Search Results (9564 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-3057 1 Purestorage 1 Flasharray 2026-04-15 9.8 Critical
A flaw exists whereby a user can make a specific call to a FlashArray endpoint allowing privilege escalation.
CVE-2024-6322 1 Grafana 2 Grafana, Grafana Enterprise 2026-04-15 4.4 Medium
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.
CVE-2025-53914 1 Calix 1 Gigacenter Ont 2026-04-15 N/A
Excessive Privileges vulnerability in Calix GigaCenter ONT (Broadcom SoC modules) allows Privilege Abuse.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE, 812G, 813G, 818G.
CVE-2024-36587 1 Dnscrypt 1 Dnscrypt-proxy 2026-04-15 7.8 High
Insecure permissions in DNSCrypt-proxy v2.0.0alpha9 to v2.1.5 allows non-privileged attackers to escalate privileges to root via overwriting the binary dnscrypt-proxy.
CVE-2024-36586 1 Adguard 1 Adguardhome 2026-04-15 8.8 High
An issue in AdGuardHome v0.93 to latest allows unprivileged attackers to escalate privileges via overwriting the AdGuardHome binary.
CVE-2025-15151 1 Talelin 1 Lin-cms 2026-04-15 3.7 Low
A vulnerability was determined in TaleLin Lin-CMS up to 0.6.0. This affects an unknown part of the file /tests/config.py of the component Tests Folder. This manipulation of the argument username/password causes password in configuration file. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized.
CVE-2025-60222 3 Fantasticplugins, Woocommerce, Wordpress 3 Sumo Memberships For Woocommerce, Woocommerce, Wordpress 2026-04-15 8.8 High
Incorrect Privilege Assignment vulnerability in FantasticPlugins SUMO Memberships for WooCommerce sumomemberships allows Privilege Escalation.This issue affects SUMO Memberships for WooCommerce: from n/a through <= 7.8.0.
CVE-2024-28270 1 Enilu 1 Web-flash 2026-04-15 8.1 High
An issue discovered in web-flash v3.0 allows attackers to reset passwords for arbitrary users via crafted POST request to /prod-api/user/resetPassword.
CVE-2025-10374 1 Shenzhen Sixun 1 Business Management System 2026-04-15 7.3 High
A security flaw has been discovered in Shenzhen Sixun Business Management System 7/11. This affects an unknown part of the file /Adm/OperatorStop. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited.
CVE-2025-14252 1 Advantech 1 Susi 2026-04-15 7.8 High
An Improper Access Control vulnerability in Advantech SUSI driver (susi.sys) allows attackers to read/write arbitrary memory, I/O ports, and MSRs, resulting in privilege escalation, arbitrary code execution, and information disclosure. This issue affects Advantech SUSI: 5.0.24335 and prior.
CVE-2023-26009 1 Favethemes 1 Houzez 2026-04-15 9.8 Critical
Improper Privilege Management vulnerability in Favethemes Houzez Login Register allows Privilege Escalation.This issue affects Houzez Login Register: from n/a through 2.6.3.
CVE-2025-61152 2026-04-15 6.5 Medium
python-jose thru 3.3.0 allows JWT tokens with 'alg=none' to be decoded and accepted without any cryptographic signature verification. A malicious actor can craft a forged token with arbitrary claims (e.g., is_admin=true) and bypass authentication checks, leading to privilege escalation or unauthorized access in applications that rely on python-jose for token validation. This issue is exploitable unless developers explicitly reject 'alg=none' tokens, which is not enforced by the library. NOTE: all parties agree that the issue is not relevant because it only occurs in a "verify_signature": False situation.
CVE-2025-10992 1 Roncoo 1 Roncoo-pay 2026-04-15 5.3 Medium
A vulnerability was determined in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. Affected is an unknown function of the file /user/info/lookupList. Executing manipulation can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-53908 1 Rommapp 1 Romm 2026-04-15 N/A
RomM is a self-hosted rom manager and player. Versions prior to 3.10.3 and 4.0.0-beta.3 have an authenticated path traversal vulnerability in the `/api/raw` endpoint. Anyone running the latest version of RomM and has multiple users, even unprivileged users, such as the kiosk user in the official implementation, may be affected. This allows the leakage of passwords and users that may be stored on the system. Versions 3.10.3 and 4.0.0-beta.3 contain a patch.
CVE-2024-22264 1 Vmware 1 Vmware Avi Load Balancer 2026-04-15 7.2 High
VMware Avi Load Balancer contains a privilege escalation vulnerability. A malicious actor with admin privileges on VMware Avi Load Balancer can create, modify, execute and delete files as a root user on the host system.
CVE-2024-1973 2026-04-15 8.5 High
By leveraging the vulnerability, lower-privileged users of Content Manager can manipulate Content Manager clients to elevate privileges and perform unauthorized operations.
CVE-2025-7973 1 Rockwellautomation 1 Factorytalk View 2026-04-15 N/A
A security issue exists in FactoryTalk ViewPoint version 14.0 or below due to improper handling of MSI repair operations. During a repair, attackers can hijack the cscript.exe console window, which runs with SYSTEM privileges. This can be exploited to spawn an elevated command prompt, enabling full privilege escalation.
CVE-2025-2345 2026-04-15 9.8 Critical
A vulnerability, which was classified as very critical, was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. This affects an unknown part. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-10657 1 Docker 1 Desktop 2026-04-15 N/A
In a hardened Docker environment, with Enhanced Container Isolation ( ECI https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isolation/ ) enabled, an administrator can utilize the command restrictions feature https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isolation/config/#command-restrictions  to restrict commands that a container with a Docker socket mount may issue on that socket. Due to a software bug, the configuration to restrict commands was ignored when passed to ECI, allowing any command to be executed on the socket. This grants excessive privileges by permitting unrestricted access to powerful Docker commands. The vulnerability affects only Docker Desktop 4.46.0 users that have ECI enabled and are using the Docker socket command restrictions feature. In addition, since ECI restricts mounting the Docker socket into containers by default, it only affects containers which are explicitly allowed by the administrator to mount the Docker socket.
CVE-2024-24892 2026-04-15 8.1 High
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Improper Privilege Management vulnerability in openEuler migration-tools on Linux allows Command Injection, Restful Privilege Elevation. This vulnerability is associated with program files https://gitee.Com/openeuler/migration-tools/blob/master/index.Py. This issue affects migration-tools: from 1.0.0 through 1.0.1.