Total
2496 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59693 | 1 Entrust | 11 Nshield 5c, Nshield 5c Firmware, Nshield Connect Xc and 8 more | 2025-12-15 | 9.8 Critical |
| The Chassis Management Board in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allows a physically proximate attacker to obtain debug access and escalate privileges by bypassing the tamper label and opening the chassis without leaving evidence, and accessing the JTAG connector. This is called F02. | ||||
| CVE-2025-12952 | 1 Google | 1 Cloud Dialogflow Cx | 2025-12-12 | N/A |
| A privilege escalation vulnerability exists in Google Cloud's Dialogflow CX. Dialogflow agent developers with Webhook editor permission are able to configure Webhooks using Dialogflow service agent access token authentication. This allows the attacker to escalate their privileges from agent-level to project-level, granting them unauthorized access to manage resources in services associated with the project, leading to unexpected costs and resource depletion for the producer project. A fix was applied on the server side to protect from this vulnerability in February 2025. No customer action is required. | ||||
| CVE-2025-13764 | 1 Wordpress | 1 Wordpress | 2025-12-12 | 9.8 Critical |
| The WP CarDealer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.16. This is due to the 'WP_CarDealer_User::process_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. | ||||
| CVE-2024-0353 | 1 Eset | 11 Endpoint Antivirus, Endpoint Security, File Security and 8 more | 2025-12-10 | 7.8 High |
| Local privilege escalation vulnerability potentially allowed an attacker to misuse ESET’s file operations to delete files without having proper permission. | ||||
| CVE-2024-38089 | 1 Microsoft | 1 Defender For Iot | 2025-12-09 | 9.1 Critical |
| Microsoft Defender for IoT Elevation of Privilege Vulnerability | ||||
| CVE-2025-66324 | 1 Huawei | 1 Harmonyos | 2025-12-09 | 8.4 High |
| Input verification vulnerability in the compression and decompression module. Impact: Successful exploitation of this vulnerability may affect app data integrity. | ||||
| CVE-2025-59705 | 1 Entrust | 11 Nshield 5c, Nshield 5c Firmware, Nshield Connect Xc and 8 more | 2025-12-08 | 6.8 Medium |
| Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to Escalate Privileges by enabling the USB interface through chassis probe insertion during system boot, aka "Unauthorized Reactivation of the USB interface" or F01. | ||||
| CVE-2025-59697 | 1 Entrust | 11 Nshield 5c, Nshield 5c Firmware, Nshield Connect Xc and 8 more | 2025-12-08 | 7.2 High |
| Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to escalate privileges by editing the Legacy GRUB bootloader configuration to start a root shell upon boot of the host OS. This is called F06. | ||||
| CVE-2025-13292 | 1 Google | 1 Cloud Apigee-x | 2025-12-08 | N/A |
| A vulnerability in Apigee-X allowed an attacker to gain unauthorized read and write access to Apigee Analytics (AX) data and access logs belonging to other Apigee customer organizations. Apigee-X was found to be vulnerable. This vulnerability was patched in version 1-16-0-apigee-3. No user action is required for this. | ||||
| CVE-2024-32959 | 2 Sirv, Wordpress | 2 Sirv, Wordpress | 2025-12-06 | 8.8 High |
| Improper Privilege Management vulnerability in Sirv allows Privilege Escalation.This issue affects Sirv: from n/a through 7.2.2. | ||||
| CVE-2025-64336 | 2 Clip-bucket, Oxygenz | 2 Clipbucket, Clipbucket | 2025-12-05 | 5.4 Medium |
| ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Photos feature is vulnerable to stored Cross-site Scripting (XSS). An authenticated regular user can upload a photo with a malicious Photo Title containing HTML/JavaScript code. While the payload does not execute in the user-facing photo gallery or detail pages, it is rendered unsafely in the Admin → Manage Photos section, resulting in JavaScript execution in the administrator’s browser. This issue is fixed in version 5.5.2-#147. | ||||
| CVE-2018-1000141 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 9.1 Critical |
| I, Librarian version 4.9 and earlier contains an Incorrect Access Control vulnerability in ajaxdiscussion.php that can result in any users gaining unauthorized access (read, write and delete) to project discussions. | ||||
| CVE-2024-27301 | 1 Root3 | 1 Support App | 2025-12-05 | 7.3 High |
| Support App is an opensource application specialized in managing Apple devices. It's possible to abuse a vulnerability inside the postinstall installer script to make the installer execute arbitrary code as root. The cause of the vulnerability is the fact that the shebang `#!/bin/zsh` is being used. When the installer is executed it asks for the users password to be executed as root. However, it'll still be using the $HOME of the user and therefore loading the file `$HOME/.zshenv` when the `postinstall` script is executed. An attacker could add malicious code to `$HOME/.zshenv` and it will be executed when the app is installed. An attacker may leverage this vulnerability to escalate privilege on the system. This issue has been addressed in version 2.5.1 Rev 2. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-65621 | 1 Snipeitapp | 1 Snipe-it | 2025-12-04 | 5.4 Medium |
| Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation. | ||||
| CVE-2025-13534 | 3 Elextensions, Elula, Wordpress | 3 Elex Wordpress Plugin, Wsdesk, Wordpress | 2025-12-04 | 6.3 Medium |
| The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.2. This is due to missing authorization checks on the eh_crm_edit_agent AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to escalate their WSDesk privileges from limited "Reply Tickets" permissions to full helpdesk administrator capabilities, gaining unauthorized access to ticket management, settings configuration, agent administration, and sensitive customer data. | ||||
| CVE-2025-13542 | 2 Designthemes, Wordpress | 2 Designthemes Lms, Wordpress | 2025-12-04 | 9.8 Critical |
| The DesignThemes LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.4. This is due to the 'dtlms_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. | ||||
| CVE-2025-59790 | 1 Apache | 1 Kvrocks | 2025-12-04 | 5.4 Medium |
| Improper Privilege Management vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from v2.9.0 through v2.13.0. Users are recommended to upgrade to version 2.14.0, which fixes the issue. | ||||
| CVE-2025-13787 | 2 Easycorp, Zentao | 2 Zentao, Zentao | 2025-12-04 | 5.4 Medium |
| A flaw has been found in ZenTao up to 21.7.6-8564. The affected element is the function file::delete of the file module/file/control.php of the component File Handler. Executing manipulation of the argument fileID can lead to improper privilege management. It is possible to launch the attack remotely. Upgrading to version 21.7.7 is sufficient to fix this issue. You should upgrade the affected component. | ||||
| CVE-2017-0358 | 2 Debian, Tuxera | 2 Debian Linux, Ntfs-3g | 2025-12-04 | 7.8 High |
| Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation. | ||||
| CVE-2025-33188 | 1 Nvidia | 3 Dgx, Dgx Os, Dgx Spark | 2025-12-02 | 8 High |
| NVIDIA DGX Spark GB10 contains a vulnerability in hardware resources where an attacker could tamper with hardware controls. A successful exploit of this vulnerability might lead to information disclosure, data tampering, or denial of service. | ||||