Total
2561 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-16902 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2026-02-23 | 7.2 HIGH | 7.8 HIGH |
|
<p>An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior.</p>
<p>A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>The security update addresses the vulnerability by correcting the input sanitization error to ...
Show More |
|||||
| CVE-2020-16875 | 1 Microsoft | 1 Exchange Server | 2026-02-23 | 9.0 HIGH | 8.4 HIGH |
|
<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments.</p>
<p>An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. Exploitation of the vulnerability requires an authenticated user in a certain Exchange role to be compromised.</p>
<p>The security update addresses the vulnerability by correcting how Microsoft Exchange handles cmdlet arguments.</p>
|
|||||
| CVE-2026-2563 | 1 Jdcloud | 2 Ax6600, Ax6600 Firmware | 2026-02-23 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was identified in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. Affected is the function set_stcreenen_deabled_status/get_status of the file /f/service/controlDevice of the component jdcapp_rpc. The manipulation leads to Remote Privilege Escalation. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2026-2562 | 1 Jdcloud | 2 Ax6600, Ax6600 Firmware | 2026-02-23 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was determined in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. This impacts the function cast_streen of the file /jdcapi of the component jdcweb_rpc. Executing a manipulation of the argument File can lead to Remote Privilege Escalation. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2026-2561 | 1 Jdcloud | 2 Ax6600, Ax6600 Firmware | 2026-02-23 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was found in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. This affects the function web_get_ddns_uptime of the file /jdcapi of the component jdcweb_rpc. Performing a manipulation results in Remote Privilege Escalation. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2022-4270 | 1 M-files | 1 M-files Server | 2026-02-23 | N/A | 2.0 LOW |
|
Incorrect privilege assignment issue in M-Files Web in M-Files Web versions before 22.5.11436.1 could have changed permissions accidentally.
|
|||||
| CVE-2022-4264 | 1 M-files | 1 M-files | 2026-02-23 | N/A | 6.5 MEDIUM |
|
Incorrect Privilege Assignment in M-Files Web (Classic) in M-Files before 22.8.11691.0 allows low privilege user to change some configuration.
|
|||||
| CVE-2022-1606 | 1 M-files | 1 M-files Server | 2026-02-23 | N/A | 2.4 LOW |
|
Incorrect privilege assignment in M-Files Server versions before 22.3.11164.0 and before 22.3.11237.1 allows user to read unmanaged objects.
|
|||||
| CVE-2026-21223 | 1 Microsoft | 1 Edge Chromium | 2026-02-22 | N/A | 7.1 HIGH |
|
Improper privilege management in Microsoft Edge (Chromium-based) allows an authorized attacker to bypass a security feature locally.
|
|||||
| CVE-2019-1177 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2026-02-20 | 4.6 MEDIUM | 7.0 HIGH |
|
An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.
To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.
The security update addresses the vulnerability by ensuring the rpcss.dll properly handles objects in memory.
|
|||||
| CVE-2019-1175 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2026-02-20 | 4.6 MEDIUM | 7.0 HIGH |
|
An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.
To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.
The security update addresses the vulnerability by ensuring the psmsrv.dll properly handles objects in memory.
|
|||||
| CVE-2019-1162 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2026-02-20 | 7.2 HIGH | 7.8 HIGH |
|
An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC).
An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially craft ...
Show More |
|||||
| CVE-2024-37133 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | N/A | 6.7 MEDIUM |
|
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contain an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to unauthorized gain of root-level access.
|
|||||
| CVE-2024-25961 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | N/A | 6.0 MEDIUM |
|
Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges.
|
|||||
| CVE-2024-37126 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | N/A | 6.7 MEDIUM |
|
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contain an improper privilege management vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to unauthorized gain of root-level access.
|
|||||
| CVE-2024-32854 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | N/A | 6.7 MEDIUM |
|
Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contain an improper privilege management vulnerability. A local high privilege attacker could potentially exploit this vulnerability, leading to privilege escalation.
|
|||||
| CVE-2023-32490 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | N/A | 6.7 MEDIUM |
|
Dell PowerScale OneFS 8.2x -9.5x contains an improper privilege management vulnerability. A high privilege local attacker could potentially exploit this vulnerability, leading to system takeover.
|
|||||
| CVE-2025-43722 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | N/A | 6.7 MEDIUM |
|
Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper privilege management vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges.
|
|||||
| CVE-2021-21567 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | 4.6 MEDIUM | 7.8 HIGH |
|
Dell PowerScale OneFS 9.1.0.x contains an improper privilege management vulnerability. It may allow an authenticated user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE to elevate privilege.
|
|||||
| CVE-2023-32457 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | N/A | 7.5 HIGH |
|
Dell PowerScale OneFS, versions 8.2.2.x-9.5.0.x, contains an improper privilege management vulnerability. A remote attacker with low privileges could potentially exploit this vulnerability, leading to escalation of privileges.
|
|||||
| CVE-2023-32487 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | N/A | 7.8 HIGH |
|
Dell PowerScale OneFS, 8.2.x - 9.5.0.x, contains an elevation of privilege vulnerability. A low privileged local attacker could potentially exploit this vulnerability, leading to denial of service, code execution and information disclosure.
|
|||||
| CVE-2026-24894 | 1 Php | 1 Frankenphp | 2026-02-20 | N/A | 7.5 HIGH |
|
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2.
|
|||||
| CVE-2025-64487 | 1 Getoutline | 1 Outline | 2026-02-20 | N/A | 7.6 HIGH |
|
Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a privilege escalation vulnerability exists in the Outline document management system due to inconsistent authorization checks between user and group membership management endpoints. This vulnerability is fixed in 1.1.0.
|
|||||
| CVE-2025-10650 | 2026-02-20 | N/A | N/A | ||
|
SoftIron HyperCloud 2.5.0 through 2.6.3 may incorrectly add user SSH keys to the administrator-level authorized keys under certain conditions, allowing unauthorized privilege escalation to admin via SSH. Affects non-production debug and internal development builds created between versions 2.5.0 and 2.6.3. No generally available (GA) or customer-released production builds were affected. There is no evidence that this issue was exposed in customer environments or production deployments.
|
|||||
| CVE-2025-12882 | 2026-02-19 | N/A | 9.8 CRITICAL | ||
|
The Clasifico Listing plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0. This is due to the plugin allowing users who are registering new accounts to set their own role by supplying the 'listing_user_role' parameter. This makes it possible for unauthenticated attackers to gain elevated privileges by registering an account with the administrator role.
|
|||||
| CVE-2025-13563 | 2026-02-19 | N/A | 9.8 CRITICAL | ||
|
The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'lizza_lms_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
|
|||||
| CVE-2025-13851 | 2026-02-19 | N/A | 9.8 CRITICAL | ||
|
The Buyent Classified plugin for WordPress (bundled with Buyent theme) is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the plugin not validating or restricting the user role during registration via the REST API endpoint. This makes it possible for unauthenticated attackers to register accounts with arbitrary roles, including administrator, by manipulating the _buyent_classified_user_type parameter during the registration pro ...
Show More |
|||||
| CVE-2026-0912 | 2026-02-19 | N/A | 8.8 HIGH | ||
|
The Toret Manager plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'trman_save_option' function and on the 'trman_save_option_items' in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administ ...
Show More |
|||||
| CVE-2026-1994 | 2026-02-19 | N/A | 9.8 CRITICAL | ||
|
The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
|
|||||
| CVE-2025-8572 | 2026-02-18 | N/A | 9.8 CRITICAL | ||
|
The Truelysell Core plugin for WordPress is vulnerable to privilege escalation in versions less than, or equal to, 1.8.7. This is due to insufficient validation of the user_role parameter during user registration. This makes it possible for unauthenticated attackers to create accounts with elevated privileges, including administrator access.
|
|||||
| CVE-2026-2144 | 2026-02-18 | N/A | 8.1 HIGH | ||
|
The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads directory during the email sending process. The file is only deleted after wp_mail() completes, creating an exploitable race condition window. This makes it possible for unauthenticated attackers to trigger ...
Show More |
|||||
| CVE-2025-67905 | 2026-02-18 | N/A | 8.7 HIGH | ||
|
Malwarebytes AdwCleaner before v.8.7.0 runs as Administrator and performs an insecure log file delete operation in which the target location is user-controllable, allowing a non-admin user to escalate privileges to SYSTEM via a symbolic link, a related issue to CVE-2023-28892. To exploit this, an attacker must create a file in a given folder path and intercept the application log file deletion flow.
|
|||||
| CVE-2026-1750 | 2026-02-18 | N/A | 8.8 HIGH | ||
|
The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the 'save_custom_user_profile_fields' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the 'ec_store_admin_access' parameter during a profile update and gain store manager access to the site.
|
|||||
| CVE-2026-23599 | 2026-02-18 | N/A | 7.8 HIGH | ||
|
A local privilege-escalation vulnerability has been discovered in the HPE Aruba Networking ClearPass OnGuard Software for Linux. Successful exploitation of this vulnerability could allow a local attacker to achieve arbitrary code execution with root privileges.
|
|||||
| CVE-2024-50619 | 1 Cipplanner | 1 Cipace | 2026-02-13 | N/A | 8.8 HIGH |
|
Vulnerabilities in the My Account and User Management components in CIPPlanner CIPAce before 9.17 allows attackers to escalate their access levels. A low-privileged authenticated user can gain access to other people's accounts by tampering with the client's user id to change their account information. A low-privileged authenticated user can elevate his or her system privileges by modifying the information of a user role that is disabled in the client.
|
|||||
| CVE-2026-26010 | 1 Open-metadata | 1 Openmetadata | 2026-02-13 | N/A | 7.6 HIGH |
|
OpenMetadata is a unified metadata platform. Prior to 1.11.8, calls issued by the UI against /api/v1/ingestionPipelines leak JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres). Any read-only user can gain access to a highly privileged account, typically which has the Ingestion Bot Role. This enables destructive changes in OpenMetadata instances, and potential data leakage (e.g. sample data, or service metadata which would be unavailable per roles/policies). This vulnera ...
Show More |
|||||
| CVE-2025-46310 | 1 Apple | 1 Macos | 2026-02-13 | N/A | 6.0 MEDIUM |
|
This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. An attacker with root privileges may be able to delete protected system files.
|
|||||
| CVE-2026-25643 | 1 Frigate | 1 Frigate | 2026-02-11 | N/A | 9.1 CRITICAL |
|
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by a ...
Show More |
|||||
| CVE-2025-69875 | 1 Quickheal | 1 Total Security | 2026-02-11 | N/A | 7.8 HIGH |
|
A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. This behavior can be abused by a local attacker to place files in high-privilege locations, potentially leading to privilege escalation.
|
|||||
| CVE-2026-21533 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-02-11 | N/A | 7.8 HIGH |
|
Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate privileges locally.
|
|||||