwarding the operator's kubeconfig bearer token to an attacker-controlled HTTPS endpoint. A fully working public PoC exists confirmed end-to-end on a live kind cluster using Claude Haiku; the fix is available in version 3.7.0. No active exploitation per CISA KEV is confirmed at time of analysis.

OpenSSL Python Privilege Escalation +2
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Out-of-bounds heap write in X.Org X server and Xwayland DRI2 buffer handling allows a local authenticated client to corrupt server memory by requesting multiple DRI2BufferBackLeft attachments alongside one DRI2BufferFrontLeft. Successful exploitation crashes the display server or, when the X server runs setuid root (a still-common legacy deployment), enables local privilege escalation to root. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

Memory Corruption Privilege Escalation Buffer Overflow +5
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in the X.Org X server and Xwayland arises from a use-after-free in SyncChangeCounter() that a local authenticated attacker can trigger by orchestrating two client connections - one creating multiple SyncCounters, the other destroying them while they are being changed. On systems where the X server still runs as root (common on legacy Linux setups), successful exploitation yields root code execution; at minimum it crashes the display server. No public exploit identified at time of analysis, but the bug is confirmed by Red Hat and a fix has landed upstream in xserver.

Use After Free Memory Corruption Privilege Escalation +5
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in the X.Org X server and Xwayland arises from a use-after-free in FreeCounter() when SyncCounter objects are destroyed across multiple client connections. Authenticated local attackers on affected Red Hat Enterprise Linux 6 through 10 systems can crash the server or escalate to root when the X server runs with elevated privileges. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Use After Free Memory Corruption Privilege Escalation +5
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in X.Org X server and Xwayland stems from an incomplete fix for CVE-2025-26597, where CheckKeyTypes() fails to clamp non-canonical key types to XkbMaxShiftLevel, enabling stack-based buffer overflows. Authenticated local users on Red Hat Enterprise Linux 6 through 10 can crash the display server or, when X runs as root, escalate to root privileges. No public exploit identified at time of analysis, though the upstream commit reveals the vulnerable code path and the prior CVE-2025-26597 has known exploitation history.

Canonical Stack Overflow Buffer Overflow +6
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Stack-based buffer overflow in X.Org X server and Xwayland's _XkbSetMapChecks() function allows local authenticated attackers to crash the server or potentially escalate privileges to root when the X server runs with elevated privileges. The flaw resides in CheckKeyTypes() writing to a fixed mapWidths[256] stack buffer at a client-controlled offset, affecting Red Hat Enterprise Linux versions 6 through 10. No public exploit identified at time of analysis, but an upstream fix has been merged into the xserver repository.

Stack Overflow Buffer Overflow Privilege Escalation +5
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in the X.Org X server and Xwayland stems from a stack-based buffer overflow during font alias resolution, where a 256-byte server-side stack buffer is overrun by libXfont2 alias target names of up to 1023 bytes. An authenticated local attacker who can influence font alias files can crash the server or, when the X server runs as root, escalate to root privileges. No public exploit is identified at time of analysis and CVSS is 7.8 (Local/Low complexity/Low privileges).

Stack Overflow Buffer Overflow Privilege Escalation +5
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in X.Org X server and Xwayland enables authenticated local users to trigger a use-after-free in miSyncDestroyFence() by racing two client connections against a shared fence object. Successful exploitation can crash the display server or escalate privileges to root when the X server runs as root, which remains common on legacy and embedded Linux deployments. No public exploit identified at time of analysis, but an upstream fix has been committed by the X.Org maintainers.

Use After Free Memory Corruption Privilege Escalation +5
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Privilege escalation in Google Chrome's Extensions subsystem, affecting all versions prior to 149.0.7827.53, allows a remote attacker who socially engineers a user into installing a crafted malicious extension to gain elevated privileges within the browser context, impacting confidentiality, integrity, and availability at a low-to-moderate level. The CVSS score of 6.3 (Medium) reflects the network-reachable attack vector offset by mandatory user interaction (UI:R), and Chromium's own security team rated this as Low severity - a notable downgrade from the NVD-calculated score. No public exploit code and no KEV listing have been identified at time of analysis, and the EPSS score of 0.01% (1st percentile) corroborates minimal observed exploitation activity.

Google Privilege Escalation Chrome
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Google Chrome's ImageCapture component before 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to escape sandbox boundaries via a crafted HTML page. The flaw was reported by Google's internal security team and is rated medium-low by Chromium itself despite the 7.5 CVSS score, and no public exploit identified at time of analysis. SSVC indicates no known exploitation but total technical impact if successfully chained.

Google Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Google Chrome's WebView component on Android prior to version 149.0.7827.53 allows a remote attacker to elevate privileges by serving a crafted HTML page to a victim. The flaw requires user interaction (visiting or rendering the malicious page) and carries a CVSS 8.8 due to the high confidentiality, integrity, and availability impact across the browser sandbox. No public exploit identified at time of analysis, and EPSS is very low at 0.04%, but Google has shipped a fix.

Google Privilege Escalation Chrome
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Discretionary access control bypass in Google Chrome's Cast feature (prior to 149.0.7827.53) allows an attacker positioned on the local network segment to interfere with Cast functionality via crafted malicious network traffic. The vulnerability stems from improper privilege management (CWE-269) within the Cast implementation, resulting in limited confidentiality and integrity impact (CVSS 5.1). No public exploit code has been identified at time of analysis, and CISA KEV listing is absent; however, the no-authentication-required condition and the network-adjacent attack surface make this relevant for environments where Chrome's Cast feature is actively used on shared or untrusted network segments.

Google Privilege Escalation Red Hat +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Google Chrome for iOS prior to 149.0.7827.53 allows remote attackers to elevate privileges when a victim is lured into performing specific UI gestures on a crafted HTML page. The flaw stems from insufficient input validation in the Reading List feature and carries a CVSS 3.1 score of 8.8, though EPSS is low at 0.05% and no public exploit identified at time of analysis. Google rates the underlying Chromium severity as Low despite the high CVSS, suggesting realistic exploitability is constrained by the required user interaction.

Apple Google Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Privilege escalation in Google Chrome's Cast component (versions prior to 149.0.7827.53) allows an adjacent network attacker to elevate privileges by delivering a crafted HTML page that exploits insufficient input validation. Exploitation requires the victim to interact with the malicious content, and no public exploit has been identified at time of analysis despite a CVSS score of 8.0. Google has classified the Chromium security severity as Low, suggesting the practical impact is more constrained than the numeric score implies.

Google Privilege Escalation Red Hat +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to escape sandbox-style restrictions via the Extensions subsystem using a crafted HTML page. The flaw requires user interaction and high attack complexity, and is rated Low severity by the Chromium team despite the 7.5 CVSS score; no public exploit identified at time of analysis.

Google Privilege Escalation Red Hat +2
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Privilege escalation in Google Chrome's Enterprise feature (versions prior to 149.0.7827.53) allows a local attacker with physical device access to elevate privileges and access confidential information. The CVSS vector (AV:P/C:H) confirms the attack requires hands-on physical access to the target device, limiting the realistic threat surface to scenarios such as unattended or shared managed endpoints. No public exploit exists and no active exploitation has been identified at time of analysis; EPSS at 0.01% (1st percentile) and SSVC exploitation status of 'none' align with the low overall risk posture.

Google Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

OS-level privilege escalation in Google Chrome on Linux prior to 149.0.7827.53 allows remote attackers to escalate privileges via malicious network traffic targeting the Chromoting (Chrome Remote Desktop) component. Google has released a patched stable channel update, and while no public exploit has been identified at time of analysis, the network-based attack vector and high impact across confidentiality, integrity, and availability warrant prompt patching. EPSS probability is very low (0.03%), and the issue is not listed in CISA KEV.

Google Privilege Escalation Chrome
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Android prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the WebView sandbox via a crafted HTML page. The flaw stems from an inappropriate implementation in WebView and is chained behind a prior renderer compromise, requiring user interaction. No public exploit identified at time of analysis, and EPSS sits at 0.03% (10th percentile), indicating no current evidence of widespread exploitation despite the high CVSS score of 9.6.

Google Privilege Escalation Chrome
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that abuses insufficient input validation in the Extensions component. Google rates the Chromium severity as Medium while NVD assigns CVSS 7.5 (High); no public exploit identified at time of analysis and CISA SSVC reports no observed exploitation.

Google Privilege Escalation Red Hat +2
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation in Google Chrome on Windows prior to 149.0.7827.53 stems from a use-after-free condition in the Updater component, allowing a local attacker who can place a malicious file to elevate to OS-level privileges. The flaw was reported by Google's Chrome security team with no public exploit identified at time of analysis, and EPSS scoring is very low at 0.01% reflecting minimal predicted exploitation activity. Chromium rates the severity as Medium while the CVSS base score of 7.3 reflects the high impact of OS-level privilege escalation.

Privilege Escalation Google Memory Corruption +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Google Chrome on Android prior to 149.0.7827.53 allows a remote attacker to escape the browser's normal privilege boundaries by enticing a victim to visit a crafted HTML page that abuses the NFC implementation. The flaw carries a CVSS 8.8 (high) rating with high confidentiality, integrity, and availability impact, though Chromium itself classified its security severity as Medium. EPSS is very low (0.03%, 11th percentile) and there is no public exploit identified at time of analysis.

Google Privilege Escalation Chrome
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome on Windows prior to version 149.0.7827.53 allows an attacker with local access to elevate to OS-level privileges by planting a malicious file that the Chrome Installer processes inappropriately. The flaw stems from improper privilege management (CWE-269) in the Installer component and requires user interaction to trigger, with no public exploit identified at time of analysis and an EPSS score of 0.01% indicating very low predicted exploitation likelihood.

Google Microsoft Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Google Chrome DevTools versions prior to 149.0.7827.53 allows attackers to abuse insufficient policy enforcement through a malicious browser extension. The flaw requires user interaction to install a crafted extension, after which the attacker can gain elevated privileges within the browser context. No public exploit identified at time of analysis, and EPSS scoring (0.01%) indicates very low near-term exploitation probability despite the high CVSS rating.

Google Privilege Escalation Chrome
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Google Chrome on Windows prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via an integer overflow in the CredentialProvider component. Exploitation requires user interaction with a crafted HTML page and a prior renderer compromise, and no public exploit has been identified at time of analysis. Chromium rates the security severity as Medium despite the CVSS 7.5 score.

Google Microsoft Privilege Escalation +3
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation in Google Chrome for Android prior to 149.0.7827.53 stems from an inappropriate implementation in the Custom Tabs component, where a crafted XML file processed by a local attacker can elevate privileges within the browser context. The flaw is rated CVSS 7.3 (Chromium severity Medium) and requires user interaction, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 4th percentile). A vendor patch is available in the Stable channel update referenced by the Chrome Releases advisory.

Google Privilege Escalation Chrome
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Google Chrome's Extensions component prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to escape sandbox restrictions via a crafted HTML page. Chromium rates the issue High severity; no public exploit has been identified at time of analysis and SSVC reports exploitation status as none, though the technical impact is total if chained successfully.

Google Privilege Escalation Red Hat +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome on Windows prior to 149.0.7827.53 enables an attacker who can deliver a malicious file to a victim to elevate privileges via an inappropriate UI implementation. Google's Chromium team rated the severity as High and a stable channel patch has been released, but no public exploit has been identified at time of analysis and the issue is not currently listed in CISA KEV.

Google Microsoft Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Order state transition endpoints in Shopware's Admin API expose a vertical authorization bypass (CWE-862) where authenticated low-privileged users can manipulate order lifecycle states - including cancellation, fulfillment, and payment transitions - without holding the required `order:update` ACL privilege. The structural gap exists across both the 6.6.x and 6.7.x release lines because the affected routes in `OrderActionController.php` carry no ACL metadata, causing `AclAnnotationValidator` to exit without enforcing any privilege check, and the downstream `StateMachineRegistry` then executes writes under `Context::SYSTEM_SCOPE`. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but exploitation is mechanically trivial for any authenticated Admin API user regardless of their assigned role.

PHP Authentication Bypass Privilege Escalation
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Privilege escalation in Shopware's Admin API allows authenticated users holding only the low-privilege `user:create` or `user:update` ACL to promote any account - including newly created ones - to full administrator access. The flaw exists in `UserController::upsertUser()` across composer packages `shopware/platform` and `shopware/core`, affecting all releases below 6.6.10.18 and the 6.7.x line below 6.7.10.1. Shopware has released patched versions; no public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is straightforward for any user with delegated user-management API access.

PHP Privilege Escalation
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL Act Now

Privilege escalation in MISP threat intelligence platform versions through 2.5.38 allows authenticated users to modify other users' account attributes by submitting a crafted User.id parameter in edit requests. The UsersController::edit() function failed to strip user-supplied identifiers before processing, enabling cross-account modifications. No public exploit identified at time of analysis, but the source code fix is publicly visible in the upstream commit.

Privilege Escalation Misp
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Privilege escalation in Red Hat OpenShift's Cloud Credential Operator (CCO) Mint-mode on AWS allows an attacker who compromises operator credentials to perform destructive actions across the entire AWS account rather than only cluster-owned resources. The over-privileged IAM policies break least-privilege boundaries, turning a single cluster credential leak into an account-wide blast radius. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Privilege Escalation
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in Forcepoint VPN Client for Windows versions 6.11.3 and prior allows an authenticated low-privileged local user to elevate to SYSTEM. The flaw stems from execution with unnecessary privileges (CWE-250) and carries a CVSS 4.0 score of 8.5, but no public exploit identified at time of analysis. The vulnerability was reported and disclosed by Forcepoint PSIRT itself rather than a third party.

Microsoft Privilege Escalation Vpn Client
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤M6E_AI_1.00.000019) allows low-privileged local software components to invoke administrative operations via an unprotected Broadcast Receiver. CVSS 4.0 scores this 8.5 (High) with local attack vector and low privileges required, and no public exploit has been identified at time of analysis.

Privilege Escalation Connect M6E 5G Portable Wifi Router
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Local privilege escalation in NetworkManager's dhclient backend allows a low-privileged local user to execute arbitrary OS commands with elevated privileges by supplying a crafted Manufacturer Usage Description (MUD) URL. Exploitation is strictly limited to systems where an administrator has explicitly reconfigured NetworkManager to use the dhclient backend - a non-default setting - meaning the vast majority of deployments are unaffected by design. CVSS 6.7 (local vector, high complexity, user interaction required) accurately reflects the constrained exploitation conditions; no public exploit code or CISA KEV listing exists at time of analysis.

Privilege Escalation Command Injection Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation in Acronis DeviceLock DLP for Windows (builds prior to 9.0.15051.93227) enables a low-privileged local user to execute code in a higher-privileged context by abusing insecure DLL search behavior. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the combination of low complexity and a security product as the target makes it a credible insider/post-compromise risk. Exploitation requires local access plus user interaction, which limits drive-by mass abuse.

Microsoft Privilege Escalation
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation in Acronis DeviceLock DLP for Windows (builds prior to 9.0.15051.93227) enables an authenticated low-privileged user to execute code in a higher-privileged context by abusing uncontrolled DLL search path loading. Exploitation requires local access plus user interaction, and at the time of analysis no public exploit identified at time of analysis and the issue is not listed in CISA KEV. The vendor (Acronis PSIRT) has published advisory SEC-11249 with a fixed build.

Microsoft Privilege Escalation
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation in Acronis DeviceLock DLP for Windows (builds prior to 9.0.15051.93227) allows a low-privileged local user to hijack the execution of a trusted DeviceLock executable and run arbitrary code with elevated rights. The flaw is rooted in CWE-427 (Uncontrolled Search Path Element), commonly seen when an application loads a binary from a writable or attacker-controllable location. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Microsoft Privilege Escalation
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation in Acronis DeviceLock DLP for Windows before build 9.0.15051.93227 allows a low-privileged authenticated user to gain elevated privileges by abusing excessive permissions inherited by child processes spawned by the agent. With CVSS 7.3 and a high impact across confidentiality, integrity, and availability, successful exploitation requires user interaction and local access, and no public exploit identified at time of analysis.

Microsoft Privilege Escalation
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation in SWUpdate versions before 2026.05 allows unprivileged users to gain root or install attacker-controlled content by winning a TOCTOU race during processing of a signed update. The flaw, reported by SBA Research and tracked as EUVD-2025-210052, undermines SWUpdate's signed-update integrity model on embedded Linux devices. No public exploit identified at time of analysis, but an upstream patch is available via commit f4bd6426.

Privilege Escalation Swupdate
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Mojoomla School Management WordPress plugin (versions up to and including 93.2.0) allows authenticated low-privileged users to elevate their permissions to higher-privileged roles such as administrator. The flaw stems from incorrect privilege assignment (CWE-266) and carries a CVSS 3.1 score of 8.8 with no public exploit identified at time of analysis. Any WordPress site running the plugin in its default state is vulnerable until an upstream patch is released.

Privilege Escalation School Management
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Dräger Protector Software prior to version 6.4.2 contains a local privilege escalation vulnerability due to insecure file system permissions that allows local attackers to execute arbitrary code with. Rated high severity (CVSS 8.3), this vulnerability is no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

RCE Privilege Escalation Protector Software
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Dräger Protector Software prior to version 6.4.2 contains a local privilege escalation vulnerability due to insecure file system permissions that allows local attackers to execute arbitrary code with. Rated high severity (CVSS 8.3), this vulnerability is no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

RCE Privilege Escalation Protector Software
NVD
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Sandbox escape in Sony PlayStation 4 firmware versions 13.00 through 13.02 allows attackers to break out of the BD-J (Blu-ray Disc Java) sandbox by supplying a malformed JAR file, leading to privilege escalation with full impact on confidentiality, integrity, and availability. The flaw, tracked via HackerOne report 3452696 and CWE-367 (TOCTOU race condition), is rated CVSS 7.4 because the local attack vector and high attack complexity offset the unauthenticated nature of the exploit. EPSS is 0.02% (5th percentile) and no public exploit identified at time of analysis.

Privilege Escalation Ps4
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in National Instruments NI-PAL versions 26.3.0 and earlier on Windows and Linux allows authenticated low-privileged users to read arbitrary system memory through improper input validation, potentially leading to full privilege escalation. CVSS 4.0 base score is 8.4 (High) reflecting the local attack vector but high confidentiality and integrity impact. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Privilege Escalation Microsoft
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Dell ThinOS 10 versions prior to ThinOS10 2602_10.0765 allows a low-privileged user with local access to elevate to higher privileges due to improper access control (CWE-284). The CVSS 3.1 base score of 7.8 reflects high impact on confidentiality, integrity, and availability, though exploitation requires existing local foothold. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Dell Privilege Escalation Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in Themeisle Masteriyo LMS PRO (WordPress plugin) up to and including version 2.20.0 allows remote unauthenticated attackers to gain elevated privileges through incorrect privilege assignment (CWE-266). The CVSS 9.8 score reflects network-reachable, no-authentication exploitation with high impact to confidentiality, integrity, and availability; no public exploit identified at time of analysis, but the Patchstack advisory confirms the flaw class and affected version range.

Privilege Escalation Masteriyo Lms Pro
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Account takeover in the Kirki Freeform Page Builder WordPress plugin (versions 6.0.0 through 6.0.6) allows unauthenticated remote attackers to hijack any registered account, including administrators, by redirecting password reset links to attacker-controlled email addresses. The flaw stems from the plugin honoring an arbitrary email value supplied alongside a valid username in password reset requests, breaking the trust binding between account and recovery destination. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's published advisory make weaponization straightforward.

Privilege Escalation WordPress
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Dräger Infinity Explorer C700 contains a privilege escalation vulnerability that allows attackers to break out of kiosk mode and access the underlying operating system through a specific dialog. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Infinity Explorer C700
NVD
EPSS 0% CVSS 3.3
LOW Monitor

Android's AppOpsService (AppOpsService.java) exposes protected system or user information to low-privileged local applications due to missing permission checks across multiple functions, enabling unauthorized information disclosure without requiring additional execution privileges. Affected versions span Android 14 through Android 16-QPR2, representing a broad swath of active Android deployments in use today. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); SSVC rates exploitation as none with only partial technical impact, placing this at low urgency for most organizations.

Privilege Escalation Information Disclosure
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android 16 and 16-qpr2 allows an attacker with low-privilege code execution on the device to gain elevated privileges by exploiting an incorrect bounds check that causes a desync in persistence logic across multiple functions. Categorized as CWE-120 buffer overflow with high confidentiality, integrity, and availability impact, the flaw requires no user interaction and has no public exploit identified at time of analysis. CISA SSVC scoring indicates no observed exploitation but rates technical impact as total.

Privilege Escalation Buffer Overflow
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) stems from a tapjacking/overlay weakness in the addWindow function of WindowManagerService.java. A locally-installed malicious app holding low privileges can draw deceptive overlays to hijack user taps and gain elevated permissions without requiring further user interaction. No public exploit identified at time of analysis, and SSVC indicates exploitation is not currently observed, but technical impact is rated total.

XSS Privilege Escalation
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Android (versions 14, 15, 16, and 16-qpr2) stems from a heap buffer overflow in the LoadedArsc.cpp resource table loader, allowing a low-privileged local process to write out of bounds and gain elevated execution privileges without user interaction. No public exploit identified at time of analysis, and SSVC scoring indicates exploitation has not been observed despite a 'total' technical impact rating. Patches are tracked in the June 2026 Android Security Bulletin.

Privilege Escalation Heap Overflow Buffer Overflow
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) allows a low-privileged local app to launch an arbitrary activity from the background by abusing a logic error in HostEmulationManager.onNullBinding(). Exploitation requires user interaction but no extra execution privileges, and no public exploit has been identified at time of analysis.

Privilege Escalation
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) allows a low-privileged app to bypass activity start restrictions through a confused deputy flaw in getCallingPackageName of Shared.java. No user interaction is required, and exploitation can yield high impact to confidentiality, integrity, and availability. No public exploit is identified at time of analysis, and SSVC indicates no observed exploitation in the wild.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.0
HIGH This Week

Privilege escalation in Google Android Bluetooth Low Energy (LE) pairing affects Android 14, 15, 16, and 16-qpr2, where a logic error allows an adjacent attacker to bypass the user interaction step normally required during LE device pairing. Successful exploitation grants elevated privileges without requiring the victim to approve the pairing prompt, and per SSVC the technical impact is total. No public exploit identified at time of analysis.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Android 16 and Android 16-qpr2 allows a low-privileged app to deceive the user into forgetting a paired Bluetooth or companion device via a misleading UI in the ForgetDeviceDialogFragment. No public exploit identified at time of analysis, and CISA SSVC marks exploitation status as 'none' with total technical impact. The flaw is a UI spoofing weakness (CWE-451) reachable without any user interaction beyond normal dialog acknowledgement.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.0
HIGH This Week

Local privilege escalation in the Android Bluetooth stack (Android 14, 15, 16, and 16-qpr2) allows an adjacent attacker to corrupt the heap of the privileged Bluetooth process via an integer overflow in l2c_fcr_clone_buf. No user interaction or additional execution privileges are required, and at time of analysis there is no public exploit identified, though SSVC rates the technical impact as total.

Privilege Escalation Integer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Android 14 through 16-qpr2 stems from misleading UI rendering in KeyChainActivity's getApplicationLabel function, which can deceive users into granting certificate access to a malicious application. SSVC indicates no observed exploitation and the attack is not automatable, but technical impact is rated total, and no public exploit was identified at time of analysis.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) stems from a misleading UI caused by UI obfuscation across multiple components, enabling a low-privileged local app to elevate privileges without user interaction. No public exploit identified at time of analysis, and SSVC indicates exploitation status is 'none' despite a total technical impact rating.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) allows a low-privileged shell user to execute code within the launcher process due to over-privileged shell user permissions in multiple code locations. The flaw requires no user interaction and no additional execution privileges, enabling an attacker with shell-level access to gain elevated privileges. No public exploit identified at time of analysis, and SSVC indicates no observed exploitation, though technical impact is rated total.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android (16-qpr2) allows a low-privileged local app to install unverified applications by abusing missing permission checks in PackageInstallerService.java. The flaw requires no user interaction and no public exploit identified at time of analysis, but its presence on Android's app install path makes it a strong candidate for inclusion in malicious app payloads.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Android 14, 15, 16, and 16-qpr2 stems from the getCallingAppLabel function in CertInstaller.java rendering a misleading or insufficient UI that can hide a sensitive security dialogue. A local low-privileged app can leverage this UI spoofing weakness (CWE-451) to obtain elevated privileges without requiring any user interaction. There is no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.01%.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Android 14, 15, 16, and 16-qpr2 allows a malicious app to hijack arbitrary App Links due to a logic flaw in DomainVerificationService.approvalLevelForDomainInternal. No public exploit identified at time of analysis and EPSS is very low (0.01%), but the bug requires no user interaction and no additional execution privileges, making it attractive for chaining within malicious apps. Google addressed the issue in the June 2026 Android Security Bulletin.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

Local privilege escalation in Google Android 16-QPR2 enables an unprivileged local actor to delete device supervision data by exploiting a missing null check in the onCreate() method of DisableSupervisionActivity.kt, effectively dismantling enterprise MDM controls without requiring elevated privileges or user interaction. The flaw (CWE-269: Improper Privilege Management) is bounded to local access but operates with no authentication prerequisite, making it exploitable by any installed app or local user on a supervised managed device. No public exploit identified at time of analysis, and an EPSS of 0.01% reflects negligible observed exploitation probability; however, organizational risk in enterprise Android deployments is disproportionately higher than the base score suggests.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) stems from improper input validation in the setGlobalProxy method of DevicePolicyManagerService.java, causing a desynchronization in persistence state. A local attacker with low-level privileges can exploit this without user interaction to elevate to higher privileges on the device, with no public exploit identified at time of analysis and an EPSS score of 0.01% indicating minimal observed exploitation activity.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android 16-qpr2 stems from a logic error in ActivityRecord.java's resumeConfigurationDispatch routine that permits unauthorized background activity launches (BAL bypass). A local attacker with low privileges can elevate to higher privileges without any user interaction, with no public exploit identified at time of analysis and an EPSS score of 0.01% indicating very low near-term exploitation probability.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Android 14, 15, and 16 (including 16-qpr2) stems from an out-of-bounds read in the validateNode function of ResourceTypes.cpp, part of the Android resource parsing layer. A local attacker running an unprivileged app can leverage the flaw to elevate privileges without user interaction. No public exploit identified at time of analysis and EPSS is very low (0.01%), but the issue is addressed in the June 2026 Android Security Bulletin.

Privilege Escalation Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

SQL injection across multiple contacts database functions in Google Android enables local privilege escalation on Android 14, 15, 16, and 16-qpr2 without requiring any elevated privileges or user interaction. The flaw allows an unprivileged local process or malicious application to inject arbitrary SQL into contacts database queries, resulting in unauthorized read, write, and partial denial-of-service impact against contact data. No public exploit has been identified at time of analysis, and EPSS probability stands at 0.01%, consistent with a local-only attack surface, though the absence of any privilege prerequisite (PR:N) lowers the bar for any attacker already on the device.

Privilege Escalation SQLi
NVD VulDB
Prev Page 5 of 148 Next

Quick Facts

Typical Severity
HIGH
Category
auth
Total CVEs
13299

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy