Skip to main content

Privilege Escalation

auth HIGH

Privilege escalation occurs when an attacker leverages flaws in access control mechanisms to gain permissions beyond what they were originally granted.

How It Works

Privilege escalation occurs when an attacker leverages flaws in access control mechanisms to gain permissions beyond what they were originally granted. The attack exploits the gap between what the system thinks a user can do and what they actually can do through manipulation or exploitation.

Vertical escalation is the classic form—a regular user obtaining administrator rights. This happens through kernel exploits that bypass OS-level security, misconfigurations in role-based access control (RBAC) that fail to enforce boundaries, or direct manipulation of authorization tokens and session data. Horizontal escalation involves accessing resources belonging to users at the same privilege level, typically through insecure direct object references (IDOR) where changing an ID in a request grants access to another user's data.

Context-dependent escalation exploits workflow logic by skipping authorization checkpoints. An attacker might access administrative URLs directly without going through proper authentication flows, manipulate parameters to bypass permission checks, or exploit REST API endpoints that don't validate method permissions—like a read-only GET permission that can be leveraged for write operations through protocol upgrades or alternative endpoints.

Impact

  • Full system compromise through kernel-level exploits granting root or SYSTEM privileges
  • Administrative control over applications, allowing configuration changes, user management, and deployment of malicious code
  • Lateral movement across cloud infrastructure, containers, or network segments using escalated service account permissions
  • Data exfiltration by accessing databases, file systems, or API endpoints restricted to higher privilege levels
  • Persistence establishment through creation of backdoor accounts or modification of system configurations

Real-World Examples

Kubernetes clusters have been compromised through kubelet API misconfigurations where read-only GET permissions on worker nodes could be escalated to remote code execution. Attackers upgraded HTTP connections to WebSockets to access the /exec endpoint, gaining shell access to all pods on the node. This affected over 69 Helm charts including widely-deployed monitoring tools like Prometheus, Grafana, and Datadog agents.

Windows Print Spooler vulnerabilities (PrintNightmare class) allowed authenticated users to execute arbitrary code with SYSTEM privileges by exploiting improper privilege checks in the print service. Attackers loaded malicious DLLs through carefully crafted print jobs, escalating from low-privilege user accounts to full domain administrator access.

Cloud metadata services have been exploited where SSRF vulnerabilities combined with over-permissioned IAM roles allowed attackers to retrieve temporary credentials with elevated permissions, pivoting from compromised web applications to broader cloud infrastructure access.

Mitigation

  • Enforce deny-by-default access control where permissions must be explicitly granted rather than implicitly allowed
  • Implement consistent authorization checks at every layer—API gateway, application logic, and data access—never relying on client-side or single-point validation
  • Apply principle of least privilege with time-limited, scope-restricted permissions and just-in-time access for administrative functions
  • Audit permission inheritance and role assignments regularly to identify overly permissive configurations or privilege creep
  • Separate execution contexts using containers, sandboxes, or capability-based security to limit blast radius
  • Deploy runtime monitoring for unusual privilege usage patterns and anomalous access to restricted resources

Recent CVEs (13299)

EPSS 0% CVSS 5.9
MEDIUM This Month

Tapjacking and UI overlay exploitation in Android's WindowState.java enables local privilege escalation on Android 14, 15, 16, and 16-qpr2 without requiring any elevated permissions from the attacker. A malicious app on the device can deploy a deceptive overlay over system permission dialogs, causing the victim to unknowingly grant elevated permissions. No public exploit has been identified at time of analysis, and EPSS at 0.01% (1st percentile) indicates very low current exploitation probability, though the broad Android version coverage across actively maintained releases elevates the aggregate exposure.

XSS Privilege Escalation
NVD VulDB
EPSS 0% CVSS 6.2
MEDIUM This Month

Path traversal in Android's PackageInstallerService allows a local, unprivileged attacker to redirect a Device Policy Controller (DPC) installation into an unintended filesystem directory via a crafted install session, enabling local escalation of privilege on Android 14 through Android 16. No public exploit code has been identified at time of analysis, and EPSS at 0.01% (1st percentile) reflects minimal observed exploitation probability. The local attack vector (AV:L) constrains real-world exposure to scenarios where the attacker already has physical or application-level access to the device, materially limiting the attack surface compared to network-exploitable flaws.

Privilege Escalation Path Traversal
NVD VulDB
EPSS 0% CVSS 3.3
LOW Monitor

Local information disclosure in Android's Bluetooth stack allows a low-privileged application to bypass permission enforcement in handleBondStateChanged of AdapterService.java, exposing sensitive Bluetooth bonding state data without requiring any user interaction. Affected versions include Android 15, Android 16, and Android 16-qpr2, as confirmed by the June 2026 Android Security Bulletin and EUVD-2026-33779. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, placing it in the lower tier of operational priority despite the permission bypass nature of the flaw.

Privilege Escalation Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-QPR2) stems from a tapjacking/overlay flaw in the hide() method of WindowState.java, enabling a locally installed malicious application to covertly redirect a user's permission approval to itself. An attacker who has placed an app on the device can silently overlay a transparent window atop a system permission dialog, causing the user's tap to be misinterpreted as consent for sensitive permissions the attacker's app requested. No active exploitation is confirmed (absent from CISA KEV), no public exploit code has been identified, and the EPSS score of 0.01% (1st percentile) reflects negligible observed exploitation probability at time of analysis.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 6.2
MEDIUM This Month

Tapjacking via the InputInterceptor component in Android's Letterbox.java enables a locally-installed malicious app to silently capture unintended permission grants on Android 14, 15, and 16, resulting in local privilege escalation with high confidentiality impact. The vulnerability requires no elevated privileges on the part of the attacking application and is reported by Google as needing no user interaction for exploitation - a claim that is in notable tension with the tapjacking mechanism described, which inherently involves intercepting user touch events. No public exploit code exists and no active exploitation has been confirmed (EPSS 0.01%, percentile 1%), but the ease of local attack (AV:L/AC:L) and breadth of affected Android versions make patch deployment a priority for enterprise and consumer device fleets.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in the Android Bluetooth stack (versions 14, 15, 16, and 16-qpr2) allows an attacker with low privileges to bypass the bonding requirement for secure RFCOMM connections via a logic flaw in bta_jv_rfcomm_connect. No user interaction is required, and no public exploit identified at time of analysis, though Google has issued a fix in the June 2026 Android Security Bulletin.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Persistent denial of service and local privilege escalation in Google Android's UBSan runtime component affect Android 14, 15, 16-qpr2, and 16, stemming from an integer overflow in multiple functions of ubsan_throwing_runtime.cpp. An authenticated local attacker with low-level privileges and no required user interaction can exploit this overflow to trigger persistent availability loss and, per the description, possible privilege escalation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Privilege Escalation Denial Of Service Integer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) is possible via a tapjacking/overlay attack against the startAnimation function in StageCoordinator.java. An attacker with local code execution can elevate privileges without user interaction or additional execution rights. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.01%).

XSS Privilege Escalation
NVD VulDB
EPSS 0% CVSS 3.3
LOW Monitor

Improper privilege management in Android 16 and 16-QPR2 allows a local low-privileged user to override credential provider settings across user profiles by exploiting a permissions bypass in the `updateProvidersWhenServiceRemoved` method of `CredentialManagerService.java`. The CVSS vector confirms local-only exploitation (AV:L) by an authenticated low-privilege account (PR:L) with no user interaction required, yielding limited confidentiality impact. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Privilege Escalation Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android 15 and 16 enables a low-privileged app to perform tapjacking due to a logic error spanning multiple code locations, with no user interaction required. The flaw, tracked as CVE-2026-0009 and disclosed in the June 2026 Android Security Bulletin, has no public exploit identified at time of analysis, but SSVC scoring deems exploitation automatable with partial technical impact. EPSS is very low (0.01%, 1st percentile), suggesting limited near-term mass exploitation pressure.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Android 15, 16, and 16-qpr2 enables a low-privileged process to bypass Mobile Device Management (MDM) policy controls through a logic error in the InstallRepository.kt performPreInstallChecks function. No public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.01%, but the flaw permits silent policy circumvention without user interaction on enterprise-managed devices. Patched in the June 2026 Android Security Bulletin.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android versions 14, 15, 16, and 16-qpr2 allows a malicious app to reset user-selected permission choices by bypassing the permission enforcement logic (CWE-693, Protection Mechanism Failure). The flaw requires no user interaction and only low privileges already available to any installed app, but at present there is no public exploit identified at time of analysis and EPSS rates real-world exploitation probability at just 0.01%.

Privilege Escalation
NVD VulDB
EPSS 0% 4.7 CVSS 8.4
HIGH POC KEV THREAT Act Now

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) stems from an integer overflow (CWE-190) that can be triggered without user interaction to achieve code execution. With CVSS 8.4 and SSVC technical impact rated 'total,' a local attacker on the device can elevate privileges across security boundaries without additional execution rights. No public exploit identified at time of analysis and SSVC reports exploitation status as 'none.'

Privilege Escalation RCE Integer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android 14's PipTaskOrganizer component allows a low-privileged app to launch activities from the background by abusing a confused deputy condition, requiring no user interaction. The CVSS 7.8 (AV:L/AC:L/PR:L) reflects local attack vector with low privileges, and per the available data there is no public exploit identified at time of analysis (EPSS 0.01%, not on CISA KEV).

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) allows a low-privileged app to launch background activities without the required permission check, enabling elevation to higher-privileged execution contexts without user interaction. The flaw, tracked as EUVD-2025-210011 and addressed in the June 2026 Android Security Bulletin, carries a CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N) with high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis and EPSS is 0.01%, indicating very low predicted exploitation probability in the near term.

Privilege Escalation Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android 14 and 15 allows a low-privileged app to bypass the user disclaimer dialog when adding an account to a managed automotive device, due to a missing permission check in CarDevicePolicyService.setUserDisclaimerAcknowledged. The flaw enables silent account provisioning on managed (enterprise) car devices without the user's awareness or consent, and no public exploit is identified at time of analysis. EPSS is negligible (0.01%) and SSVC marks exploitation as 'none', so the issue is real but not currently weaponized.

Privilege Escalation Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) allows a low-privileged app to access URIs belonging to other users on the device due to a logic error across multiple functions in ComputerEngine.java. No user interaction or additional execution privileges are required, but exploitation is local and currently no public exploit is identified at time of analysis (EPSS 0.12%, SSVC exploitation: none).

Privilege Escalation Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Google Android 14, 15, 16, and 16-qpr2 allows a local attacker with low privileges to reveal images across user boundaries through improper input validation in multiple code locations. The flaw requires user interaction but no additional execution privileges, and carries a CVSS 7.8 (High) rating. EPSS exploitation probability is low at 0.09% (26th percentile), and there is no public exploit identified at time of analysis.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local privilege escalation in CodexBar prior to 0.32.0 allows a same-user attacker to execute arbitrary commands as root by winning a TOCTOU race against the CLI installer's temporary file. The installer writes a privileged shell payload via mktemp and invokes it through bash under an administrator prompt, leaving a window in which the file body can be swapped before approval. No public exploit identified at time of analysis, but VulnCheck published an advisory and the upstream patch is merged.

Privilege Escalation Codexbar
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Local privilege escalation in Google Android XR stems from a missing permission check in InputMethodManagerService.addInputMethodListener, allowing an app or local context to register input method listeners without the authorization the IME subsystem normally requires. The flaw needs no user interaction and no additional execution privileges, and is addressed in the June 2026 Android XR security bulletin; no public exploit identified at time of analysis.

Google Privilege Escalation Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation in Cloud Foundry smb-volume-release (prior to v3.60.0) and CF Deployment (prior to v56.0.0) lets a low-privileged CF space developer smuggle arbitrary CIFS mount options past the mount-option allowlist, gaining kernel-level mount control on shared Diego cells. The flaw maps to CWE-88 (argument injection) and carries CVSS 8.1 with low-privilege network exploitation; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Smb Volume Release Cf Deployment
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Privilege escalation in the Nextcloud Approval app (prior to version 2.7.2) allows authenticated users who lack sharing permissions to force the platform to distribute restricted files to approval workflow participants. By invoking the approval request flow with the createShares flag enabled, a user can bypass the system's file-sharing authorization controls entirely, causing files marked as non-shareable to be shared with designated approvers. No public exploit has been identified at time of analysis, but a vendor-confirmed patch and upstream PR diff are available.

Privilege Escalation Authentication Bypass Nextcloud
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in the AIWU (AI Copilot Content Generator) WordPress plugin by Sergey, affecting all versions up to and including 1.4.17, allows remote unauthenticated attackers to gain elevated privileges on a target WordPress site. The CVSS 9.8 score with AV:N/PR:N indicates no authentication is required and the attack can be carried out over the network against any site running a vulnerable installation. No public exploit identified at time of analysis, but the Patchstack reference indicates this was identified through their managed audit program for WordPress plugins.

Privilege Escalation
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in the Contest Gallery Pro WordPress plugin (versions up to and including 29.0.1) allows remote unauthenticated attackers to gain elevated privileges within affected WordPress sites due to incorrect privilege assignment (CWE-266). The CVSS 9.8 score combined with network-reachable, no-authentication exploitation makes this a critical-severity issue, though no public exploit identified at time of analysis. The vulnerability was disclosed by Patchstack's audit team and currently has no entry in CISA KEV.

Privilege Escalation
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

{id} request. The DELETE endpoint enforces only member-level authorization instead of owner-level, and the destructive action is silent, immediate, and without recovery path. No public exploit identified at time of analysis, but source-level analysis confirms the gap and a vendor patch is available.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

{workspace_id}/members. The endpoint enforces only the default member-tier gate and forwards the caller-supplied role directly to MemberService.add, which validates the role string but never checks the caller's permission to assign it. No public exploit identified at time of analysis, but a detailed exploit chain is documented in the vendor advisory.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

{workspace_id} endpoint. The CVSS vector (PR:L/AC:L/AV:N/UI:N/I:H) confirms this is a low-complexity network attack requiring only member-tier credentials, and the integrity impact is rated High because the settings field can be used as a configuration-injection primitive - redirecting LLM provider URLs, webhook endpoints, or invite flows to attacker-controlled infrastructure. No public exploit identified at time of analysis, though the exploit chain is trivially reproducible from the published GitHub Security Advisory GHSA-rcmc-q9rj-4wmq.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Apache ActiveMQ versions before 5.19.7 and 6.0.0 through 6.2.5 allows authenticated low-privilege web-login users to invoke administrative Jolokia operations such as addQueue and removeQueue due to overly permissive default authorization settings. The CVSS 8.8 score reflects high impact on confidentiality, integrity, and availability, though EPSS exploitation probability sits at just 0.01% and no public exploit identified at time of analysis. The flaw effectively collapses the broker's privilege boundary between normal web users and administrators.

Privilege Escalation Apache
NVD VulDB
EPSS 0% CVSS 3.5
LOW Monitor

Incorrect permission enforcement in OTRS External Interface and ConfigItem List module allows an authenticated customer to query Configuration Item (CI) data beyond their authorized group scope. The flaw is conditional - both the CMDB module and CustomerGroupSupport must be active simultaneously, substantially narrowing the affected population. Rated CVSS 3.5 (Low) with no confirmed active exploitation and no public exploit code identified at time of analysis, this is a scoped information disclosure risk primarily threatening organizations that expose CMDB asset data through the customer portal.

Privilege Escalation Otrs
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Information disclosure in OTRS Document Search Article Meta Filters modules (present in both STORM-powered OTRS and standalone OTRS 2026.x) permits authenticated low-privileged users to enumerate metadata - specifically the count of Configuration Items (CIs), SLAs, and services - for objects they are not authorized to access. Affected versions span OTRS with STORM modules 7.0.X through 2026.X before 2026.4.X, making this a broad version-range exposure with a low CVSS score of 3.5. No public exploit identified at time of analysis and the vulnerability has not been added to the CISA KEV catalog.

Privilege Escalation Otrs
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in MediaTek GenieZone (trusted execution environment) allows an attacker who has already gained System-level privileges on an affected device to write out-of-bounds memory and escalate further on the chipset. The flaw affects a broad range of MediaTek chipsets used in mobile and embedded devices, with no public exploit identified at time of analysis. CVSS is 7.8 (High) reflecting the high integrity, confidentiality, and availability impact despite the local attack vector.

Privilege Escalation Memory Corruption Buffer Overflow +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Local privilege escalation in MediaTek's GenieZone hypervisor component affects 36 distinct chipsets via a race condition-induced out-of-bounds write. An attacker who has already obtained System-level privilege on an affected Android device can exploit the TOCTOU flaw to escalate further - likely to kernel or hypervisor-level execution - achieving full confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, and no KEV listing exists; however, the wide chipset footprint spanning flagship to budget SoCs significantly broadens the potential attack surface.

Privilege Escalation Buffer Overflow Mediatek Chipset
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to flagship tiers. An attacker who has already achieved System-level privilege can trigger an out-of-bounds write caused by a missing bounds check, escalating further - likely into kernel or hypervisor trust boundaries - with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and this is not listed in the CISA KEV catalog; however, the post-compromise escalation path makes this relevant to threat actors performing multi-stage device compromise on Android-based MediaTek hardware.

Privilege Escalation Memory Corruption Buffer Overflow +1
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper privilege management in nextlevelbuilder GoClaw up to version 3.11.3 allows authenticated low-privileged users to escalate privileges via the handleSave function of the RoleAdmin Gateway component (internal/http/tts_config.go). The vulnerability is remotely exploitable over the network with no user interaction required, though a low-privilege authenticated session is a prerequisite per the CVSS:4.0 vector (PR:L). A publicly available proof-of-concept exists (published via GitHub issue #1118), but this CVE has not been added to the CISA KEV catalog. The CVSS 4.0 base score of 2.1 (LOW) reflects constrained confidentiality, integrity, and availability impact with no scope change to downstream systems.

Privilege Escalation Goclaw
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in the Spectra Gutenberg Blocks WordPress plugin (versions up to and including 2.19.25) allows authenticated users with Contributor-level access or higher to execute arbitrary PHP on the server by abusing the plugin's block rendering logic. The flaw stems from the plugin trusting attacker-controlled block attributes to register a fake uagb/-prefixed block type with an arbitrary render_callback, which is then invoked via call_user_func() when a second block of the same type is rendered in the same request. No public exploit identified at time of analysis, but the low privilege bar (Contributor is commonly granted to untrusted guest authors) makes this a high-priority issue for sites with open registration.

Privilege Escalation RCE WordPress
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

{workspace_id}/members/{user_id} request. The route's FastAPI dependency defaults to min_role="member" and is never overridden, while the service layer applies the requested role with no caller-privilege or role-hierarchy checks. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-c2m8-4gcg-v22g) provides full reproduction details and a fix is shipped in 0.1.4.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

{workspace_id}/members/{user_id}`, which defaults to `min_role="member"` instead of requiring owner/admin privileges, and there is no public exploit identified at time of analysis.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Vertical privilege escalation in PraisonAI Platform versions 0.1.2 and earlier allows any authenticated low-privilege workspace member to self-promote to owner and take over the workspace. The flaw stems from administrative FastAPI routes reusing a shared authorization dependency that defaults to the lowest 'member' role, so role-mutation endpoints never enforce admin/owner checks. A working PoC is published in the GHSA-h37g-4h4p-9x97 advisory, though no public exploit identified at time of analysis in mass-exploitation form, and the issue is not currently in CISA KEV.

Privilege Escalation Python Authentication Bypass
NVD GitHub
EPSS 0%
CRITICAL PATCH Act Now

Cross-tenant IDOR and privilege escalation in PraisonAI Platform (pip package praisonai-platform <= 0.1.2) allow any registered user to read, modify, or delete agents, issues, projects, labels, comments, and dependencies across every workspace, and to promote themselves to admin/owner of any workspace they are invited to. The FastAPI `require_workspace_member` dependency validates membership against the URL prefix workspace but never checks that nested resource IDs belong to that workspace, while privileged member-management routes inherit the default `min_role="member"` instead of requiring admin/owner. Publicly available exploit code exists in the form of a reporter-supplied PoC, open registration on the default `0.0.0.0:8000` bind makes exploitation trivial, and CVSS, EPSS, and CISA KEV signals are not provided in the supplied data.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-workspace IDOR and member-to-owner privilege escalation in PraisonAI Platform API (pip package praisonai-platform <= 0.1.2) lets any authenticated user read, modify, and delete issues and projects belonging to other tenants, and lets any workspace member promote themselves to owner and evict the legitimate owner. The two flaws chain together: a single member-level invite to any workspace becomes platform-wide data access plus full takeover of any workspace the attacker is added to. No public exploit identified at time of analysis beyond the detailed PoC published in the GHSA advisory, and the issue is not in CISA KEV.

Privilege Escalation Python Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Excessive RBAC permissions in the Metal3 ip-address-manager (IPAM) controller's ClusterRole expose Kubernetes Secrets to post-compromise abuse. The metal3-ipam-controller-manager-role granted full CRUD on core/v1 Secrets - yet PR diff evidence confirms the controller never accesses Secrets in normal operation, making these permissions entirely unnecessary. If the controller pod is compromised via a supply chain attack or container escape, an attacker inheriting the controller's service account token can read, modify, or delete any Secret in the namespace, turning a narrow container compromise into cluster-wide credential exfiltration. No public exploit exists and no CISA KEV listing, but the confidentiality impact is rated High (C:H) by NVD.

Privilege Escalation Information Disclosure Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Authentication bypass in NI SystemLink Enterprise Dashboard (versions 2026-04 and prior) allows a remote, unauthenticated attacker to send a crafted HTTP request that circumvents authentication controls, leading to privilege escalation or disclosure of sensitive information. The flaw carries a CVSS 4.0 base score of 9.3 and is network-reachable with low attack complexity and no user interaction. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.

Privilege Escalation Information Disclosure Authentication Bypass +1
NVD
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation in Shopper headless e-commerce admin panel prior to version 2.8.0 allows any low-privilege authenticated panel user to seize full administrator control by chaining two distinct broken-authorization defects in the team settings module. By combining an unprotected Settings/Team/Index mount with a RolePermission write path that only checks the read-only view_users permission, an attacker can mint new roles, grant themselves manage_users and edit_orders, and delete legitimate administrators. No public exploit identified at time of analysis, but the bugs are straightforward to weaponize once panel credentials are obtained.

Privilege Escalation Shopper
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Local privilege escalation in Plesk's APS Application Catalog allows an authenticated low-privileged user to execute arbitrary operating system commands by injecting malicious XPath syntax into the catalog search functionality. The flaw carries a critical CVSS 3.1 score of 9.9 due to scope change and full CIA impact, and no public exploit identified at time of analysis. The advisory was disclosed via HackerOne and acknowledged in a Plesk support article, but EPSS and KEV signals are not provided in the available intelligence.

Privilege Escalation
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Privilege escalation in OpenClaw's Slack plugin approval workflow allows authenticated users holding limited exec permissions to bypass operator-configured approval splits by resolving plugin approvals through the exec approver gate - approving actions outside their intended authorization boundary. All OpenClaw versions before 2026.5.12 are affected when the Slack plugin is deployed with approval split configurations. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 2.3 accurately reflects its narrow real-world impact, constrained by prerequisites and a low impact ceiling.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Froxlor 2.3.6 allows an authenticated customer with shell access to gain root SSH on the managed host by exploiting a symlink-following flaw in the root-owned SSH key synchronization cron. By replacing the customer's `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys` before the privileged sync runs, attacker-supplied keys are appended to root's authorized_keys. No public exploit identified at time of analysis beyond the detailed PoC in the GHSA advisory, and the issue is fixed in Froxlor 2.3.7.

Privilege Escalation PHP
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportIAMAction abuse the PUT /rustfs/admin/v3/import-iam endpoint to mint service accounts under arbitrary parent identities - including the root minioadmin user - granting full administrative control via attacker-chosen, persistent credentials. CVSS 4.0 scores this 9.3 (Critical) reflecting low attack complexity, low privileges, and high confidentiality/integrity impact with scope change. No public exploit identified at time of analysis, and no EPSS or KEV signal is provided.

Privilege Escalation Rustfs
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated privilege escalation in the WP Maps Pro WordPress plugin (all versions through 6.1.0) allows attackers to create a new administrator account and authenticate as that user, resulting in complete site takeover. The flaw stems from an AJAX handler exposed to unauthenticated users and protected only by a publicly-embedded nonce, making the access check ineffective. No public exploit identified at time of analysis, but the trivial nature of the bug (default-enabled handler, no authentication, magic login URL returned to the caller) makes weaponization straightforward once details circulate.

Privilege Escalation WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Privilege escalation in the Drupal SAML SSO - Service Provider contributed module (versions prior to 3.1.4) allows remote unauthenticated attackers to gain elevated privileges by exploiting improper handling of exceptional conditions during SAML authentication flows. The CVSS 7.4 (High) score reflects high attack complexity but network reachability and no authentication requirement, with confidentiality and integrity impact. EPSS probability is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.

Privilege Escalation Saml Sso Service Provider
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authenticated arbitrary file read in Arcane (Docker management UI) versions ≤ 1.19.3 allows any low-privileged user to read any file accessible to the backend process by abusing Docker Compose `include:` directives. Because `CreateProject` skips include-path validation that `UpdateProject` enforces, an attacker can register a project whose compose file points at `/etc/passwd` or `/app/data/arcane.db`, then fetch the contents via the project file API - yielding stored password hashes and API keys for all users, enabling admin takeover and host RCE through Arcane's Docker control plane. No public exploit identified at time of analysis; vendor patch is available in 1.19.4.

Docker Path Traversal Privilege Escalation
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated privilege escalation in the Advanced Custom Fields: Extended (ACFE) WordPress plugin through version 0.9.2.5 allows remote attackers to create new administrator-level accounts on vulnerable sites. The flaw stems from the after_validate_save_post() function trusting an attacker-controlled POST parameter to bypass role allow-list and capability validation when a public ACFE frontend form with a Create User action is exposed. With a CVSS 9.8 and no public exploit identified at time of analysis, the vulnerability presents a direct site-takeover path on affected configurations.

Privilege Escalation WordPress Advanced Custom Fields
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to version 148.0.7778.216 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a victim to visit a crafted HTML page that triggers an inappropriate implementation flaw in the ANGLE graphics layer. The issue is rated High by Chromium and carries a CVSS 3.1 score of 8.8 with user interaction required; no public exploit identified at time of analysis and EPSS is low at 0.04%.

Privilege Escalation RCE Google +1
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to break out of the renderer sandbox via a crafted HTML page that triggers an inappropriate implementation flaw in the Tint graphics component. The issue carries a CVSS 9.6 (scope-changed) rating reflecting cross-boundary impact, requires user interaction (visiting a malicious page), and is rated High severity by Chromium; there is no public exploit identified at time of analysis and EPSS is low at 0.03%.

Privilege Escalation Google Chrome
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page exploiting an inappropriate implementation in the Skia graphics library. Chromium rates the underlying issue as Critical severity, though no public exploit is identified at time of analysis and EPSS is very low at 0.03%. This is a chain-stage bug - exploitation requires a pre-existing renderer compromise, making it valuable as the second link in a full Android browser exploit chain rather than a standalone vector.

Privilege Escalation Google Chrome
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Full product takeover of Oracle Flow Manufacturing (versions 12.2.9 through 12.2.15) is achievable by a low-privileged remote attacker via SQL-based network access, per Oracle's advisory. The flaw scores CVSS 8.8 with high impact across confidentiality, integrity, and availability, and no public exploit has been identified at time of analysis. As a component of Oracle E-Business Suite, exploitation provides an attacker with control over a business-critical manufacturing execution system.

Oracle Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle Payroll (Self Service Manager component) of Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the Payroll module over HTTP. The CVSS 3.1 base score of 8.8 reflects high impacts to confidentiality, integrity, and availability, and Oracle has issued a fix in the May 2026 Critical Patch Update. No public exploit identified at time of analysis.

Oracle Privilege Escalation
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Account takeover in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows low-privileged remote attackers over HTTP to fully compromise the product with confidentiality, integrity, and availability impact. The CVSS 9.9 score reflects a scope-changing flaw whose blast radius extends to other Oracle E-Business Suite products beyond Universal Work Queue itself. No public exploit identified at time of analysis, but the low attack complexity and minimal privilege requirement make this a high-priority Oracle Critical Patch Update item.

Oracle Privilege Escalation
NVD VulDB
EPSS 0% 5.0 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Remote takeover of Oracle Payments in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible via the File Transmission component, allowing unauthenticated network-based attackers to fully compromise confidentiality, integrity, and availability (CVSS 9.8). The flaw is described by Oracle as easily exploitable over HTTP with no user interaction, and no public exploit identified at time of analysis. Tagged as Information Disclosure and listed in Oracle's May 2026 Critical Patch Update advisory.

Oracle Privilege Escalation Oracle Payments
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Sandbox escape in nono-cli allows a sandboxed process to fully break out of Landlock/seccomp confinement by communicating over the unmediated per-user systemd D-Bus Unix domain socket. Versions prior to 0.55.0 of the Rust CLI crate are affected, specifically when using bundled profiles such as 'claude-code' that permit bash execution. An attacker - or a prompt-injected AI coding agent - can invoke systemd-run --user from within the sandbox to spawn an unsandboxed sibling process capable of writing anywhere the launching user can write, executing arbitrary commands, and establishing network connections. A working proof-of-concept reproducer is publicly available in the GitHub Security Advisory GHSA-27vp-2mmc-vmh3; no CISA KEV listing exists at time of analysis.

Privilege Escalation Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Privilege escalation in Elastic Kibana's Fleet agent policy management feature allows authenticated Fleet administrators to inject unvalidated values into a configuration override mechanism, causing Elastic Agents to be provisioned with API keys carrying elevated Elasticsearch privileges. Successful exploitation yields unauthorized read/write access to sensitive Elasticsearch security indices beyond the Fleet role's intended scope. No public exploit identified at time of analysis, and CISA KEV does not list this issue.

Privilege Escalation Elastic
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Privilege escalation in Portainer Community Edition stems from permissive default endpoint security settings that grant non-admin users with endpoint access the ability to create containers with bind mounts, privileged mode, host namespaces, device mappings, sysctl settings, and Linux capabilities. An authenticated low-privilege user can leverage these defaults to read arbitrary host files or break out of the container boundary to achieve root-equivalent code execution on the Docker host. Publicly available exploit code exists per CVSS v4.0 threat metrics (E:P), but the issue is not listed in CISA KEV.

Privilege Escalation RCE Portainer Community Edition +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Privilege escalation in Capsule (the Kubernetes multi-tenancy operator) allows authenticated tenant owners to create cluster-scoped resources - including ClusterRole and ValidatingWebhookConfiguration - by embedding them in TenantResource RawItems, bypassing tenant isolation enforced by the platform. The Capsule Controller's default cluster-admin ClusterRoleBinding means it creates whatever resource it is instructed to process, and its attempt to namespace-scope the resource via obj.SetNamespace() is silently ignored by the Kubernetes API for cluster-scoped kinds. A working proof-of-concept is publicly documented in the GHSA advisory; no CISA KEV listing has been issued at time of analysis.

Privilege Escalation Information Disclosure Denial Of Service +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to escalate privileges across organizational boundaries by exploiting incomplete JWT validation in the GetTokenExchangeToken function. While the signature is verified, the absence of an organization-scope check lets a valid token issued for one tenant be exchanged for tokens against applications belonging to a different tenant, breaking the multi-tenant trust model. No public exploit identified at time of analysis, and EPSS remains very low (0.02%) despite a CVSS of 9.8.

Privilege Escalation Microsoft Casdoor
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Privilege escalation in Mennekes Amtron EV charging stations (firmware ≤ 5.22.3) allows a low-privileged authenticated user to overwrite credentials for the admin (operator) and manufacturer accounts through crafted POST requests, effectively granting full takeover of the charger's management interface. Publicly available exploit code exists per the CyberDanube research advisory, and the CVSS 4.0 base score of 9.3 reflects high impact across confidentiality, integrity, and availability with cascading effects on subsequent systems. Not currently listed in CISA KEV.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Canonical Multipass for macOS before 1.16.3 allows a low-privileged local user to obtain root execution by replacing co-located auxiliary binaries that the multipassd LaunchDaemon invokes via a user-writable PATH directory. The flaw is an incomplete remediation of CVE-2025-5199: while 1.16.0 corrected ownership of the multipassd binary itself, five sibling binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, sshfs_server) were left owned by the installing user and writable, enabling binary planting. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Privilege Escalation Apple Canonical
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Privilege escalation in phpMyFAQ before 4.1.3 allows any authenticated low-privilege administrator to take over SuperAdmin (userId=1) or any other account by manipulating the userId parameter in the /admin/api/user/overwrite-password PUT request. The flaw is an insecure direct object reference (IDOR) in the Admin API where authorization checks confirm only that the caller holds the generic USER_EDIT permission, never that the caller is authorized to manage the targeted account. No public exploit identified at time of analysis, but the GHSA advisory from the vendor (thorsten) publicly documents the exact vulnerable code path, making weaponization trivial.

Privilege Escalation Phpmyfaq
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Unauthenticated privilege escalation in the Frontend Admin by DynamiApps WordPress plugin (versions up to and including 3.29.2) allows remote attackers to create administrator accounts by submitting a crafted form payload. The flaw stems from the plugin trusting an attacker-supplied form definition passed via $_POST['_acf_form'] as an array, which bypasses the legitimate server-side form lookup and allows the role field's allowed values to be spoofed. No public exploit identified at time of analysis, but the vulnerability is reported by Wordfence and is straightforwardly weaponizable given the documented logic flaw.

Privilege Escalation WordPress
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse that token after it has been revoked, bypassing session expiration controls. The vulnerability surfaces specifically when revokeRefreshToken=true is configured alongside persistent session storage, and is triggered by a server restart that resets the internal timing mechanisms responsible for enforcing token revocation. Successful exploitation can yield full account takeover, information disclosure, or privilege escalation; no public exploit identified at time of analysis and the CVE does not appear in CISA KEV.

Privilege Escalation Information Disclosure Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Privilege escalation in Red Hat Build of Keycloak allows an authenticated administrator holding the manage-clients role to exploit a Time-of-check to time-of-use (TOCTOU) race condition in name-based admin role checks, elevating their privileges to realm-admin for all users within the realm. The resulting composite role relationship is persistent - it survives both manual revocation of the attacker's original permissions and system reboots, making remediation non-trivial post-exploitation. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Privilege Escalation Red Hat Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Local privilege escalation in Veeam Agent for Microsoft Windows enables a low-privileged authenticated user to escalate to higher privileges on the host, with the CWE-532 mapping indicating sensitive information is exposed via log files that the attacker can read or abuse. CVSS 4.0 base score is 7.3 with high impact to confidentiality, integrity, and availability of the vulnerable component, and no public exploit identified at time of analysis. The flaw is tied to the broader Veeam Backup and Replication 13 ecosystem (≤13.0.1 per ENISA EUVD), making it relevant on any Windows endpoint where the Veeam Agent is deployed alongside or as part of that platform.

Privilege Escalation Microsoft
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows an administrator with only limited client-management rights to attach arbitrary realm roles - including highly privileged ones - to a client's scope mappings, causing those roles to be injected into user authentication tokens that traverse the modified client. The flaw affects the Red Hat Build of Keycloak per the vendor advisory and has no public exploit identified at time of analysis, but the high-privilege admin pivot makes it operationally significant in multi-tenant identity deployments.

Privilege Escalation Red Hat Build Of Keycloak
NVD VulDB GitHub
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in Acer NitroSense software versions prior to 3.01.3052 allows any authenticated local user to delete arbitrary files with SYSTEM authority by abusing a weakly-ACL'd Named Pipe exposed by the PSAdminAgent service. No public exploit has been identified at time of analysis, but the issue was disclosed by Acer themselves and a patched version is available.

Privilege Escalation Path Traversal Nitrorsense V3
NVD VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Privilege escalation in Budibase before 3.39.0 lets a workspace-scoped builder promote themselves or any other user to global administrator with a single POST to /api/public/v1/roles/assign. The builderOrAdmin middleware admits app-level builders (builder.apps set, builder.global unset) and the controller blindly spreads the request body into the SDK, allowing the caller to set builder.global=true or admin.global=true on arbitrary user IDs. The flaw turns a tenant-confined Enterprise feature into full tenant-wide takeover; no public exploit is identified at time of analysis, but the technique is fully described in the GitHub advisory.

Privilege Escalation
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circumvent fingerprint or PIN protection and access locked applications such as Chrome. The flaw stems from the app's reliance on a custom UI overlay rather than enforcing authentication at a deeper system level - cascading interface navigation triggered via advertisement or browser intents exposes routes that allow the attacker to exit the lock screen without re-authenticating. No public exploitation (CISA KEV) has been confirmed, but a researcher-published proof-of-concept exists on GitHub, and EPSS is low at 0.04% (11th percentile), consistent with the physical-access requirement limiting opportunistic exploitation.

Google Information Disclosure Privilege Escalation +2
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Jenkins Job Import Plugin version 143.v044a_2e819b_27 and earlier exposes credentials ID enumeration to any authenticated user holding the minimal Overall/Read permission due to a missing permission check on an HTTP endpoint. Any low-privileged Jenkins user can query this endpoint and retrieve the IDs of all credentials stored in the Jenkins credentials store, enabling reconnaissance for follow-on credential-targeting attacks. No public exploit has been identified at time of analysis, CISA has not listed this in KEV, and SSVC rates exploitation status as none with partial technical impact.

Privilege Escalation Jenkins
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Missing permission check in Jenkins AppSpider Plugin 1.0.17 and earlier allows any authenticated user with Overall/Read permission to force the Jenkins server to initiate connections to arbitrary attacker-specified URLs via a form validation endpoint. This constitutes a server-side request forgery (SSRF)-class primitive - an attacker can leverage this to probe internal network services, perform port scanning, or interact with internal infrastructure reachable by the Jenkins host. No public exploit has been identified at time of analysis, and CISA SSVC assessment confirms no active exploitation.

Privilege Escalation Jenkins
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of a client's service account by submitting an oversized subject_token JWT to the TokenEndpoint. When the token exceeds the 4000-character limit it is silently discarded rather than rejected, causing the server to fall back to client-credentials authentication and grant the attacker the client's service-account scope. No public exploit identified at time of analysis and EPSS is very low (0.04%), but CVSS rates the issue 8.8 due to full CIA impact post-exploitation.

Privilege Escalation Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in IBM Netezza Performance Server Replication Services (versions 3.0.2.0 through 3.0.5.0) allows an already-authenticated, low-privileged user on the appliance to gain full root control. By abusing the over-privileged Replication Services component the attacker can execute root-level commands, spawn a root shell, reset the root password, alter or delete system-wide files, and plant persistent backdoors, resulting in complete loss of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and no EPSS score was supplied in the source data, so the issue currently reflects vendor-reported risk rather than observed exploitation.

Privilege Escalation IBM
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in the WebinarIgnition WordPress plugin (Saleswonder Team: Tobias) affects all versions through 4.08.252 and allows remote attackers to obtain elevated privileges due to incorrect privilege assignment. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the EPSS score is very low (0.04%, 13th percentile), indicating no observed exploitation activity despite the critical severity.

Privilege Escalation
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in the miniOrange OTP Verification WordPress plugin (all versions up to and including 5.4.9) lets remote unauthenticated attackers gain elevated privileges due to incorrect privilege assignment (CWE-266). With a CVSS 9.8 vector indicating network reach, no authentication, and no user interaction, a successful attack can fully compromise the confidentiality, integrity, and availability of the affected WordPress site. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Local privilege escalation in Phoenix Contact PLCnext controllers (AXC F 1152/1252/2152/3152, AXC F 2000 EA, RFC 4072R/4072S, EPC 1522, BPC 9102S, VL3 UPC 2440 EDGE) and the virtual PLCnext Control 500/1000/2000/3000 product lines before firmware 2026.0.3 allows a low-privileged local user to plant or modify configuration and application files in user-writable filesystem locations that a privileged service later consumes, gaining elevated privileges. The flaw (CWE-427) is rated CVSS 4.0 8.7 (High) but carries a very low EPSS of 0.03% (9th percentile). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Firebase Support & Chat Management WordPress plugin (all versions up to and including 3.1.1) lets any authenticated Subscriber-level user take over any other account, including Administrator. The plugin's acb_firebase_auth AJAX handler logs the request in as whatever WordPress account matches the attacker-supplied user_email parameter, never verifying the accompanying Firebase ID token. No public exploit was identified at time of analysis and the EPSS probability is very low (0.04%, 13th percentile), but the bug is trivially exploitable wherever the plugin is active and a low-privilege account can be obtained.

Privilege Escalation WordPress
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Path traversal in the tmp npm package (versions < 0.2.6) lets callers escape the intended temporary directory by passing traversal sequences or absolute paths in the prefix, postfix, or dir options to tmp.file(), tmp.dir(), or tmp.tmpName(). Applications that forward untrusted input into those options can be coerced into creating files at attacker-chosen filesystem locations with the process's privileges, enabling config poisoning, cache poisoning, or web-shell drops. Publicly available exploit code exists (the advisory ships a working PoC and a regression test), but no public exploit identified at time of analysis indicates active exploitation in the wild.

Path Traversal PHP Microsoft +4
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW Monitor

Incorrect access control in Northern.tech Mender Enterprise Server before 4.1.1 allows remote unauthenticated attackers to gain limited confidential data exposure under high-complexity conditions. Classified under CWE-269 (Improper Privilege Management) and tagged as a Privilege Escalation vector, the flaw introduces an unauthorized access path to restricted resources, though impact is constrained to low confidentiality loss with no integrity or availability consequence. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (5th percentile) reflects a minimal probability of imminent widespread exploitation.

Privilege Escalation
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation and sensitive-data disclosure in Kirby CMS (versions before 4.9.1 and 5.4.1) let authenticated Panel users invoke arbitrary model methods through unvalidated collection-query parameters. By naming internal methods such as password(), root(), loginPasswordless() or delete() in filter/sort/findBy queries or the equivalent REST API search endpoints, a low-privilege Panel user can leak password hashes and server filesystem paths, take over other accounts, or mass-delete content. No public exploit identified at time of analysis and EPSS is low (0.07%), but the vendor rates real-world impact as high for any site exposing the Panel to untrusted users.

RCE Information Disclosure Privilege Escalation
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

LDAP injection in Yamcs LdapAuthModule (yamcs-core < 5.12.7) enables horizontal privilege escalation for authenticated low-privilege users. By submitting a wildcard character as the username alongside a single known valid LDAP password, an attacker causes the unescaped LDAP search filter to match the first user returned by the directory query, effectively authenticating as that account. A proof-of-concept exploit is publicly available in the GitHub advisory; no CISA KEV listing exists, but the low attack complexity and published PoC make this a credible threat for any Yamcs deployment using LDAP authentication.

Java LDAP Privilege Escalation +1
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Apple macOS allows a malicious app already running with low privileges to elevate to root by exploiting a logic flaw (improper privilege management) that was resolved with additional validation checks. The flaw affects macOS Sonoma before 14.8, macOS Sequoia before 15.7, and macOS Tahoe before 26, and was reported by Apple itself. There is no public exploit identified at time of analysis and no EPSS or KEV signal was provided, indicating no confirmed active exploitation.

Apple Privilege Escalation
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Local privilege escalation in OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows unprivileged local users to execute arbitrary OS commands as root by abusing an exposed local IPC channel to the privileged background service. The flaw carries a CVSS 4.0 score of 9.4 with scope change (SC:H/SI:H/SA:H), and SSVC rates technical impact as total, though there is no public exploit identified at time of analysis and EPSS is only 0.04%.

Apple Privilege Escalation Command Injection +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Privilege escalation in Joomla! CMS via the com_users batch task allows low-privileged authenticated users to bypass access controls and elevate their user group membership or permissions. Affected versions span two major release lines: 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0, as confirmed by ENISA EUVD-2026-31880 and the Joomla Security Centre. No public exploit has been identified and EPSS is effectively zero; however, SSVC assesses the technical impact as total, meaning successful exploitation could yield full privilege takeover within the application.

Authentication Bypass Privilege Escalation Joomla Cms
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users batch task due to an improper access check (CWE-284). The flaw enables unauthorized modification of user accounts and elevation of privileges across affected installations, with no public exploit identified at time of analysis. EPSS scoring is 0.00% and the vulnerability is not listed in CISA KEV, but the CVSSv4 base score of 8.2 reflects high integrity impact.

Authentication Bypass Privilege Escalation Joomla Cms
NVD VulDB
Prev Page 6 of 148 Next

Quick Facts

Typical Severity
HIGH
Category
auth
Total CVEs
13299

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy