Privilege Escalation
Privilege escalation occurs when an attacker leverages flaws in access control mechanisms to gain permissions beyond what they were originally granted.
How It Works
The attack exploits the gap between what the system believes a user is permitted to do and what the user can actually make it do through manipulation or exploitation of the access-control logic.
Vertical escalation is the classic form—a regular user obtaining administrator rights. This happens through kernel exploits that bypass OS-level security, misconfigurations in role-based access control (RBAC) that fail to enforce boundaries, or direct manipulation of authorization tokens and session data. Horizontal escalation involves accessing resources belonging to users at the same privilege level, typically through insecure direct object references (IDOR) where changing an ID in a request grants access to another user's data.
Context-dependent escalation exploits workflow logic by skipping authorization checkpoints. An attacker might access administrative URLs directly without going through proper authentication flows, manipulate parameters to bypass permission checks, or exploit REST API endpoints that don't validate method permissions—like a read-only GET permission that can be leveraged for write operations through protocol upgrades or alternative endpoints.
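The three forms described above, as an added example that is not code from the original page: each flaw is shown as a vulnerable handler beside its hardened form. The User and Document records, the route table, the grant set and the handler names are assumptions constructed for this example.

```python
# Added example (not code from the original page): horizontal (IDOR), vertical
# (client-supplied role) and context-dependent (one route checks, another does
# not) escalation, each vulnerable form beside its hardened form.
# The User/Document records, the route table and the handler names are
# assumptions constructed for this example.
from dataclasses import dataclass
from typing import Callable


@dataclass
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass
class Document:
    id: int
    owner_id: int
    body: str


class Forbidden(Exception):
    """Raised when an authorization check fails."""


# Constructed sample data: two ordinary users, one admin, one document each.
USERS = {1: User(1, "user"), 2: User(2, "user"), 9: User(9, "admin")}
DOCS = {100: Document(100, 1, "alice's notes"), 200: Document(200, 2, "bob's notes")}


# --- Horizontal escalation (IDOR): object fetched by client-supplied id only.
def get_document_vulnerable(session_user_id: int, doc_id: int) -> str:
    # The caller is authenticated, but nothing ties doc_id to the caller.
    return DOCS[doc_id].body


def get_document_hardened(session_user_id: int, doc_id: int) -> str:
    user = USERS[session_user_id]
    doc = DOCS.get(doc_id)
    # Ownership is checked on every object access; admin is the only other path.
    if doc is None or (doc.owner_id != user.id and user.role != "admin"):
        raise Forbidden("document not accessible to this user")
    return doc.body


# --- Vertical escalation: privilege level read from client-controlled data.
def is_admin_vulnerable(request: dict) -> bool:
    # A cookie or parameter the client can rewrite decides the privilege level.
    return request.get("role") == "admin"


def is_admin_hardened(request: dict) -> bool:
    # Privilege level is resolved server-side from the authenticated identity.
    return USERS[request["session_user_id"]].role == "admin"


# --- Context-dependent escalation: permission enforced on one route only.
# Every (method, path) maps to an action; anything not listed is denied.
ROUTE_ACTIONS = {
    ("GET", "/docs"): "read",
    ("PUT", "/docs"): "write",
    ("POST", "/docs/import"): "write",  # alternative path that also writes
}
# Explicit grants per (role, action); absence means denied.
GRANTS = {("user", "read"), ("admin", "read"), ("admin", "write")}


def dispatch_vulnerable(request: dict) -> str:
    user = USERS[request["session_user_id"]]
    method, path = request["method"], request["path"]
    # Only the canonical PUT route checks the role; the import route skips it.
    if (method, path) == ("PUT", "/docs") and user.role != "admin":
        raise Forbidden("admin required")
    return f"{method} {path} handled"


def dispatch_hardened(request: dict) -> str:
    user = USERS[request["session_user_id"]]
    key = (request["method"], request["path"])
    action = ROUTE_ACTIONS.get(key)
    # One central check for every route: unknown route or missing grant -> deny.
    if action is None or (user.role, action) not in GRANTS:
        raise Forbidden(f"{user.role} may not {action or 'access'} {key}")
    return f"{key[0]} {key[1]} handled"


def denied(fn: Callable, *args) -> bool:
    """True if fn(*args) is refused by an authorization check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Bob (id 2) reads Alice's document through the IDOR, but not past the fix.
    print(get_document_vulnerable(2, 100), denied(get_document_hardened, 2, 100))
    # A read-only user reaches a write operation through the unchecked route.
    print(dispatch_vulnerable({"session_user_id": 1, "method": "POST", "path": "/docs/import"}))
    print(denied(dispatch_hardened, {"session_user_id": 1, "method": "POST", "path": "/docs/import"}))
```

The hardened dispatcher is the shape to aim for: one authorization decision point that every route passes through, with a route table that names the action each (method, path) performs, so an alias endpoint or a different HTTP method cannot sidestep the check that the canonical route applies.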
Impact
- Full system compromise through kernel-level exploits granting root or SYSTEM privileges
- Administrative control over applications, allowing configuration changes, user management, and deployment of malicious code
- Lateral movement across cloud infrastructure, containers, or network segments using escalated service account permissions
- Data exfiltration by accessing databases, file systems, or API endpoints restricted to higher privilege levels
- Persistence establishment through creation of backdoor accounts or modification of system configurations
Real-World Examples
Kubernetes clusters have been compromised through kubelet API misconfigurations where read-only GET permissions on worker nodes could be escalated to remote code execution. Attackers upgraded HTTP connections to WebSockets to access the /exec endpoint, gaining shell access to all pods on the node. This affected over 69 Helm charts including widely-deployed monitoring tools like Prometheus, Grafana, and Datadog agents.
Windows Print Spooler vulnerabilities (PrintNightmare class) allowed authenticated users to execute arbitrary code with SYSTEM privileges by exploiting improper privilege checks in the print service. Attackers loaded malicious DLLs through carefully crafted print jobs, escalating from low-privilege user accounts to full domain administrator access.
Cloud metadata services have been exploited where SSRF vulnerabilities combined with over-permissioned IAM roles allowed attackers to retrieve temporary credentials with elevated permissions, pivoting from compromised web applications to broader cloud infrastructure access.
Mitigation
- Enforce deny-by-default access control where permissions must be explicitly granted rather than implicitly allowed
- Implement consistent authorization checks at every layer—API gateway, application logic, and data access—never relying on client-side or single-point validation
- Apply principle of least privilege with time-limited, scope-restricted permissions and just-in-time access for administrative functions
- Audit permission inheritance and role assignments regularly to identify overly permissive configurations or privilege creep
- Separate execution contexts using containers, sandboxes, or capability-based security to limit blast radius
- Deploy runtime monitoring for unusual privilege usage patterns and anomalous access to restricted resources
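The deny-by-default, least-privilege, audit and runtime-monitoring points above, as an added example that is not code from the original page: a small grant store where nothing is allowed without an explicit unexpired grant, just-in-time elevation with a short TTL, an audit pass that flags privilege creep, and a check over an audit log for privileged actions with no active grant. The Grant model, the sample grants and the constructed log events are assumptions made for this example.

```python
# Added example (not from the original page): a deny-by-default grant store with
# time-limited just-in-time elevation, an audit pass for privilege creep, and a
# runtime check that flags privileged actions performed without an active grant.
# The Grant model, the sample grants and the constructed audit log are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Grant:
    principal: str
    action: str                     # e.g. "db:read"; "*" matches any action
    scope: str                      # e.g. "orders-db"; "*" matches any resource
    expires_at: Optional[datetime]  # None means a standing (non-expiring) grant


def is_allowed(grants: List[Grant], principal: str, action: str, scope: str,
               now: datetime) -> bool:
    """Deny by default: allow only when an explicit, unexpired grant matches."""
    for g in grants:
        if g.principal != principal:
            continue
        if g.action not in ("*", action) or g.scope not in ("*", scope):
            continue
        if g.expires_at is not None and now >= g.expires_at:
            continue  # an expired grant is treated as absent
        return True
    return False


def request_jit_grant(grants: List[Grant], principal: str, action: str, scope: str,
                      now: datetime, ttl: timedelta = timedelta(minutes=30)) -> List[Grant]:
    """Just-in-time elevation: a narrowly scoped grant that expires on its own."""
    return grants + [Grant(principal, action, scope, now + ttl)]


def audit_privilege_creep(grants: List[Grant], now: datetime,
                          max_life: timedelta = timedelta(days=90)) -> List[str]:
    """Flag standing wildcard grants and grants that live far longer than needed."""
    findings = []
    for g in grants:
        if g.expires_at is None and "*" in (g.action, g.scope):
            findings.append(f"{g.principal}: standing wildcard grant {g.action} on {g.scope}")
        elif g.expires_at is not None and g.expires_at - now > max_life:
            findings.append(f"{g.principal}: grant {g.action} on {g.scope} outlives {max_life.days}d")
    return findings


def detect_unauthorized_use(grants: List[Grant], audit_log: List[dict]) -> List[dict]:
    """Runtime monitoring: events whose action had no active grant when it happened."""
    return [ev for ev in audit_log
            if not is_allowed(grants, ev["principal"], ev["action"], ev["scope"], ev["at"])]


# Constructed sample data.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
GRANTS = [
    Grant("alice", "db:read", "orders-db", None),                # least privilege
    Grant("svc-backup", "*", "*", None),                         # privilege creep
    Grant("bob", "iam:write", "*", NOW + timedelta(days=200)),   # far too long-lived
]
AUDIT_LOG = [
    {"principal": "alice", "action": "db:read", "scope": "orders-db", "at": NOW},
    {"principal": "alice", "action": "iam:write", "scope": "orders-db", "at": NOW},  # anomalous
    {"principal": "bob", "action": "iam:write", "scope": "users", "at": NOW},
]


def jit_elevation_demo():
    """Grant alice a 30-minute write elevation; report its state at +10 and +31 minutes."""
    elevated = request_jit_grant(GRANTS, "alice", "db:write", "orders-db", NOW)
    return (is_allowed(elevated, "alice", "db:write", "orders-db", NOW + timedelta(minutes=10)),
            is_allowed(elevated, "alice", "db:write", "orders-db", NOW + timedelta(minutes=31)))


if __name__ == "__main__":
    print("JIT grant active at +10m / +31m:", jit_elevation_demo())
    for f in audit_privilege_creep(GRANTS, NOW):
        print("AUDIT:", f)
    for ev in detect_unauthorized_use(GRANTS, AUDIT_LOG):
        print("ALERT:", ev)
```

The same `is_allowed` routine serves both enforcement and detection: at request time it is the authorization decision, and replayed over the audit log it surfaces actions that succeeded without a matching grant, which is exactly the "unusual privilege usage" the last mitigation point asks you to watch for.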
Recent CVEs (2402)
NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. [CVSS 7.3 HIGH]
Applinx versions up to 11.1.0 are affected by improper verification of cryptographic signature (CVSS 7.3).
The Creator LMS - The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. [CVSS 8.8 HIGH]
Advanced Custom Fields: Extended plugin for WordPress has a privilege escalation vulnerability allowing unauthenticated users to gain admin access in all versions up to the latest.
The RegistrationMagic WordPress plugin up to version 6.0 allows unauthenticated privilege escalation, enabling attackers to create admin accounts and take over WordPress sites.
Modular DS modular-connector has a CVSS 10.0 privilege escalation vulnerability through incorrect privilege assignment, allowing unauthenticated attackers to gain full administrative access to WordPress sites.
In cpm_fwtp_msg_handler of cpm/google/lib/tracepoint/cpm_fwtp_ipc.c, there is a possible memory overwrite due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.8 HIGH]
The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to trick Process Optimization services into loading arbitrary code and escalate privileges to OS System, potentially resulting in complete compromise of the Model Application Server. [CVSS 8.8 HIGH]
The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Designer User) to embed OLE objects into graphics, and escalate their privileges to the identity of a victim user who subsequently interacts with the graphical elements. [CVSS 7.4 HIGH]
Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. [CVSS 5.4 MEDIUM]
Laravel Valet versions 1.1.4 to 2.0.3 contain a local privilege escalation vulnerability that allows users to modify the valet command with root privileges. Attackers can edit the symlinked valet command to execute arbitrary code with root permissions without additional authentication. [CVSS 8.4 HIGH]
Stored XSS in Altium Workflow Engine allows authenticated users to inject malicious scripts into workflow forms that execute with administrator privileges when viewed. An attacker can exploit this to escalate privileges, create new admin accounts, steal session tokens, and perform arbitrary administrative actions. No patch is currently available for the on-premises enterprise server deployment.
A local information disclosure vulnerability exists in the Ludashi driver before 5.1025 due to a lack of access control in the IOCTL handler. This driver exposes a device interface accessible to a normal user and handles attacker-controlled structures containing the lower 4GB of physical addresses. [CVSS 7.3 HIGH]
A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges. [CVSS 8.8 HIGH]
its Sudo configuration contains a vulnerability that allows attackers to gain root access (CVSS 6.2).
10-Strike Network Inventory Explorer Pro 9.31 contains an unquoted service path vulnerability in the srvInventoryWebServer service running with LocalSystem privileges. [CVSS 7.8 HIGH]
MilleGPG5 5.7.2 contains a local privilege escalation vulnerability that allows authenticated users to modify service executable files in the MariaDB bin directory. Attackers can replace the mysqld.exe with a malicious executable, which will execute with system privileges when the computer restarts. [CVSS 7.8 HIGH]
Rocket.Chat versions prior to 6.12.0 expose the OAuth applications API endpoint to any authenticated user, allowing disclosure of sensitive credentials including client IDs and secrets regardless of user role or permissions. An attacker with valid credentials can enumerate OAuth applications and extract their secrets by knowing application IDs, potentially compromising integrated third-party applications. Public exploit code exists for this vulnerability and no patch is currently available.
NVIDIA NSIGHT Graphics for Linux contains a vulnerability where an attacker could cause command injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and denial of service. [CVSS 7.8 HIGH]
BLUVOYIX admin APIs allow unauthenticated creation of admin users, enabling complete platform takeover.
Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session.
Modular DS WordPress plugin (through 2.5.1) has incorrect privilege assignment allowing unauthenticated privilege escalation. Maximum CVSS 10.0 with scope change, EPSS 6.8%.
HarmonyOS versions up to 6.0.0 are affected by permissions, privileges, and access controls (CVSS 5.7).
TeamSpeak versions up to 3.5.6 are affected by incorrect permission assignment for critical resource (CVSS 7.8).
Cyclades Serial Console Server 3.3.0 contains a local privilege escalation vulnerability due to overly permissive sudo privileges for the admin user and admin group. [CVSS 6.2 MEDIUM]
WAGO PFC200 G2 PLC (firmware affected) allows privilege escalation through cookie manipulation. Users can modify cookie values to gain admin privileges. PoC available.
CoolerMaster MasterPlus 1.8.5 contains an unquoted service path vulnerability in the MPService that allows local attackers to execute code with elevated system privileges. [CVSS 8.4 HIGH]
A local privilege-escalation vulnerability has been discovered in the HPE Aruba Networking Virtual Intranet Access (VIA) client. Successful exploitation of this vulnerability could allow a local attacker to achieve arbitrary code execution with root privileges. [CVSS 7.8 HIGH]
In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). [CVSS 7.8 HIGH]
A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges. [CVSS 8.8 HIGH]
A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.4). Affected application contains a local privilege escalation vulnerability that could allow an attacker to run arbitrary code with elevated privileges. [CVSS 8.8 HIGH]
SAP Fiori App Intercompany Balance Reconciliation fails to enforce proper authorization controls, allowing authenticated users to escalate privileges and access or modify sensitive data they should not have permission to view. An attacker with valid credentials can exploit missing access checks to compromise the confidentiality and integrity of financial reconciliation data. No patch is currently available for this vulnerability.
Hana Database versions up to 2.00 are affected by missing authentication for critical function (CVSS 8.8).
ServiceNow AI Platform has a user impersonation vulnerability allowing unauthenticated attackers to impersonate any user and perform their authorized actions. ServiceNow has deployed patches to hosted instances and self-hosted updates are available.
Automai Director v25.2.0 allows authenticated users to escalate to full administrative privileges with scope change (CVSS 9.9). Low-privileged users can take complete control of the automation platform.
KACE Desktop Authority versions up to 11.3.1 are affected by incorrect default permissions (CVSS 5.3).
Authorization Bypass Through User-Controlled Key vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Privilege Escalation. This issue affects DX NetOps Spectrum: 24.3.10 and earlier. [CVSS 8.8 HIGH]
OpenProject versions prior to 16.6.2 fail to implement rate-limiting on the unauthenticated password-change endpoint, allowing attackers to conduct brute-force attacks against known user accounts without triggering lockout mechanisms. An attacker can systematically guess passwords using common wordlists and achieve full account compromise, potentially escalating privileges depending on the victim's role within the application. A patch is available in version 16.6.2.
An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges because the application stores password hashes in MD5 format. [CVSS 5.3 MEDIUM]
An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via a crafted HTTP request [CVSS 6.5 MEDIUM]
Frontend Admin by DynamiApps WordPress plugin (through 3.28.25) allows unauthenticated privilege escalation to administrator via insufficient role validation. Attackers can register as admins and take full control of the site.
Mf258K Pro Firmware versions up to zte_mf258kpro_play_v1.0.0b03 are affected by improper privilege management (CVSS 4.3).
Panda Wireless PWRU0 devices (firmware 2.2.9) expose WAN, LAN, and wireless configuration endpoints without authentication. Remote attackers can modify all network settings. PoC available.
RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted credentials by exploiting a flawed deny_only check in the IAM system. PoC available, patch available.
Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permissions to execute import operations, enabling unauthorized modification of users, groups, policies, and service accounts. Public exploit code exists for this vulnerability, and authenticated attackers can escalate privileges through malicious IAM imports. The issue affects all pre-1.0.0-alpha.79 versions with no patch currently available.
Arbitrary code execution in PIONEER CORPORATION product installers through DLL search path manipulation allows local attackers with user interaction to execute malicious code with installer privileges. The vulnerability affects multiple products and requires user interaction to trigger, potentially compromising system integrity during software installation. No patch is currently available.
NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking users into opening application files from remote shares. [CVSS 9.8 CRITICAL]
The absence of permissions control for the user XXX allows the current configuration in the sudoers file to escalate privileges without any restrictions.
A stored Cross-Site Scripting (XSS) vulnerability exists in Perch CMS version 3.2. An authenticated attacker with administrative privileges can inject malicious JavaScript code into the “Help button url” setting within the admin panel. [CVSS 6.1 MEDIUM]
Incorrect Privilege Assignment vulnerability in Dasinfomedia WPCHURCH allows Privilege Escalation. This issue affects WPCHURCH: from n/a through 2.7.0. [CVSS 8.8 HIGH]
Optional Email plugin for WordPress (through 1.3.11) has a privilege escalation via a filter that leaks predictable password reset keys. The 'random_password' filter affects not just registration but also password reset key generation, making reset tokens guessable.
Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress, AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation. This issue affects Premium Age Verification / Restriction for WordPress: from n/a through 3.0.2; Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through 3.0. [CVSS 8.8 HIGH]
H3C wireless controllers (M102G) and access points (BA1500L) have a vsftpd misconfiguration that grants root ownership to anonymously uploaded FTP files. Attackers can upload malicious files that execute with root privileges, gaining full device control.
AirVPN Eddie on macOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root. This issue affects Eddie: 2.24.6.
TDM Digital Signage PC Player 4.1.0.4 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files. [CVSS 8.8 HIGH]
Dell Secure Connect Gateway (SCG) 5.0 Appliance and Application, versions 5.26 to 5.30, contain an Execution with Unnecessary Privileges vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. [CVSS 6.4 MEDIUM]
FS Registration Password plugin for WordPress (through 1.0.1) allows unauthenticated password resets for any user. Same vulnerability class as CVE-2025-14996 (AS Password Field) – missing identity verification before password change.
AS Password Field plugin for WordPress (through 2.0.0) allows unauthenticated password resets for any user without identity verification. Like CVE-2025-14998 (Branda), this enables immediate administrator account takeover.
An uncontrolled DLL loading path vulnerability exists in AsusSoftwareManagerAgent. A local attacker may influence the application to load a DLL from an attacker-controlled location, potentially resulting in arbitrary code execution. [CVSS 7.8 HIGH]
In dpe, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In geniezone, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In seninf, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.0 HIGH]
In mminfra, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In c2ps, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In battery, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In battery, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
Android versions up to 15.0 contain a vulnerability that allows local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 7.8).
In KeyInstall, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Android versions up to 14.0 contain a vulnerability that allows local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.7).
In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
In display, there is a possible use after free due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.0 HIGH]
In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
Download Manager (WordPress plugin) versions up to 3.3.40 contain a security vulnerability (CVSS 7.3).
A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. [CVSS 7.5 HIGH]
The Branda WordPress plugin (through 3.4.24) allows unauthenticated attackers to reset any user's password without identity verification, enabling account takeover including administrator accounts. Full site compromise is one password reset away.
Linux kernel Landlock security module fails to properly enforce access controls on disconnected directories (files or directories visible through bind mounts but inaccessible from the mount point after rename/move operations), potentially widening access rights and causing inconsistent access results when sandboxed tasks interact with such paths. The vulnerability affects the Landlock mandatory access control framework's ability to prevent privilege escalation through filesystem operations on out-of-scope paths, requiring the sandboxed task to already possess write access to the bind mount source and read access to the mount point to trigger the issue.
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and enables full remote code execution through unsanitized PostgreSQL init script filenames passed to shell commands. A public proof-of-concept exploit is available, and while not currently in CISA KEV, the vulnerability has a moderate EPSS score of 0.41% indicating some exploitation probability.
Local privilege escalation in Apple operating systems (iOS, iPadOS, macOS Tahoe, visionOS, watchOS) allows authenticated applications to bypass payment token access restrictions and obtain sensitive payment credentials. The vulnerability affects all versions prior to the 26.2 release across affected platforms. CVSS 5.5 with low real-world exploitation risk (EPSS 0.01%), no public exploit identified, not listed in CISA KEV.
Linux kernel binfmt_misc module fails to restore write access to executable files when error handling closes improperly opened file descriptors, potentially causing subsequent write operations on the same file to fail and creating a denial-of-service condition for legitimate file modifications. The vulnerability affects the bm_register_write() function which uses open_exec() to open executable files with intentionally denied write permissions, but does not call exe_file_allow_write_access() before closing the file on error paths. With an EPSS score of 0.03% (8th percentile), this represents a low exploitation probability; no public exploit has been identified at time of analysis.
Broken access control in ThemeFusion Avada WordPress theme through version 7.13.2 allows authenticated attackers with low privileges to access functionality improperly constrained by access control lists, potentially achieving full site compromise. With CVSS 8.8 (High) due to network-based access requiring only low-privilege authentication, attackers can achieve high confidentiality, integrity, and availability impact. EPSS probability remains low at 0.06% (18th percentile), and no public exploit identified at time of analysis, suggesting limited immediate exploitation risk despite the critical CVSS rating.
Quick Facts
- Typical Severity: HIGH
- Category: auth
- Total CVEs: 2402