CVE Daily
← All tags

Tag: Privilege Escalation

All CVEs associated with "Privilege Escalation". Page 11/66 • 7822 CVEs.

Subscribe CVEs: RSS for “Privilege Escalation”  ·  RSS (High+Critical only)

About “Privilege Escalation”

A curated feed of “Privilege Escalation”-related CVEs appears below. We currently track 7822 CVEs for this tag (all time). In the last 365 days, 1227 were published. Average CVSS is 7.7 (all time; 7.9 over 365d), and 84% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-269 - Improper Privilege Management, CWE-266 - Incorrect Privilege Assignment, CWE-862 - Missing Authorization.

In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2025-06-09
High

CVE-2025-47561

Incorrect Privilege Assignment vulnerability in RomanCode MapSVG mapsvg allows Privilege Escalation.This issue affects MapSVG: from n/a through < 8.6.13.

CVSS: 8.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
High

CVE-2025-23974

Incorrect Privilege Assignment vulnerability in ifkooo One-Login one-login allows Privilege Escalation.This issue affects One-Login: from n/a through <= 1.4.

CVSS: 8.1 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
High

CVE-2025-49006

Wasp (Web Application Specification) is a Rails-like framework for React, Node.js, and Prisma. Prior to version 0.16.6, Wasp authentication has a vulnerability in the OAuth authentication implementat…

CVSS: 8.2 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2025-06-08
High

CVE-2025-35010

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MNPINGTM command that can lead to privilege escalation.…

CVSS: 7.1 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
High

CVE-2025-35009

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MNNETSP command that can lead to privilege escalation.…

CVSS: 7.1 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
High

CVE-2025-35008

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MMNAME command that can lead to privilege escalation. T…

CVSS: 7.1 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
High

CVE-2025-35007

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFRULE command that can lead to privilege escalation. T…

CVSS: 7.1 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
High

CVE-2025-35006

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFPORTFWD command that can lead to privilege escalation…

CVSS: 7.1 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
High

CVE-2025-35005

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFMAC command that can lead to privilege escalation. Th…

CVSS: 7.1 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
High

CVE-2025-35004

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFIP command that can lead to privilege escalation. Thi…

CVSS: 7.1 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
2025-06-07
High

CVE-2025-47601

Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks maxi-blocks allows Privilege Escalation.This issue affects MaxiBlocks: from n/a through <= 2.1.0.

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
2025-06-06
High

CVE-2025-5480

Action1 Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Action1. An attacker…

CVSS: 7.8 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
High

CVE-2025-5474

2BrightSparks SyncBackFree Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of 2BrightSparks SyncBac…

CVSS: 7.3 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
High

CVE-2025-5791

A flaw was found in the user's crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than exactly 1024 groups, leading to the err…

CVSS: 7.1 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
Medium

CVE-2025-30981

Cross-Site Request Forgery (CSRF) vulnerability in tggfref WP-Recall allows Privilege Escalation. This issue affects WP-Recall: from n/a through 16.26.14.

CVSS: 6.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Critical

CVE-2025-5486

The WP Email Debug plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the WPMDBUG_handle_settings() function in versions 1.0 to 1.1.0. This makes it possi…

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD
2025-06-05
Medium

CVE-2025-49012

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Himmelblau versions 0.9.0 through 0.9.14 and 1.00-alpha are vulnerable to a privilege escalation issue when Entra ID g…

CVSS: 5.4 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2025-5701

The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in…

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
2025-06-04
High

CVE-2025-46341

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server is using HTTP auth via reverse proxy, it's possible to impersonate any user either via the `Remote-User` header…

CVSS: 7.1 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2025-23106

An issue was discovered in Samsung Mobile Processor Exynos 2200, 1480, and 2400. A Use-After-Free in the mobile processor leads to privilege escalation.

CVSS: 6.5 CWE: CWE-416 - Use After Free View on NVD
Medium

CVE-2025-23101

An issue was discovered in Samsung Mobile Processor Exynos 1380. A Use-After-Free in the mobile processor leads to privilege escalation.

CVSS: 6.5 CWE: CWE-416 - Use After Free View on NVD
Medium

CVE-2025-23096

An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400. A Double Free in the mobile processor leads to privilege escalation.

CVSS: 6.5 CWE: CWE-415 - Double Free View on NVD
Medium

CVE-2025-23095

An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400. A Double Free in the mobile processor leads to privilege escalation.

CVSS: 6.5 CWE: CWE-415 - Double Free View on NVD
High

CVE-2025-48961

Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39938.

CVSS: 7.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2025-27811

A local privilege escalation in the razer_elevation_service.exe in Razer Synapse 4 through 4.0.86.2502180127 allows a local attacker to escalate their privileges via a vulnerable COM interface in the…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
Medium

CVE-2025-48959

Local privilege escalation due to insecure file permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 40077.

CVSS: 6.7 CWE: CWE-276 - Incorrect Default Permissions View on NVD
High

CVE-2025-5482

The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.11. Th…

CVSS: 8.8 CWE: CWE-620 - Unverified Password Change View on NVD
2025-06-03
High

CVE-2025-23098

An issue was discovered in Samsung Mobile Processor Exynos 980, 990, 1080, 2100, 1280, 2200, 1380. A Use-After-Free in the mobile processor leads to privilege escalation.

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2025-23102

An issue was discovered in Samsung Mobile Processor Exynos 980, 990, 1080, 2100, 1280, 2200, 1380, 1480 and 2400. A Double Free in the mobile processor leads to privilege escalation.

CVSS: 8.8 CWE: CWE-415 - Double Free View on NVD
High

CVE-2025-36564

Dell Encryption Admin Utilities versions prior to 11.10.2 contain an Improper Link Resolution vulnerability. A local malicious user could potentially exploit this vulnerability, leading to privilege…

CVSS: 7.8 CWE: CWE-61 - UNIX Symbolic Link (Symlink) Following View on NVD
High

CVE-2025-31359

A directory traversal vulnerability exists in the PVMP package unpacking functionality of Parallels Desktop for Mac version 20.2.2 (55879). This vulnerability can be exploited by an attacker to write…

CVSS: 8.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2024-54189

A privilege escalation vulnerability exists in the Snapshot functionality of Parallels Desktop for Mac version 20.1.1 (build 55740). When a snapshot of a virtual machine is taken, a root service writ…

CVSS: 7.8 CWE: CWE-62 - UNIX Hard Link View on NVD
High

CVE-2024-52561

A privilege escalation vulnerability exists in the Snapshot functionality of Parallels Desktop for Mac version 20.1.1 (build 55740). When a snapshot of a virtual machine is deleted, a root service ve…

CVSS: 7.8 CWE: CWE-708 - Incorrect Ownership Assignment View on NVD
High

CVE-2024-36486

A privilege escalation vulnerability exists in the virtual machine archive restoration functionality of Parallels Desktop for Mac version 20.1.1 (55740). When an archived virtual machine is restored,…

CVSS: 7.8 CWE: CWE-62 - UNIX Hard Link View on NVD
Critical

CVE-2025-4797

The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the plugin not…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2025-06-02
High

CVE-2025-23105

An issue was discovered in Samsung Mobile Processor Exynos 2200, 1480, and 2400. A Use-After-Free in the mobile processor leads to privilege escalation.

CVSS: 7.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Medium

CVE-2025-23104

An issue was discovered in Samsung Mobile Processor Exynos 2200. A Use-After-Free in the mobile processor leads to privilege escalation.

CVSS: 6.5 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2025-26396

The SolarWinds Dameware Mini Remote Control was determined to be affected by Incorrect Permissions Local Privilege Escalation Vulnerability. This vulnerability requires local access and a valid low p…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2025-0358

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Device Configuration framework that allowed a privilege escalation, enabling a lowe…

CVSS: 8.8 CWE: CWE-269 - Improper Privilege Management View on NVD
Critical

CVE-2025-0324

The VAPIX Device Configuration framework allowed a privilege escalation, enabling a lower-privileged user to gain administrator privileges.

CVSS: 9.4 CWE: CWE-791 - Incomplete Filtering of Special Elements View on NVD
High

CVE-2024-11857

Bluetooth HCI Adaptor from Realtek has a Link Following vulnerability. Local attackers with regular privileges can create a symbolic link with the same name as a specific file, causing the product to…

CVSS: 7.8 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2025-05-31
High

CVE-2025-4672

The Offsprout Page Builder plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization placed on the permission_callback() function in versions 2.2.1 to 2.15.2. This make…

CVSS: 8.8 CWE: CWE-285 - Improper Authorization View on NVD
Critical

CVE-2025-4631

The Profitori plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the stocktend_object endpoint in versions 2.0.6.0 to 2.1.1.3. This makes it possible to t…

CVSS: 9.8 CWE: CWE-285 - Improper Authorization View on NVD
Critical

CVE-2025-4607

The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customer_registration() function. This is due to t…

CVSS: 9.8 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
High

CVE-2025-4103

The WP-GeoMeta plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wp_ajax_wpgm_start_geojson_import() function in versions 0.3.4 to 0.3.5. This makes…

CVSS: 8.8 CWE: CWE-285 - Improper Authorization View on NVD
2025-05-30
Medium

CVE-2024-7096

A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when…

CVSS: 4.2 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2025-4433

Improper access control in user group management in Devolutions Server 2025.1.7.0 and earlier allows a non-administrative user with both "User Management" and "User Group Management" permissions to p…

CVSS: 8.8 CWE: CWE-284 - Improper Access Control View on NVD
2025-05-28
Medium

CVE-2025-27703

CVE-2025-27703 is a privilege escalation vulnerability in the management console of Absolute Secure Access prior to version 13.54. Attackers with administrative access to a specific subset of privi…

CVSS: 6.0 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
2025-05-27
High

CVE-2025-5117

The Property plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the use of the property_package_user_role metadata in versions 1.0.5 to 1.0.6. This makes…

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
2025-05-26
High

CVE-2025-40672

A Privilege Escalation vulnerability has been found in Panloader component v3.24.0.0 by Espiral MS Group. This vulnerability allows any user to override the file panLoad.exe that will be executed by…

CVSS: 8.5 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2025-05-23
High

CVE-2025-24917

In Tenable Network Monitor versions prior to 6.5.1 on a Windows host, it was found that a non-administrative user could stage files in a local directory to run arbitrary code with SYSTEM privileges,…

CVSS: 7.8 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2025-24916

When installing Tenable Network Monitor to a non-default location on a Windows host, Tenable Network Monitor versions prior to 6.5.1 did not enforce secure permissions for sub-directories. This could…

CVSS: 7.0 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2025-47690

Missing Authorization vulnerability in Smackcoders Inc., Lead Form Data Collection to CRM wp-leads-builder-any-crm allows Privilege Escalation.This issue affects Lead Form Data Collection to CRM: fro…

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2025-47631

Incorrect Privilege Assignment vulnerability in mojoomla Hospital Management System allows Privilege Escalation. This issue affects Hospital Management System: from 47.0(20 through 11.

CVSS: 8.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
Critical

CVE-2025-47539

Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation.This issue affects Eventin: from n/a through <= 4.0.26.

CVSS: 9.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
Critical

CVE-2025-39489

Incorrect Privilege Assignment vulnerability in pebas CouponXL couponxl allows Privilege Escalation.This issue affects CouponXL: from n/a through <= 4.5.0.

CVSS: 9.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
Critical

CVE-2025-31918

Incorrect Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro simple-business-directory-pro allows Privilege Escalation.This issue affects Simple Business Directory Pro:…

CVSS: 9.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
Medium

CVE-2025-48695

An issue was discovered in CyberDAVA before 1.1.20. A privilege escalation vulnerability allows a low-privileged user to escalate their privilege by abusing the following API due to the lack of acces…

CVSS: 6.4 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
Medium

CVE-2025-4692

Actors can use a maliciously crafted JavaScript object notation (JSON) web token (JWT) to perform privilege escalation by submitting the malicious JWT to a vulnerable method exposed on the cloud plat…

CVSS: 6.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2025-05-22
High

CVE-2025-2272

Uncontrolled Search Path Element vulnerability in Forcepoint FIE Endpoint allows Privilege Escalation, Code Injection, Hijacking a privileged process.This issue affects FIE Endpoint: before 25.05.

CVSS: 7.0 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
High

CVE-2025-2759

GStreamer Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of GStreamer. An attacke…

CVSS: 7.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2025-05-21
Medium

CVE-2025-2102

Improper Link Resolution Before File Access ('Link Following') vulnerability in HYPR Passwordless on Windows allows Privilege Escalation.This issue affects HYPR Passwordless: before 10.1.

CVSS: 5.7 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
Medium

CVE-2025-20114

A vulnerability in the API of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to perform a horizontal privilege escalation attack on an affected system. This vulner…

CVSS: 4.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2025-20112

A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an authenticated, local attacker to elevate privileges to root on an affected device. Thi…

CVSS: 5.1 CWE: CWE-268 - Privilege Chaining View on NVD
Medium

CVE-2025-0372

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in HYPR Passwordless on Windows allows Privilege Escalation.This issue affects HYPR Passwordl…

CVSS: 5.9 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2025-05-20
High

CVE-2025-22157

This High severity PrivEsc (Privilege Escalation) vulnerability was introduced in versions: 9.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Core Data Center and Server 5.12.0, 10.3.0, 10.4.0, and 10.5.0…

CVSS: 8.8 CWE: CWE-284 - Improper Access Control View on NVD
Critical

CVE-2025-4322

The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's ident…

CVSS: 9.8 CWE: CWE-620 - Unverified Password Change View on NVD
2025-05-19
Critical

CVE-2025-48340

Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows Privilege Escalation.This issue affects User Profile Meta Manager: from n/a through <=…

CVSS: 9.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
High

CVE-2025-39459

Incorrect Privilege Assignment vulnerability in contempoinc Real Estate 7 realestate-7 allows Privilege Escalation.This issue affects Real Estate 7: from n/a through <= 3.5.2.

CVSS: 7.3 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
High

CVE-2025-39405

Incorrect Privilege Assignment vulnerability in mojoomla WPAMS apartment-management allows Privilege Escalation.This issue affects WPAMS: from n/a through <= 44.0 (17-08-2023).

CVSS: 8.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
High

CVE-2025-4477

The ThreatSonar Anti-Ransomware from TeamT5 has a Privilege Escalation vulnerability, allowing remote attackers with intermediate privileges to escalate their privileges to highest administrator leve…

CVSS: 7.2 CWE: CWE-862 - Missing Authorization View on NVD
2025-05-17
High

CVE-2025-33103

IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 product IBM TCP/IP Connectivity Utilities for i contains a privilege escalation vulnerability. A malicious actor with command line access to the host operating syste…

CVSS: 8.5 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
2025-05-16
High

CVE-2025-32310

Cross-Site Request Forgery (CSRF) vulnerability in ThemeMove QuickCal - Appointment Booking Calendar for WordPress quickcal allows Privilege Escalation.This issue affects QuickCal - Appointment Booki…

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
High

CVE-2025-4211

Improper Link Resolution Before File Access ('Link Following') vulnerability in QFileSystemEngine in the Qt corelib module on Windows which potentially allows Symlink Attacks and the use of Malicious…

CVSS: 7.3 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
High

CVE-2025-47809

Wibu CodeMeter before 8.30a sometimes allows privilege escalation immediately after installation (before a logoff or reboot). For exploitation, there must have been an unprivileged installation with…

CVSS: 8.2 CWE: CWE-272 - Least Privilege Violation View on NVD
2025-05-15
High

CVE-2025-30475

Dell PowerScale InsightIQ, versions 5.0 through 5.2, contains an improper privilege management vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerabili…

CVSS: 8.1 CWE: CWE-269 - Improper Privilege Management View on NVD
2025-05-14
Medium

CVE-2025-46836

net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. Inn versions up to and including 2.10, the Linux network utilities (l…

CVSS: 6.6 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2025-3931

A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method…

CVSS: 7.8 CWE: CWE-280 - Improper Handling of Insufficient Permissions or Privileges View on NVD
2025-05-13
High

CVE-2023-31359

Incorrect default permissions in the AMD Manageability API could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

CVSS: 7.3 CWE: CWE-276 - Incorrect Default Permissions View on NVD
High

CVE-2023-31358

A DLL hijacking vulnerability in the AMD Manageability API could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

CVSS: 7.3 CWE: CWE-276 - Incorrect Default Permissions View on NVD
High

CVE-2024-36339

A DLL hijacking vulnerability in the AMD Optimizing CPU Libraries could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

CVSS: 7.3 CWE: CWE-276 - Incorrect Default Permissions View on NVD
High

CVE-2024-21960

Incorrect default permissions in the AMD Optimizing CPU Libraries (AOCL) installation directory could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code executi…

CVSS: 7.3 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Medium

CVE-2025-4649

Improper Handling of Exceptional Conditions vulnerability in Centreon web allows Privilege Escalation. ACL are not correctly taken into account in the display of the "event logs" page. This page r…

CVSS: 4.9 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
High

CVE-2025-32917

Privilege escalation in jar_signature agent plugin in Checkmk versions <2.4.0b7 (beta), <2.3.0p32, <2.2.0p42, and 2.1.0p49 (EOL) allow user with write access to JAVA_HOME/bin directory to escalate pr…

CVSS: 8.8 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
High

CVE-2025-4646

Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation.This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.

CVSS: 7.2 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2025-4474

The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_admin_setting_form_function() function in versions 1.0 to 2.2.7. This ma…

CVSS: 8.8 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2025-4473

The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_request() function in versions 1.0 to 2.2.7. This makes it possible for…

CVSS: 8.8 CWE: CWE-285 - Improper Authorization View on NVD
2025-05-12
High

CVE-2025-30453

The issue was addressed with additional permissions checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.6, macOS Ventura 13.7.6. A malicious app may be able to gain root privileges.

CVSS: 7.8 CWE: CWE-280 - Improper Handling of Insufficient Permissions or Privileges View on NVD
High

CVE-2025-24274

An input validation issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6. A malicious app may be able to gain root…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2025-24258

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.6, macOS Ventura 13.7.6. An app may be able to gain root privileges.

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2025-05-10
High

CVE-2025-3876

The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insufficient user OTP validation in the handleWpLoginCreateUserAction() function in a…

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
2025-05-09
High

CVE-2024-9524

Link Following Local Privilege Escalation Vulnerability in System Speedup Service in Avira Operations GmbH Avira Prime Version 1.1.96.2 on Windows 10 x64 allows local attackers to escalate privileges…

CVSS: 7.8 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
High

CVE-2024-13962

Link Following Local Privilege Escalation Vulnerability in TuneupSvc in Gen Digital Inc. Avast Cleanup Premium Version 24.2.16593.17810 on Windows 10 Pro x64 allows local attackers to escalate privil…

CVSS: 7.8 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
High

CVE-2024-13961

Link Following Local Privilege Escalation Vulnerability in TuneupSvc in Avast Cleanup Premium Version 24.2.16593.17810 on Windows 10 Pro x64 allows local attackers to escalate privileges and execute…

CVSS: 7.8 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
High

CVE-2024-13960

Link Following Local Privilege Escalation Vulnerability in TuneUp Service in AVG TuneUp Version 23.4 (build 15592) on Windows 10 allows local attackers to escalate privileges and execute arbitrary co…

CVSS: 7.8 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
High

CVE-2024-13959

Link Following Local Privilege Escalation Vulnerability in TuneupSvc.exe in AVG TuneUp 24.2.16593.9844 on Windows allows local attackers to escalate privileges and execute arbitrary code in the conte…

CVSS: 7.8 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
High

CVE-2024-13944

Link Following Local Privilege Escalation Vulnerability in NortonUtilitiesSvc in Norton Utilities Ultimate Version 24.2.16862.6344 on Windows 10 Pro x64 allows local attackers to escalate privileges…

CVSS: 7.8 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
High

CVE-2024-13759

Local Privilege Escalation in Avira.Spotlight.Service.exe in Avira Prime 1.1.96.2 on Windows 10 x64  allows local attackers to gain system-level privileges via arbitrary file deletion

CVSS: 7.8 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
Critical

CVE-2025-3605

The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.1. This is due to the plugin not p…

CVSS: 9.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Critical

CVE-2025-2253

The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification cod…

CVSS: 9.8 CWE: CWE-620 - Unverified Password Change View on NVD
Critical

CVE-2025-3811

The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's id…

CVSS: 9.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Critical

CVE-2025-3810

The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's id…

CVSS: 9.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2025-05-07
High

CVE-2025-3925

BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or series 5 prior to v9.0.166 contain an execution with unnecessary privileges vulnerability, allowing for privilege escalation…

CVSS: 7.8 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
Critical

CVE-2025-3476

Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allows privilege escalation by authenticated users.This issue affects Operations Bridge Manager:…

CVSS: 9.4 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2025-26169

IXON VPN Client before 1.4.4 on Windows allows Local Privilege Escalation to SYSTEM because there is code execution from a configuration file that can be controlled by a low-privileged user. There is…

CVSS: 8.1 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2025-26168

IXON VPN Client before 1.4.4 on Linux and macOS allows Local Privilege Escalation to root because there is code execution from a configuration file that can be controlled by a low-privileged user. Th…

CVSS: 8.1 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2025-20122

A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly Cisco SD-WAN vManage, could allow an authenticated, local attacker to gain privileges of the root user on the underlying operatin…

CVSS: 7.8 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
High

CVE-2025-47462

Cross-Site Request Forgery (CSRF) vulnerability in WebAppick Challan webappick-pdf-invoice-for-woocommerce allows Privilege Escalation.This issue affects Challan: from n/a through <= 3.7.58.

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Critical

CVE-2025-4104

The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_wp_ajax_fed_login_form_post() function in versions 1.0 to 2.2.6. This ma…

CVSS: 9.8 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2025-4335

The Woocommerce Multiple Addresses plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.7.1. This is due to insufficient restrictions on user meta that…

CVSS: 8.8 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2025-3852

The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.0 to 2.6.0. This is due to the plugin not properly validating a user's identi…

CVSS: 8.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2025-05-06
High

CVE-2025-47420

266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.

CVSS: 8.7 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2025-22477

Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit…

CVSS: 8.3 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2025-3610

The Reales WP STPT plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.1.2. This is due to the plugin not properly validating a use…

CVSS: 8.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2025-3609

The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verif…

CVSS: 5.3 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-05-05
High

CVE-2025-28062

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password r…

CVSS: 8.1 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2025-05-03
Critical

CVE-2025-3918

The Job Listings plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the register_action() function in versions 0.1 to 0.1.1. The plugin’s registration han…

CVSS: 9.8 CWE: CWE-285 - Improper Authorization View on NVD
2025-05-02
Medium

CVE-2025-3438

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack o…

CVSS: 6.5 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2025-4179

The Flynax Bridge plugin for WordPress is vulnerable to limited Privilege Escalation due to a missing capability check on the registerUser() function in all versions up to, and including, 2.2.0. This…

CVSS: 7.3 CWE: CWE-862 - Missing Authorization View on NVD
Critical

CVE-2025-3746

The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's i…

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD