Total
2222 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-36024 | 1 Microsoft | 1 Edge Chromium | 2025-04-29 | 7.1 High |
| Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | ||||
| CVE-2025-29800 | 2025-04-29 | 7.8 High | ||
| Improper privilege management in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2021-3919 | 1 Hp | 106 Command Center, Envy 13t-bd100, Envy 13z-ay100 and 103 more | 2025-04-29 | 9.8 Critical |
| A potential security vulnerability has been identified in OMEN Gaming Hub and in HP Command Center which may allow escalation of privilege and/or denial of service. HP has released software updates to mitigate the potential vulnerability. | ||||
| CVE-2022-0222 | 1 Schneider-electric | 28 Modicon M340 Bmxnoe0100, Modicon M340 Bmxnoe0100 Firmware, Modicon M340 Bmxnoe0110 and 25 more | 2025-04-29 | 7.5 High |
| A CWE-269: Improper Privilege Management vulnerability exists that could cause a denial of service of the Ethernet communication of the controller when sending a specific request over SNMP. Affected products: Modicon M340 CPUs(BMXP34* versions prior to V3.40), Modicon M340 X80 Ethernet Communication modules:BMXNOE0100 (H), BMXNOE0110 (H), BMXNOR0200H RTU(BMXNOE* all versions)(BMXNOR* versions prior to v1.7 IR24) | ||||
| CVE-2021-34579 | 1 Phoenixcontact | 1 Fl Mguard Dm | 2025-04-29 | 7.5 High |
| In Phoenix Contact: FL MGUARD DM version 1.12.0 and 1.13.0 access to the Apache web server being installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials even if configured during installation.Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles (“ATV profiles”). Such configuration profiles may contain sensitive information, e.g. private keys associated with IPsec VPN connections. | ||||
| CVE-2025-3101 | 2025-04-29 | 8.8 High | ||
| The Configurator Theme Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.7. This is due to the plugin not properly validating user meta fields prior to updating them in the database. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change escalate their privileges to Administrator. | ||||
| CVE-2025-3761 | 2025-04-29 | 8.8 High | ||
| The My Tickets – Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is due to the mt_save_profile() function not appropriately restricting access to unauthorized users to update roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator. | ||||
| CVE-2025-2238 | 2025-04-29 | 8.8 High | ||
| The Vikinger theme for WordPress is vulnerable to privilege in all versions up to, and including, 1.9.30. This is due to insufficient user_meta restrictions in the 'vikinger_user_meta_update_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator-level. | ||||
| CVE-2025-3224 | 2025-04-29 | N/A | ||
| A vulnerability in the update process of Docker Desktop for Windows versions prior to 4.41.0 could allow a local, low-privileged attacker to escalate privileges to SYSTEM. During an update, Docker Desktop attempts to delete files and subdirectories under the path C:\ProgramData\Docker\config with high privileges. However, this directory often does not exist by default, and C:\ProgramData\ allows normal users to create new directories. By creating a malicious Docker\config folder structure at this location, an attacker can force the privileged update process to delete or manipulate arbitrary system files, leading to Elevation of Privilege. | ||||
| CVE-2025-46576 | 2025-04-29 | 5.4 Medium | ||
| There is a Permission Management and Access Control vulnerability in the GoldenDB database product. Attackers can manipulate requests to bypass privilege restrictions and delete content. | ||||
| CVE-2024-42798 | 2 Kashipara, Lopalopa | 2 Music Management System, Music Management System | 2025-04-28 | 7.6 High |
| An Incorrect Access Control vulnerability was found in /music/index.php?page=user_list and /music/index.php?page=edit_user in Kashipara Music Management System v1.0. This allows a low privileged attacker to take over the administrator account. | ||||
| CVE-2024-42995 | 1 Vtiger | 1 Vtiger Crm | 2025-04-28 | 8.3 High |
| VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules. | ||||
| CVE-2023-38614 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-04-25 | 4.3 Medium |
| A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 17 and iPadOS 17, macOS Sonoma 14. An app may be able to access sensitive user data. | ||||
| CVE-2025-28399 | 1 Exrick | 1 Xmall | 2025-04-25 | 9.8 Critical |
| An issue in Erick xmall v.1.1 and before allows a remote attacker to escalate privileges via the updateAddress method of the Address Controller class. | ||||
| CVE-2022-46410 | 1 Veritas | 1 Netbackup Flex Scale Appliance | 2025-04-24 | 8.8 High |
| An issue was discovered in Veritas NetBackup Flex Scale through 3.0. An attacker with non-root privileges may escalate privileges to root by using specific commands. | ||||
| CVE-2023-52431 | 2 Plack\, Plack Middleware | 2 \, Xsrf Block Package For Perl | 2025-04-24 | 8.8 High |
| The Plack::Middleware::XSRFBlock package before 0.0.19 for Perl allows attackers to bypass a CSRF protection mechanism via an empty form value and an empty cookie (if signed cookies are disabled). | ||||
| CVE-2022-32633 | 3 Google, Mediatek, Yoctoproject | 50 Android, Mt6580, Mt6739 and 47 more | 2025-04-24 | 6.7 Medium |
| In Wi-Fi, there is a possible memory access violation due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07441637; Issue ID: ALPS07441637. | ||||
| CVE-2022-23737 | 1 Github | 1 Enterprise Server | 2025-04-24 | 6.5 Medium |
| An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7 and was fixed in versions 3.2.20, 3.3.15, 3.4.10, 3.5.7, and 3.6.3. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2022-23604 | 1 X26-cogs Project | 1 X26-cogs | 2025-04-23 | 8.8 High |
| x26-Cogs is a repository of cogs made by Twentysix for the Red Discord bot. Among these cogs is the Defender cog, a tool for Discord server moderation. A vulnerability in the Defender cog prior to version 1.10.0 allows users with admin privileges to issue commands as other users who share the same server. If a bot owner shares the same server as the attacker, it is possible for the attacker to issue bot-owner restricted commands. The issue has been patched in version 1.10.0. One may unload the Defender cog as a workaround. | ||||
| CVE-2022-24750 | 1 Uvnc | 1 Ultravnc | 2025-04-23 | 8.8 High |
| UltraVNC is a free and open source remote pc access software. A vulnerability has been found in versions prior to 1.3.8.0 in which the DSM plugin module, which allows a local authenticated user to achieve local privilege escalation (LPE) on a vulnerable system. The vulnerability has been fixed to allow loading of plugins from the installed directory. Affected users should upgrade their UltraVNC to 1.3.8.1. Users unable to upgrade should not install and run UltraVNC server as a service. It is advisable to create a scheduled task on a low privilege account to launch WinVNC.exe instead. There are no known workarounds if winvnc needs to be started as a service. | ||||