Search Results (9556 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-66428 1 Plesk 1 Obsidian 2026-04-15 8.8 High
An issue with WordPress directory names in WebPros WordPress Toolkit before 6.9.1 allows privilege escalation.
CVE-2025-37186 2 Hp, Linux 2 Aruba Virtual Intranet Access, Linux 2026-04-15 7.8 High
A local privilege-escalation vulnerability has been discovered in the HPE Aruba Networking Virtual Intranet Access (VIA) client. Successful exploitation of this vulnerability could allow a local attacker to achieve arbitrary code execution with root privileges.
CVE-2025-10650 1 Softiron 1 Hypercloud 2026-04-15 N/A
SoftIron HyperCloud 2.5.0 through 2.6.3 may incorrectly add user SSH keys to the administrator-level authorized keys under certain conditions, allowing unauthorized privilege escalation to admin via SSH. Affects non-production debug and internal development builds created between versions 2.5.0 and 2.6.3.  No generally available (GA) or customer-released production builds were affected.  There is no evidence that this issue was exposed in customer environments or production deployments.
CVE-2025-6723 1 Chef 1 Inspec 2026-04-15 N/A
Chef InSpec versions up to 5.23 and before 7.0.107 creates named pipes with overly permissive default Windows access controls. A local attacker may interfere with the pipe connection process and exploit the insufficient access restrictions to assume the InSpec execution context, potentially resulting in elevated privileges or operational disruption. This issue affects Chef Inspec: through 5.23 and before 7.0.107
CVE-2024-4988 2026-04-15 7.5 High
The mobile application (com.transsion.videocallenhancer) interface has improper permission control, which can lead to the risk of private file leakage.
CVE-2025-32111 1 Acme.sh Project 1 Acme.sh 2026-04-15 8.7 High
The Docker image from acme.sh before 40b6db6 is based on a .github/workflows/dockerhub.yml file that lacks "persist-credentials: false" for actions/checkout.
CVE-2024-52926 1 Delinea Privilege Manager 1 Delinea Privilege Manager 2026-04-15 6.5 Medium
Delinea Privilege Manager before 12.0.2 mishandles the security of the Windows agent.
CVE-2024-33393 1 Spidernet-io 1 Spiderpool 2026-04-15 6.2 Medium
An issue in spidernet-io spiderpool v.0.9.3 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component.
CVE-2025-3418 2026-04-15 8.8 High
The WPC Admin Columns plugin for WordPress is vulnerable to privilege escalation in versions 2.0.6 to 2.1.0. This is due to the plugin not properly restricting user meta values that can be updated through the ajax_edit_save() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator.
CVE-2023-51481 2026-04-15 9.8 Critical
Improper Privilege Management vulnerability in powerfulwp Local Delivery Drivers for WooCommerce allows Privilege Escalation.This issue affects Local Delivery Drivers for WooCommerce: from n/a through 1.9.0.
CVE-2024-33374 1 Lb Link 1 Bl W1210m 2026-04-15 9.8 Critical
Incorrect access control in the UART/Serial interface on the LB-LINK BL-W1210M v2.0 router allows attackers to access the root terminal without authentication.
CVE-2025-53428 2 N-media, Wordpress 2 Simple User Registration, Wordpress 2026-04-15 8.8 High
Incorrect Privilege Assignment vulnerability in N-Media Simple User Registration wp-registration allows Privilege Escalation.This issue affects Simple User Registration: from n/a through <= 6.8.
CVE-2024-33226 2026-04-15 9.9 Critical
An issue in the component Access64.sys of Wistron Corporation TBT Force Power Control v1.0.0.0 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests.
CVE-2025-14778 1 Redhat 2 Build Keycloak, Build Of Keycloak 2026-04-15 5.4 Medium
A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation.
CVE-2024-22752 1 Easeus 1 Mobimover 2026-04-15 8.1 High
Insecure permissions issue in EaseUS MobiMover 6.0.5 Build 21620 allows attackers to gain escalated privileges via use of crafted executable launched from the application installation directory.
CVE-2024-53706 1 Sonicwall 1 Sonicos 2026-04-15 7.8 High
A vulnerability in the Gen7 SonicOS Cloud platform NSv, allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially lead to code execution.
CVE-2024-52334 1 Siemens 1 Syngo Plaza Vb30e 2026-04-15 5.3 Medium
A vulnerability has been identified in syngo.plaza VB30E (All versions < VB30E_HF07). The affected application does not encrypt the passwords properly. This could allow an attacker to recover the original passwords and might gain unauthorized access.
CVE-2025-0139 2026-04-15 N/A
An incorrect privilege assignment vulnerability in Palo Alto Networks Autonomous Digital Experience Manager allows a locally authenticated low privileged user on macOS endpoints to escalate their privileges to root.
CVE-2025-2179 1 Palo Alto Networks 1 Globalprotect App 2026-04-15 N/A
An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on Linux devices enables a locally authenticated non administrative user to disable the app even if the GlobalProtect app configuration would not normally permit them to do so. The GlobalProtect app on Windows, macOS, iOS, Android, Chrome OS and GlobalProtect UWP app are not affected.
CVE-2024-36439 2026-04-15 9.4 Critical
Swissphone DiCal-RED 4009 devices allow a remote attacker to gain access to the administrative web interface via the device password's hash value, without knowing the actual device password.