Total
2384 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-22239 | 1 Juniper | 1 Junos Os Evolved | 2025-05-10 | 8.2 High |
| An Execution with Unnecessary Privileges vulnerability in Management Daemon (mgd) of Juniper Networks Junos OS Evolved allows a locally authenticated attacker with low privileges to escalate their privileges on the device and potentially remote systems. This vulnerability allows a locally authenticated attacker with access to the ssh operational command to escalate their privileges on the system to root, or if there is user interaction on the local device to potentially escalate privileges on a remote system to root. This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R3-S5-EVO; 21.1-EVO versions prior to 21.1R3-EVO; 21.2-EVO versions prior to 21.2R2-S1-EVO, 21.2R3-EVO; 21.3-EVO versions prior to 21.3R2-EVO. This issue does not affect Juniper Networks Junos OS. | ||||
| CVE-2025-3224 | 1 Docker | 1 Desktop | 2025-05-10 | 7.8 High |
| A vulnerability in the update process of Docker Desktop for Windows versions prior to 4.41.0 could allow a local, low-privileged attacker to escalate privileges to SYSTEM. During an update, Docker Desktop attempts to delete files and subdirectories under the path C:\ProgramData\Docker\config with high privileges. However, this directory often does not exist by default, and C:\ProgramData\ allows normal users to create new directories. By creating a malicious Docker\config folder structure at this location, an attacker can force the privileged update process to delete or manipulate arbitrary system files, leading to Elevation of Privilege. | ||||
| CVE-2025-4085 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-05-09 | 7.1 High |
| An attacker with control over a content process could potentially leverage the privileged UITour actor to leak sensitive information or escalate privileges. This vulnerability affects Firefox < 138 and Thunderbird < 138. | ||||
| CVE-2022-43749 | 1 Synology | 1 Presto File Server | 2025-05-09 | 4.3 Medium |
| Improper privilege management vulnerability in summary report management in Synology Presto File Server before 2.1.2-1601 allows remote authenticated users to bypass security constraint via unspecified vectors. | ||||
| CVE-2024-21111 | 2 Microsoft, Oracle | 2 Windows, Vm Virtualbox | 2025-05-09 | 7.8 High |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Windows hosts only. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | ||||
| CVE-2022-28169 | 1 Broadcom | 1 Fabric Operating System | 2025-05-09 | 8.8 High |
| Brocade Webtools in Brocade Fabric OS versions before Brocade Fabric OS versions v9.1.1, v9.0.1e, and v8.2.3c could allow a low privilege webtools, user, to gain elevated admin rights, or privileges, beyond what is intended or entitled for that user. By exploiting this vulnerability, a user whose role is not an admin can create a new user with an admin role using the operator session id. The issue was replicated after intercepting the admin, and operator authorization headers sent unencrypted and editing a user addition request to use the operator's authorization header. | ||||
| CVE-2024-24830 | 1 Openobserve | 1 Openobserve | 2025-05-08 | 10 Critical |
| OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/{org_id}/users" endpoint. This vulnerability allows any authenticated regular user ('member') to add new users with elevated privileges, including the 'root' role, to an organization. This issue circumvents the intended security controls for role assignments. The vulnerability resides in the user creation process, where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application's role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2022-31690 | 3 Netapp, Redhat, Vmware | 5 Active Iq Unified Manager, Migration Toolkit Applications, Migration Toolkit Runtimes and 2 more | 2025-05-08 | 8.1 High |
| Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token. | ||||
| CVE-2017-10094 | 1 Oracle | 1 Agile Product Lifecycle Management | 2025-05-08 | N/A |
| Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Agile PLM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Agile PLM accessible data as well as unauthorized read access to a subset of Oracle Agile PLM accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | ||||
| CVE-2024-25842 | 1 Prestaworld | 1 Account Manager | 2025-05-08 | 7.5 High |
| An issue was discovered in Presta World "Account Manager - Sales Representative & Dealers - CRM" (prestasalesmanager) module for PrestaShop before version 9.0, allows remote attackers to escalate privilege and obtain sensitive information via the uploadLogo() and postProcess methods. | ||||
| CVE-2022-41835 | 1 F5 | 2 F5os-a, F5os-c | 2025-05-07 | 7.3 High |
| In F5OS-A version 1.x before 1.1.0 and F5OS-C version 1.x before 1.5.0, excessive file permissions in F5OS allows an authenticated local attacker to execute limited set of commands in a container and impact the F5OS controller. | ||||
| CVE-2022-34438 | 1 Dell | 1 Emc Powerscale Onefs | 2025-05-07 | 6.7 Medium |
| Dell PowerScale OneFS, versions 8.2.x-9.4.0.x, contain a privilege context switching error. A local authenticated malicious user with high privileges could potentially exploit this vulnerability, leading to full system compromise. This impacts compliance mode clusters. | ||||
| CVE-2024-20282 | 1 Cisco | 1 Nexus Dashboard | 2025-05-07 | 6 Medium |
| A vulnerability in Cisco Nexus Dashboard could allow an authenticated, local attacker with valid rescue-user credentials to elevate privileges to root on an affected device. This vulnerability is due to insufficient protections for a sensitive access token. An attacker could exploit this vulnerability by using this token to access resources within the device infrastructure. A successful exploit could allow an attacker to gain root access to the filesystem or hosted containers on an affected device. | ||||
| CVE-2022-38060 | 2 Openstack, Redhat | 2 Kolla, Openstack | 2025-05-07 | 8.8 High |
| A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges. | ||||
| CVE-2025-3852 | 1 Wordpress | 1 Wordpress | 2025-05-07 | 8.8 High |
| The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.0 to 2.6.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email & password through the update() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | ||||
| CVE-2025-4335 | 2025-05-07 | 8.8 High | ||
| The Woocommerce Multiple Addresses plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.7.1. This is due to insufficient restrictions on user meta that can be updated through the save_multiple_shipping_addresses() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. | ||||
| CVE-2025-47420 | 2025-05-07 | N/A | ||
| 266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49. | ||||
| CVE-2022-3419 | 1 Addify | 1 Automatic User Roles Switcher | 2025-05-06 | 6.5 Medium |
| The Automatic User Roles Switcher WordPress plugin before 1.1.2 does not have authorisation and proper CSRF checks, allowing any authenticated users like subscriber to add any role to themselves, such as administrator | ||||
| CVE-2022-32907 | 1 Apple | 3 Iphone Os, Tvos, Watchos | 2025-05-06 | 7.8 High |
| This issue was addressed with improved checks. This issue is fixed in tvOS 16, iOS 16, watchOS 9. An app may be able to execute arbitrary code with kernel privileges. | ||||
| CVE-2022-32794 | 1 Apple | 2 Mac Os X, Macos | 2025-05-06 | 7.8 High |
| A logic issue was addressed with improved state management. This issue is fixed in Security Update 2022-004 Catalina, macOS Monterey 12.4, macOS Big Sur 11.6.6. An app may be able to gain elevated privileges. | ||||