Privilege-Escalation

A critical missing authorization vulnerability, CVE-2026-48582, in Microsoft Exchange Online allows an already authenticated attacker to elevate their privileges over the network, potentially leading to unauthorized access to sensitive data or configuration changes within affected organizations.

A critical improper authentication vulnerability, CVE-2026-45480, in Microsoft Azure Active Directory allows an unauthorized attacker to bypass authentication mechanisms and elevate privileges over a network, potentially leading to full administrative control of Azure AD and associated resources.

A high-severity vulnerability (CVE-2026-53492) in containerd's CRI implementation allows an attacker with pod creation permissions to smuggle arbitrary Container Device Interface (CDI) annotations during container restoration, bypassing Kubernetes resource allocation and enabling unauthorized device and host mount injection into the restored container.

A local attacker can exploit CVE-2016-20095, an unquoted service path vulnerability in Matrix42 Remote Control Host version 3.20.0031, to achieve arbitrary code execution with SYSTEM privileges by placing a malicious executable named 'Program.exe' in the 'C:\Program Files\' directory, leading to privilege escalation when the vulnerable service starts.

An unquoted service path vulnerability, CVE-2016-20089, in Iperius Remote version 1.7.0 allows a local attacker to execute arbitrary code with SYSTEM privileges by placing a malicious executable in a specific directory when the legitimate service path contains spaces, enabling privilege escalation upon service restart or system reboot.

CVE-2026-47647 describes a critical improper access control vulnerability in Microsoft Dynamics 365 that allows an authorized attacker to elevate privileges over a network, potentially leading to full compromise of the affected system.

CVE-2026-25865 describes an unquoted search path element vulnerability in Yandex Punto Switcher through version 4.5.0.583, allowing local attackers to execute arbitrary code by placing a malicious `RunDll32.exe` earlier in the system's PATH to hijack the application's insecure `WinExec` call, leading to arbitrary code execution with affected user privileges.

Adversaries may create custom administrative roles in Google Workspace to establish persistence with tailored, elevated permissions, which are then assigned to compromised or attacker-controlled accounts to bypass security controls, grant OAuth access, or modify mail routing.

Adversaries leverage the assignment of administrative roles within Google Workspace to an existing or new user/group, establishing persistence and escalating privileges to gain broad control over the tenant, including bypassing single sign-on.

A critical external initialization vulnerability (CVE-2026-54003) in Kirby CMS allows unauthenticated attackers to create an initial admin account on sites running behind a reverse proxy, specifically when the proxy utilizes `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` headers, bypassing Kirby's `isLocal` check and enabling remote Panel installation with full administrative access.

Multiple vulnerabilities discovered in Typo3 allow an attacker to achieve remote arbitrary code execution, privilege escalation, data confidentiality compromise, data integrity compromise, security policy bypass, remote indirect code injection (XSS), and SQL injection (SQLi).

Multiple vulnerabilities, including CVE-2025-10263, CVE-2026-42487, CVE-2026-42488, CVE-2026-42489, and CVE-2026-42490, have been discovered in Xen, allowing an attacker to achieve privilege escalation, trigger a remote denial of service, and compromise data confidentiality on vulnerable hypervisor instances.

CERT-FR has disclosed 31 vulnerabilities in various Microsoft Office products, including CVE-2026-44803 and CVE-2026-47635, which could allow remote code execution, privilege escalation, and data confidentiality compromise.

Multiple vulnerabilities, including CVE-2026-45257 (kernel out-of-bounds write) and CVE-2026-49413 (Linux compatibility layer memory mapping), exist in FreeBSD branches 14 and 15, allowing a local unprivileged attacker to achieve privilege escalation.

Multiple vulnerabilities exist in X.Org X11 and Xwayland, allowing attackers to disclose information, escalate privileges, conduct denial-of-service attacks, and perform unspecified attacks.

Dräger Infinity Explorer C700 contains a privilege escalation vulnerability (CVE-2019-25718) that allows attackers to break out of kiosk mode, access the underlying operating system, and potentially cause the device to display incorrect patient monitor information.

CodexBar versions prior to 0.32.0 contain a privilege escalation vulnerability (CVE-2026-49134) due to a race condition in the CLI installer's temporary file handling, allowing local attackers to execute arbitrary commands as root.

This rule detects Linux process executions that reference /etc/kubernetes/manifests in process arguments, which may indicate tampering with static pod manifests for persistence or privilege escalation in Kubernetes environments.

A local attacker can exploit multiple vulnerabilities in Fujitsu ServerView to escalate privileges on the targeted system.

A local attacker can exploit a vulnerability in Red Hat Enterprise Linux (crun) to escalate their privileges, potentially gaining root access.

The CIFSwitch vulnerability in the Linux kernel allows an unprivileged user to forge CIFS authentication key descriptions, abuse the kernel's key request mechanism, and gain root privileges by loading a malicious NSS module.

CVE-2026-7459 is an authenticated account takeover vulnerability in the Simple History WordPress plugin where a subscriber-level user can read password reset emails and escalate privileges to an administrator account.

An authorization bypass vulnerability exists in praisonai-platform where any member can remove any other member, including the workspace owner, due to missing role checks and owner protection logic, allowing an attacker to lock the legitimate owner out of their own workspace, leading to a permanent denial-of-service and potential workspace takeover (CVE-2026-47409).

Praison AI's praisonai-platform is vulnerable to an insecure direct object reference (IDOR) in the label endpoints (CVE-2026-47414), allowing cross-workspace label modification and information disclosure due to improper validation of label and issue IDs.

PraisonAI Platform's workspace-scoped REST routes have an object-level authorization flaw allowing authenticated users from one workspace to access, modify, and delete objects in another workspace by providing the victim object's global UUID.

PraisonAI Platform is vulnerable to cross-workspace IDOR and member-role privilege escalation, allowing unauthorized users to read, update, or delete resources across workspaces, escalate privileges, and potentially take over accounts and workspaces due to insufficient access controls and role enforcement.

Stigmem nodes configured with authentication disabled could grant broad read/write/federation capabilities if exposed outside a loopback-only local development environment, leading to privilege escalation if exposed to untrusted networks; version 0.9.0a2 addresses this issue by disabling unauthenticated operations outside of loopback environments.

A public exploit demonstrates improper privilege management in Apache CouchDB (CVE-2017-12635) leading to privilege escalation, which can be combined with CVE-2017-12636 for remote code execution by modifying server configurations via the HTTP API.

Multiple vulnerabilities in Elastic Kibana allow for privilege escalation, remote denial of service, data breach, server-side request forgery (SSRF), and cross-site scripting (XSS).

A remote, authenticated attacker can exploit multiple vulnerabilities in OpenClaw to bypass security mechanisms, gain elevated privileges, disclose information, manipulate configurations, execute arbitrary commands or code, and attack internal systems via SSRF.

An authenticated remote attacker can exploit a vulnerability in Hirschmann HiSecOS to escalate privileges, potentially gaining unauthorized access and control over the affected system.

The OTP Login With Phone Number, OTP Verification plugin for WordPress versions 1.8.50 through 1.8.60 is vulnerable to authentication bypass due to improper validation of the Firebase session, allowing unauthenticated attackers to authenticate as arbitrary users, including administrators, by supplying a victim's phone number.

A local privilege escalation vulnerability in the Linux Kernel has a published exploit on Exploit-DB, potentially allowing unprivileged users to gain elevated privileges on vulnerable systems.

The WP Maps Pro plugin for WordPress is vulnerable to privilege escalation (CVE-2026-8732), allowing unauthenticated attackers to create administrator accounts and take over vulnerable sites.

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation (CVE-2026-8809), allowing an unauthenticated attacker to create an administrator-level user by bypassing validation in versions up to 0.9.2.5 if a specific form is exposed.

CVE-2026-46824 allows a low-privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue versions 12.2.3-12.2.15, potentially leading to takeover and impact on additional products.

CVE-2026-46817 is a critical vulnerability in Oracle Payments component of Oracle E-Business Suite versions 12.2.3 through 12.2.15, allowing an unauthenticated attacker with network access via HTTP to compromise the application and potentially achieve complete takeover.

CVE-2026-46775 is a critical vulnerability in Oracle REST Data Services (Core component) versions 24.2.0-26.1.0, allowing a low-privileged attacker with network access via HTTPS to achieve complete takeover of the service and potentially impact other products.

The analytic detects ACL deletion on the domain root object in Active Directory by monitoring Windows Event Log Security event ID 5136, identifying significant AD changes with potentially high impact.

Detection of the Microsoft Software Licensing User Interface Tool (`slui.exe`) being executed with elevated privileges using the `-verb runas` parameter, indicating a potential privilege escalation attempt.

This analytic detects when a process running with low or medium integrity spawns an elevated process with high or system integrity in suspicious locations, potentially indicating successful privilege escalation by a threat actor.

This analytic detects changes to the sIDHistory attribute of user or computer objects within the same domain using Windows Security Event Codes 4738 and 4742, which can be abused by adversaries to gain unauthorized access, maintain persistence, or escalate privileges by inheriting permissions from another account.

This Splunk search detects when the owner of an Active Directory object is updated, potentially granting full control privileges and enabling object hiding, focusing on Windows Event Log ID 5136, and includes lookups for SID resolution.

This analytic detects when an ACL is applied to an organizational unit (OU) to deny listing the objects residing in it; this activity, combined with modifying the owner of the OU, can hide Active Directory objects, even from domain administrators.

Modification of Access Control Lists (ACLs) on the Active Directory domain root object can grant attackers persistent and escalated privileges.

Detection of Active Directory user object ACL modifications that grant dangerous permissions, such as full control or the ability to modify permissions, potentially indicating privilege escalation or malicious activity.

Attackers create privileged accounts on Cisco IOS devices and then execute commands remotely via HTTP to gain privileged access.

This correlation search identifies multiple risk events associated with 'Living Off The Land' activity, leveraging the Risk data model to aggregate events, focusing on systems with a high count of distinct sources, potentially enabling attackers to execute code, escalate privileges, or persist within the environment using trusted system utilities.

A Splunk correlation search identifies potential Linux persistence and privilege escalation activities based on risk scores and event counts from various Linux-related data sources, highlighting behaviors that could allow an attacker to maintain access or gain elevated privileges on a Linux system.

This correlation analytic identifies potential privilege escalation activities within an organization's Active Directory (AD) environment by correlating multiple analytics from the Active Directory Privilege Escalation analytic story within a specified time frame, helping identify coordinated attempts to gain elevated privileges which could lead to unauthorized access to sensitive systems and data.

This rule detects potential privilege escalation attempts on Linux systems by monitoring the use of `unshare` with user namespace-related arguments followed by a UID change to root, indicating a transition to root and a potential local privilege escalation.

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification, leading to privilege escalation.

CVE-2026-8380 is a critical authorization bypass vulnerability in the WordPress Frontend File Manager plugin <= 23.6 that allows authenticated low-privilege users, or unauthenticated users with guest uploads enabled, to permanently delete arbitrary WordPress posts, pages, attachments, and custom post types.

A local attacker can exploit multiple vulnerabilities in the Linux Kernel to escalate privileges, cause a denial-of-service condition, disclose sensitive information, or perform an unspecified attack.

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2, allowing attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field.

A local attacker can exploit a vulnerability in VMware Tanzu Spring Security to manipulate files, potentially leading to privilege escalation.

A vulnerability in Kata Containers allows a guest root user to escalate privileges to host root by exploiting the virtiofs shared file system to create arbitrary symlinks on the host.

Pimcore's CustomReports feature has a share bypass vulnerability due to inconsistent authorization checks between the report listing endpoint and the report detail endpoint, allowing low-privileged users to access report configurations without explicit sharing permissions.

Multiple vulnerabilities in Veeam Backup & Replication prior to version 13.0.2.29 allow an attacker to cause privilege escalation and compromise data integrity.

Multiple vulnerabilities in Joomla! versions before 5.4.6 and 6.x before 6.1.1 can allow attackers to perform privilege escalation, compromise data confidentiality, perform cross-site scripting (XSS), and conduct cross-site request forgery (CSRF) attacks.

IBM Netezza Performance Server Replication Services versions 3.0.2.0 through 3.0.5.0 allows an attacker with low-privileged access to escalate their privileges to root, leading to complete system compromise.

CVE-2026-1933 describes a vulnerability in Samba's handling of NTFS-style reparse points on read-only shares, allowing authenticated users with filesystem write permissions to modify reparse point metadata and potentially alter SMB-visible file behavior.

IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002 is vulnerable to CVE-2024-56462, enabling a privileged user to upload a malicious backup archive that, upon restoration, leads to unauthorized access to the underlying operating system.

A local privilege escalation vulnerability exists in Realtek rtl819x Jungle SDK due to missing capability checks on ioctl commands, allowing unprivileged users to gain root privileges on affected Linux systems.

Synology BeeDrive for desktop before 1.3.2-13814 is vulnerable to an uncontrolled search path element, allowing local users to execute arbitrary code through a maliciously placed OpenSSL DLL component.

A local attacker can exploit a vulnerability in OpenVPN Connect on MacOS to escalate their privileges.

A remote, anonymous attacker can exploit multiple vulnerabilities in Apple macOS to gain root privileges, execute arbitrary code, cause a denial-of-service condition, disclose confidential information, modify data, or bypass security measures.

A local attacker can exploit a vulnerability in Insyde UEFI Firmware to execute arbitrary program code, potentially leading to privilege escalation and system compromise.

Multiple vulnerabilities in CODESYS could allow an attacker to escalate privileges, manipulate data, or cause a denial of service.

The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation (CVE-2026-8787) where an authenticated attacker with Subscriber-level access can log in as any existing user, including an Administrator, by submitting that user's email address to the `acb_firebase_auth` AJAX action without proper ownership verification, leading to full account takeover.

Kirby CMS is vulnerable to arbitrary method call via REST API search and collection query endpoints, allowing attackers to execute sensitive methods like password disclosure or privilege escalation, patched in versions 4.9.1 and 5.4.1.

code100x Mobile API contains an authentication bypass vulnerability (CVE-2026-8890) allowing unauthenticated attackers to impersonate arbitrary users by crafting a JSON payload in the 'g' HTTP header, skipping identity header validation and granting unauthorized access to course data.

CVE-2026-7374 allows an authenticated OpenShift user with edit permissions in a single namespace to escalate privileges to full cluster control by exploiting improper symlink validation in KubeVirt's virt-handler component when connecting to VM console sockets.

Flash Slideshow Maker Professional 5.20 is vulnerable to a buffer overflow in the registration dialog, allowing local attackers to execute arbitrary code with system privileges by exploiting structured exception handling and crafting a malicious payload for the Name and Code fields.

Splinterware System Scheduler Pro 5.12 is vulnerable to privilege escalation (CVE-2018-25359) due to insecure file permissions, allowing low-privilege users to replace the service executable with a malicious one, leading to arbitrary code execution as LocalSystem.

CVE-2026-47280 is an improper authentication vulnerability in Azure Resource Manager (ARM) that allows an unauthorized attacker to elevate privileges over a network.

CVE-2026-42901 is an origin validation error in Microsoft Entra ID that allows an unauthorized attacker to elevate privileges over a network, potentially granting them unauthorized access and control.

CVE-2026-33843 allows an unauthorized attacker to elevate privileges over a network in Microsoft Azure Active Directory B2C due to an authentication bypass using an alternate path or channel.

10-Strike Network Inventory Explorer 8.54 contains a stack-based buffer overflow vulnerability in the registration key input field that allows local attackers to execute arbitrary code via SEH overwrite.

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check (CVE-2026-6898), allowing authenticated attackers with subscriber-level access or higher to update the REST API Secret Key, create administrator accounts, and achieve complete site takeover.

CVE-2026-6897 is a critical vulnerability in the Wishlist Member plugin for WordPress, allowing authenticated attackers with subscriber-level access to modify plugin settings, including the REST API secret key, ultimately enabling them to create administrator accounts and take over the entire site.

The WishList Member plugin for WordPress is vulnerable to Missing Authorization, allowing attackers to obtain the REST API Secret Key and escalate privileges to administrator.

The WishList Member plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6419) due to a missing capability and nonce check in the ajax_get_screen() function, allowing authenticated attackers with subscriber-level access to retrieve the plugin's REST API Secret Key and create administrator accounts, leading to complete site takeover.

CVE-2026-35430 allows an authorized attacker to elevate privileges over a network in Azure Privileged Identity Management (PIM) through a user-controlled key.

CVE-2026-23663 is a privilege escalation vulnerability in Azure Entra ID that allows an unauthorized attacker to elevate privileges over a network.

Dell PowerFlex Manager versions 4.6.2 and earlier contain an Incorrect Privilege Assignment vulnerability (CVE-2025-32747) that allows a low-privileged attacker with local access to elevate privileges.

A local attacker can exploit vulnerabilities in Ivanti Secure Access Client to manipulate files or escalate privileges, potentially gaining elevated access to the system.

Multiple vulnerabilities in the Intel NPU Driver allow a local attacker to escalate privileges and cause a denial of service.

A remote, authenticated attacker can exploit multiple vulnerabilities in LiteLLM to escalate their privileges.

A remote, anonymous attacker can exploit a vulnerability in SUSE Manager to execute arbitrary program code with administrator privileges, leading to potential system compromise.

A RoleMember in Nezha monitoring dashboard can achieve cross-tenant remote code execution by injecting arbitrary commands into cron tasks due to insufficient authorization checks, impacting all monitored hosts in the deployment.

A vulnerability in the Debian LTS Linux kernel allows attackers to perform privilege escalation and breach data confidentiality, specifically affecting Debian 11 bullseye versions prior to 5.10.251-5 and 6.1.172-1~deb11u1; tracked as CVE-2026-46333.

A remote, authenticated attacker can exploit a vulnerability in TeamViewer to escalate privileges on a compromised system.

An anonymous, remote attacker can exploit multiple unspecified vulnerabilities in Microsoft Entra ID and Microsoft Azure Resource Manager to escalate privileges.

Multiple vulnerabilities in Trend Micro Apex One could allow an attacker to execute arbitrary code and escalate privileges on affected systems.

CVE-2026-9018 allows unauthenticated attackers to escalate privileges to administrator by exploiting a vulnerability in the Easy Elements for Elementor plugin, which lacks proper input validation during user registration.

Boxlite, a sandbox service, allows malicious code within a container to bypass read-only restrictions on mounted host directories using virtiofs, due to missing hypervisor-level enforcement and unrestricted kernel capabilities, leading to potential code execution on the host and supply chain risks.

A vulnerability in containerd allows for bypassing the Kubernetes `runAsNonRoot` restriction by exploiting a misinterpretation of large numeric User directives in container images, potentially leading to container execution as root (UID 0); this is tracked as CVE-2026-46680 and CVE-2024-40635.

@hulumi/policies versions before 1.3.2 improperly inspect inline and attached IAM policies, potentially allowing admin-equivalent policy paths to bypass the administrator-policy guardrail, resulting in a CIS 1.16 admin policy bypass.

MCP Server Kubernetes versions before 3.6.0 have an access control bypass vulnerability (CVE-2026-46519) where tool access controls are enforced only at the discovery layer, allowing authenticated clients to invoke any Kubernetes tool regardless of configured restrictions, potentially leading to cluster compromise.

Fission runtime pods were created with the `fission-fetcher` service account, granting namespace-wide `get` access to secrets and configmaps; the runtime pod's automounted token was reachable from inside the user's function container, allowing user-supplied function code to inherit the same Kubernetes API privileges and read any secret or configmap in the function's namespace, far beyond the intended `Function.spec.secrets` allowlist.

Amazon SageMaker Python SDK exposes an HMAC signing key in cleartext via API calls, enabling a remote authenticated actor to forge model artifacts and achieve code execution.

samlify's template substitution only escapes attribute contexts, leaving values inserted into element text (e.g., `<saml:AttributeValue>`) unescaped, allowing a normal user to inject XML markup into an attribute value and add new `<saml:Attribute>` elements inside the signed assertion, leading to privilege escalation when attributes are used for authorization (CVE-2026-46490).

A local exploit has been published for Lenovo LegionSpace 1.7.11.2, detailing an Unquoted Service Path vulnerability in the 'DAService', potentially leading to local privilege escalation.

This rule detects passwordless sudo probing activity on Linux systems, which can indicate an attacker attempting to enumerate allowed commands and potential privilege escalation.

Multiple vulnerabilities in Budibase could be exploited by an attacker to gain administrative privileges, bypass security measures, perform cross-site scripting attacks, manipulate data, or disclose confidential information.

CVE-2026-5118 is a critical vulnerability in the Divi Form Builder WordPress plugin (versions 5.1.2 and earlier) that allows unauthenticated attackers to create administrator accounts directly through the registration form, leading to full site takeover.

CVE-2026-41091 is a link following vulnerability in Microsoft Defender that allows an authorized attacker to escalate privileges locally.

CVE-2026-20223: An unauthenticated, remote attacker can access Cisco Secure Workload site resources with Site Admin privileges by sending a crafted API request, due to insufficient validation and authentication of REST API endpoints.

Multiple vulnerabilities in Mozilla Firefox ESR, Firefox, Firefox for iOS, and Thunderbird products can lead to arbitrary code execution, privilege escalation, and remote denial of service.

Rsync versions before 3.4.3 are vulnerable to a TOCTOU race condition allowing attackers with write access to a module path to redirect file writes outside intended directories by replacing parent directory components with symbolic links, potentially leading to privilege escalation when the daemon runs with elevated privileges and chroot is disabled.

Multiple vulnerabilities in Rsync could be exploited by an attacker to elevate privileges, disclose information, bypass security precautions, and perform a denial of service attack.

A local attacker can exploit a vulnerability in Broadcom Automic Automation Agent Unix to escalate their privileges, potentially gaining unauthorized access to sensitive data and system resources.

A local attacker can exploit a vulnerability in Microsoft Azure Portal Windows Admin Center to gain administrator rights, potentially leading to unauthorized access and control over Azure resources.

Multiple vulnerabilities in Microsoft Defender and Microsoft Malware Protection Engine could allow an attacker to elevate privileges, execute arbitrary code, and cause a denial of service condition.

Multiple vulnerabilities in Mozilla Firefox, Firefox ESR, and Thunderbird could allow a remote attacker to execute arbitrary code, disclose information, bypass security restrictions, deceive the user, escalate privileges, or cause a denial-of-service condition.

Multiple vulnerabilities in Vaultwarden allow a remote, anonymous attacker to gain user privileges and disclose sensitive information.

Multiple vulnerabilities in Nvidia GPU Display Drivers allow a local attacker to escalate privileges, manipulate data, disclose information, cause a denial of service, or execute code.

The AcyMailing plugin for WordPress is vulnerable to a missing authorization issue (CVE-2026-5200), allowing authenticated attackers with subscriber-level access to modify privileged AcyMailing configuration, export subscriber secret keys, and potentially achieve administrator account takeover if the administrator's email address is known.

The Read More & Accordion plugin for WordPress is vulnerable to privilege escalation due to insufficient restrictions on database table writes and data validation during import, allowing authenticated attackers to create administrator accounts.

The Account Switcher plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6456) due to a loose comparison and lack of validation on the `rememberLogin` REST API endpoint, allowing authenticated attackers to gain administrator privileges.

The Easy Elements for Elementor plugin for WordPress is vulnerable to privilege escalation (CVE-2026-7284) due to unrestricted user role assignment during registration, allowing unauthenticated attackers to gain administrator access.

CVE-2026-31635, dubbed DirtyDecrypt, is a local privilege escalation vulnerability in the Linux kernel's rxrpc subsystem (rxgk component), allowing an unprivileged user to corrupt page cache and achieve arbitrary file writes, leading to root access on kernels 6.10 to 6.13 with CONFIG_RXGK enabled.

Windmill versions prior to 1.703.2 are vulnerable to incorrect default permissions in the nsjail sandbox configuration, allowing authenticated users to inject malicious entries into critical system files, leading to potential privilege escalation and man-in-the-middle attacks.

The Motorola Factory Test component (com.motorola.motocit) contains an improper authentication vulnerability, allowing a local attacker to bypass permission checks and access protected device settings by leveraging a writable file descriptor in external storage to open a TCP server.

Multiple vulnerabilities have been disclosed in SonicWall Gen6 and Gen7 firewalls, SonicOS, and NSv that can be exploited for authentication bypass, remote code execution, and privilege escalation, specifically CVE-2024-40762, CVE-2024-53704, CVE-2024-53705, and CVE-2024-53706; a proof of concept exploit is available for CVE-2024-53704, which, if exploited, can lead to internal network access and further attacks, including ransomware deployment.

Argo CD is vulnerable to stored cross-site scripting (XSS) via manipulated application link annotations, allowing a low-privileged user to execute arbitrary JavaScript in a higher-privileged user's session, leading to privilege escalation.

The HAXcms Node.js backend contains two cryptographic implementation errors in the `hmacBase64()` function that allow an unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs) allowing them to get full admin access with a single HTTP request.

Multiple vulnerabilities in Docker allow a local attacker to execute arbitrary code with administrator privileges, cause a denial-of-service condition, or manipulate data.

A vulnerability in the cloud-init component of Red Hat Enterprise Linux allows an attacker from an adjacent network to gain administrator privileges.

CVE-2026-31704 is a vulnerability in ksmbd related to the use of check_add_overflow() to prevent a u16 DACL size overflow, potentially leading to denial of service or privilege escalation.

A race condition in Docker's `docker cp` command allows a malicious container to redirect a bind mount target to an arbitrary host path by manipulating symlinks during the setup of temporary filesystem views, potentially overwriting host files or causing denial of service.

A vulnerability exists in Docker where a malicious container image can execute arbitrary code with host root privileges by exploiting the decompression of compressed archives uploaded via the `PUT /containers/{id}/archive` endpoint, tracked as CVE-2026-41567.

A privilege escalation vulnerability exists in Budibase's `onboardUsers` endpoint (CVE-2026-45716) allowing a builder-level user to create global admin accounts by bypassing the intended invite flow when SMTP is not configured, due to insufficient authorization checks and direct user creation with attacker-controlled roles.

When ENABLE_MULTI_TENANT=true, n8n-mcp requests that omit x-n8n-url or x-n8n-key headers silently fall back to the process-level N8N_API_URL / N8N_API_KEY credentials configured for the operator's own n8n instance; an authenticated MCP tenant could cause n8n management calls to execute against the operator's instance instead of its own, leading to potential data access and code execution on the operator's n8n instance.

Threat actors are actively disabling antivirus and EDR solutions through abusing Windows Firewall rules, uninstalling agents, and exploiting vulnerable drivers (BYOVD) to establish persistence, move laterally, and deploy ransomware undetected.

CVE-2026-42822 is an elevation of privilege vulnerability in Azure Local Disconnected Operations (ALDO) due to improper authentication, allowing unauthorized network attackers to escalate privileges.

Multiple Livewire components in the Shopper framework admin panel allowed authenticated low-privilege users to bypass authorization and mutate data without the required permissions, leading to potential privilege escalation and cross-site scripting.

Dify version 1.14.1 and prior contain a path traversal vulnerability (CVE-2026-41948) that allows authenticated users to manipulate requests to the Plugin Daemon's internal REST API and access internal endpoints by traversing out of their authorized tenant path.

Dify version 1.14.1 and prior contains an authorization bypass vulnerability (CVE-2026-41947) that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership, potentially leading to information disclosure by redirecting application messages to attacker-controlled LLM trace providers.

Arcane's REST API lacks proper admin authorization checks on Git repository management endpoints, allowing any authenticated user to exfiltrate stored Git credentials and tamper with GitOps configurations by redirecting credential requests to an attacker-controlled host.

This detection rule identifies suspicious executions of SUID binaries that may be used for privilege escalation on Linux systems, focusing on scenarios where the real user and parent user are not root, combined with minimal argument counts and suspicious parent contexts.

This rule detects potential privilege escalation under the root effective user when the real user and parent user are not root, indicative of the execution of binaries with SUID or SGID bits set, often exploited by adversaries to gain elevated access on Linux systems.

Detects Kubernetes API requests where a user is impersonating a privileged cluster identity such as system:kube-controller-manager, system:admin, system:anonymous, or a member of the system:masters group, potentially leading to privilege escalation and unauthorized access.

Multiple vulnerabilities in Webmin allow an attacker to bypass security measures and execute arbitrary code with administrator privileges, leading to potential system compromise.

The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin is vulnerable to privilege escalation (CVE-2026-8719) due to missing capability enforcement, allowing authenticated users (Subscriber+) to invoke admin-level MCP tools and gain administrator privileges.

VX Search 13.5.28 is vulnerable to an unquoted service path vulnerability (CVE-2021-47974) in both VX Search Server and VX Search Enterprise services, allowing local attackers to escalate privileges by placing malicious executables in unquoted path directories.

Kite 4.2.0.1 U1 contains an unquoted service path vulnerability (CVE-2020-37247) in the KiteService Windows service that allows local attackers to escalate privileges by placing a malicious executable in a directory due to the unquoted service path.

Advanced System Care Service 13.0.0.157 suffers from an unquoted service path vulnerability allowing local attackers to escalate privileges by placing a malicious executable in the system root path.

Privacy Drive 3.17.0 contains an unquoted service path vulnerability in the pdsvc.exe service, allowing local attackers to escalate privileges by placing malicious executables in the unquoted path directories, leading to arbitrary code execution with LocalSystem privileges.

Syncplify.me Server! version 5.0.37 contains an unquoted service path vulnerability (CVE-2020-37230) in the SMWebRestServicev5 service, allowing a local attacker to escalate privileges by placing a malicious executable in the service path.

OKI sPSV Port Manager 1.0.41 contains an unquoted service path vulnerability in the sPSVOpLclSrv service, allowing local attackers to escalate privileges by inserting executable files into the unquoted path.

Multiple vulnerabilities in Strapi could allow an attacker to cause a denial-of-service condition, gain administrator privileges, manipulate data, disclose confidential information, or bypass security measures.

Multiple vulnerabilities in cPanel/WHM allow an attacker to escalate privileges, perform SQL injection with root privileges, manipulate data, or disclose sensitive information.

A remote, anonymous attacker can exploit a vulnerability in the Cisco Catalyst SD-WAN Controller to gain administrator rights and manipulate the network configuration.

Multiple vulnerabilities in the Palo Alto Networks GlobalProtect App could allow an attacker to gain administrator privileges, execute arbitrary code with administrator privileges, disclose sensitive information, manipulate data, and cause a denial-of-service condition.

Multiple vulnerabilities in F5 BIG-IP products could allow an attacker to execute arbitrary code, gain elevated privileges, bypass security measures, manipulate or disclose data, or cause a denial-of-service condition.

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6228) in versions up to and including 3.28.36, allowing unauthenticated attackers to gain administrator privileges.

Multiple vulnerabilities in SAP software could allow an attacker to perform SQL injection, gain elevated privileges, execute arbitrary code, bypass security measures, perform cross-site scripting attacks, manipulate data, disclose sensitive information, or cause other unspecified impacts.

Multiple vulnerabilities in AMD EPYC, Athlon, and Ryzen processors can be exploited by an attacker to execute arbitrary code, escalate privileges, bypass security measures, cause a denial-of-service condition, disclose sensitive information, or manipulate data.

Multiple vulnerabilities exist in Microsoft Windows products, enabling attackers to execute arbitrary code, escalate privileges, perform denial-of-service attacks, disclose information, or bypass security measures.

Open WebUI is vulnerable to privilege escalation and code execution because a missing authorization check on the tool update endpoint allows a user with write access to a tool to replace the tool's server-side Python content and trigger execution, bypassing the intended `workspace.tools` security boundary.

Open WebUI is vulnerable to cross-user file access due to unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints, allowing authenticated users to exfiltrate or overwrite other users' private files given the file UUID (CVE-2026-45402).

Open WebUI versions 0.8.12 and earlier are vulnerable to a time-of-check-time-of-use (TOCTOU) race condition in the LDAP and OAuth authentication flows, allowing multiple concurrent requests on a fresh instance to bypass the first-user admin role assignment and resulting in multiple admin accounts (CVE-2026-45675).

Open WebUI versions prior to 0.8.6 contain a vulnerability in the chat completion API that allows attackers to bypass tool restrictions by invoking any server tool with elevated privileges by supplying the correct tool_id or tool_servers parameters; this issue is tracked as CVE-2026-45350.

Crabbox versions prior to v0.12.0 contain a privilege escalation vulnerability (CVE-2026-8629) that allows users with visibility-only access to obtain elevated agent tickets and impersonate trusted lease-side bridges via unauthorized POST requests to specific ticket endpoints.

Portainer is vulnerable to an endpoint security bypass via Swarm service create/update, enabling non-admin users with access to a Docker Swarm endpoint to bypass `EndpointSecuritySettings` restrictions and gain elevated privileges such as configuring services with elevated Linux capabilities, disabling syscall filtering and AppArmor confinement, setting arbitrary sysctl values, and mounting arbitrary host paths.

Portainer versions 2.33.0 through 2.33.7, 2.39.0 through 2.39.1, and 2.40.0 through 2.40.9 are vulnerable to CVE-2026-44850, a bind-mount restriction bypass via the `HostConfig.Mounts` array allowing regular users to mount host paths into containers and potentially compromise the host filesystem.

Portainer versions 2.33.0 through 2.33.7 are vulnerable to an authorization bypass in the `kubeClientMiddleware` component, allowing users with valid Portainer sessions to bypass Kubernetes authorization checks and access Kubernetes API endpoints on environments that their role should not permit (CVE-2026-44882).

Portainer versions 2.33.0 through 2.33.7, 2.39.0 through 2.39.1, and 2.40.0 expose a missing authorization vulnerability (CVE-2026-44848) on the Docker plugin management endpoints, allowing a non-admin user with access to a Docker endpoint to install and enable arbitrary Docker plugins from any registry, ultimately leading to root privileges on the Docker host and unauthorized file system access.

A gym trainer in wger (<= 2.5) can escalate privileges to a gym manager by chaining calls to the trainer-login endpoint due to a flawed permission check, as tracked by CVE-2026-43978.

FlowiseAI versions 3.1.1 and earlier are vulnerable to a privilege escalation due to missing authentication and permission checks on the OpenAI Assistants Vector Store CRUD endpoints, allowing any authenticated user to create, modify, upload files to, and delete vector stores and files, regardless of their assigned permissions.

FlowiseAI is vulnerable to cross-workspace data takeover due to mass assignment in the CustomTemplate controller, allowing an attacker to move templates to other workspaces by overwriting the `workspaceId` via API request.

FlowiseAI is vulnerable to a mass assignment vulnerability (fixed in PR 6050) that allows authenticated users to move Evaluation entities between workspaces by overwriting the `workspaceId` field via API request, leading to unauthorized data access.

FlowiseAI is vulnerable to a mass assignment vulnerability in the Evaluator controller/service, where an attacker can manipulate the `workspaceId` during evaluator creation or updates, leading to cross-workspace data takeover and IDOR.

This rule detects allowed updates to Kubernetes pods/ephemeralcontainers subresource by non-system identities, which can be abused for privilege escalation, lateral movement, or persistence by injecting tooling into running pods.

Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager could allow a remote attacker to gain access to sensitive information, elevate privileges, or gain unauthorized access to the application.

A vulnerability in the peering authentication of Cisco Catalyst SD-WAN Controller and Manager (CVE-2026-20182) could allow a remote, unauthenticated attacker to bypass authentication and obtain administrative privileges by sending crafted requests.

Detects when the AmazonEKSClusterAdminPolicy or AmazonEKSAdminPolicy is associated with a principal via the EKS Access Entries API, effectively granting full cluster-admin access and enabling potential privilege escalation and persistence.

Successful Amazon EKS Access Entries API operations that create, update, attach, detach, or delete authentication mappings between IAM principals and the cluster, potentially indicating persistence or privilege escalation are detected.

This rule detects modifications to the aws-auth ConfigMap in Amazon EKS clusters, enabling attackers to grant cluster-admin access by mapping AWS IAM roles to the system:masters group, achieving persistence and privilege escalation.

A mass assignment vulnerability exists in FlowiseAI's chatflow update endpoint (CVE-2026-42863), allowing authenticated users to modify server-controlled properties like `deployed`, `isPublic`, and `workspaceId` due to missing server-side validation, leading to cross-workspace resource reassignment and unauthorized modification of deployment and visibility settings.

Detection of non-system identities using the Kubernetes nodes/proxy API to proxy requests through the API server directly to a node's Kubelet, potentially leading to privilege escalation and sensitive information exposure.

Detects creation or approval of a Kubernetes CertificateSigningRequest (CSR) by a non-system identity, indicating an attacker attempting to obtain a long-lived client certificate for persistent cluster access with elevated privileges.

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in versions up to 5.1.2 due to missing authorization checks in the infusedwoo_gdpr_upddata() function, allowing authenticated attackers to grant themselves administrator privileges.

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler, allowing unauthenticated attackers to create malicious automation recipes for auto-login actions.

The Burst Statistics plugin for WordPress is vulnerable to authentication bypass, allowing unauthenticated attackers with knowledge of an administrator username to impersonate that administrator by supplying a random Basic Authentication password, leading to privilege escalation.

Quark Drive before version 0.8.5 is vulnerable to a mass assignment vulnerability (CVE-2026-45229) in the POST /update endpoint, where authenticated attackers can overwrite administrator credentials, gaining persistent access to configured tasks, cloud tokens, and notification services.

A zero-click exploit chain was developed for the Google Pixel 10, achieving root access on Android by exploiting a patched Dolby vulnerability (CVE-2025-54957) and a memory mapping vulnerability in the Chips&Media Wave677DV video processing unit (VPU) driver.

IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerability in the IObitUnSvr service, allowing local attackers to escalate privileges to SYSTEM by placing a malicious executable in the service's path.

CVE-2026-42930 allows an authenticated attacker with 'Administrator' privileges to bypass Appliance mode restrictions on F5 BIG-IP systems.

CVE-2026-42924 allows an authenticated attacker with Resource Administrator or Administrator privileges to escalate privileges by creating malicious SNMP configuration objects through iControl SOAP.

CVE-2026-42406 allows a highly privileged, authenticated attacker with the Certificate Manager role to modify configuration objects in F5 BIG-IP and BIG-IQ systems, leading to arbitrary command execution.

CVE-2026-41953 describes a privilege escalation vulnerability in F5 BIG-IP systems where a highly privileged, authenticated attacker with the Resource Administrator role can modify configuration objects, leading to elevated privileges within the system.

CVE-2026-41217 is a vulnerability in an undisclosed F5 BIG-IP TMOS Shell (tmsh) command that allows an authenticated attacker with resource administrator or administrator role to execute arbitrary system commands with higher privileges, potentially crossing a security boundary in Appliance mode deployments.

CVE-2026-40698 allows a highly privileged, authenticated attacker with Resource Administrator privileges in F5 BIG-IP and BIG-IQ systems to create SNMP configuration objects via iControl REST or TMOS shell (tmsh), resulting in privilege escalation.

An authenticated attacker with Resource Administrator or Administrator roles can modify configuration objects through iControl SOAP in F5 products, leading to privilege escalation via CVE-2026-40631.

CVE-2026-40061 is a vulnerability in F5 BIG-IP DNS that allows an authenticated attacker with Resource Administrator or Administrator privileges to execute arbitrary system commands with elevated privileges via undisclosed iControl REST and TMOS Shell (tmsh) commands, potentially crossing security boundaries in Appliance mode deployments.

CVE-2026-39459 describes a vulnerability in F5's iControl REST and TMOS Shell (tmsh) where a privileged, authenticated attacker with at least the Manager role can execute arbitrary commands by creating malicious configuration objects.

CVE-2026-32673 allows an authenticated attacker with Resource Administrator or Administrator roles to execute arbitrary system commands with higher privileges in F5 BIG-IP scripted monitors, potentially crossing a security boundary in appliance mode deployments.

CVE-2026-32643 describes a vulnerability in F5 BIG-IP and BIG-IQ systems that allows a highly privileged, authenticated attacker with the Certificate Manager role to modify configuration objects, leading to arbitrary command execution.

CVE-2026-20916 describes a vulnerability in F5 BIG-IQ where an authenticated user with low privileges can create or modify arbitrary files via an undisclosed iControl REST endpoint, potentially leading to privilege escalation or system compromise.

A local privilege escalation vulnerability exists in Palo Alto Networks Prisma Access Agent versions prior to 26.2.1 on Linux, macOS, and Windows, allowing a locally authenticated non-administrative user to gain root or NT AUTHORITY\SYSTEM privileges and execute arbitrary code.

Multiple local privilege escalation vulnerabilities exist in Palo Alto Networks GlobalProtect App, allowing a local user to escalate privileges to NT AUTHORITY\SYSTEM on Windows and root on macOS and Linux, enabling arbitrary command execution with administrative privileges.

Multiple authorization bypass vulnerabilities exist in the Endpoint DLP component of Prisma Access Agent, allowing a local attacker to bypass authentication controls and execute privileged operations on macOS and Windows systems with Endpoint DLP enabled; versions prior to 26.2.1 are affected.

The ProfileGrid WordPress plugin versions up to 5.9.8.4 contain an authentication bypass vulnerability (CVE-2026-4609) that allows authenticated users with subscriber-level privileges to add themselves or others to arbitrary groups, including paid groups, without proper authorization, leading to privilege escalation and potential financial impact.

Obot version 0.21.0 has an authorization bypass vulnerability in the `/mcp-connect/{id}` endpoint allowing any authenticated user to connect to any registered MCP server, regardless of permissions, leading to unauthorized access and actions on upstream services.

A user with permissions to modify GitRepository records can manipulate the `current_head` field via the REST API in Nautobot, leading to repository state desynchronization or unavailability; this is remediated in versions 2.4.33 and 3.1.2.

A new local privilege escalation vulnerability in the Linux kernel's XFRM ESP-in-TCP subsystem, named "Fragnesia," allows unprivileged local attackers to modify read-only file contents in the kernel page cache and achieve root privileges through a deterministic page-cache corruption.

An anonymous remote attacker can exploit multiple vulnerabilities in Kiali for Red Hat OpenShift Service Mesh to gain extended privileges, bypass security measures, manipulate or disclose data, or cause a denial-of-service condition.

A local attacker can exploit multiple vulnerabilities in Zoom Video Communications Workplace and Zoom Video Communications Rooms to disclose information or escalate privileges.

An authenticated remote attacker can exploit a vulnerability in Fortinet FortiOS to escalate their privileges.

A remote, authenticated attacker can exploit a vulnerability in Microsoft SQL Server 2017, 2019, 2016 and 2022 to execute arbitrary code and gain administrator privileges.

Multiple vulnerabilities in Microsoft developer tools and platforms could allow an attacker to achieve arbitrary code execution, data manipulation, privilege escalation, bypassing security measures, information disclosure, and denial of service.

Multiple vulnerabilities in Microsoft Azure and Windows Admin Center allow an attacker to escalate privileges, spoof information, and bypass security measures.

A local attacker can exploit a vulnerability in Intel Server Firmware Update Utility Software to escalate their privileges on the targeted system.

A remote memory corruption vulnerability exists in Linux ksmbd that allows remote clients with directory creation permissions to trigger a heap out-of-bounds read and subsequent heap corruption by setting a crafted DACL with a malformed SID, potentially leading to kernel instability, denial of service, or privilege escalation.

Identifies the creation of a Windows service by an unusual client process, which can be leveraged to escalate privileges from administrator to SYSTEM by exploiting misconfigurations or vulnerabilities in the service creation process.

This rule detects the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary, which adversaries may leverage to escalate privileges and bypass access controls through token theft.

An adversary may attempt privilege escalation by masquerading as a known named pipe and manipulating a privileged process to connect to it on Windows systems.

This rule detects parent process spoofing used to create an elevated child process, specifically targeting privilege escalation to SYSTEM, where adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges on Windows systems.

Detects attempts to bypass User Account Control (UAC) by masquerading as a trusted Microsoft Windows directory, abusing a trailing-space in the path to execute code with elevated privileges.

Detects User Account Control (UAC) bypass attempts using eventvwr.exe to execute code with elevated permissions by identifying child processes of eventvwr.exe, excluding mmc.exe and WerFault.exe, which may indicate unauthorized privilege escalation.

Detects User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface, where attackers may attempt to stealthily execute code with elevated permissions, potentially leading to privilege escalation.

This rule detects potential privilege escalation attempts by exploiting CVE-2021-42278, which involves spoofing the samAccountName attribute to impersonate a domain controller and elevate privileges from a standard domain user to a domain administrator by identifying suspicious computer account name rename events where a machine account name is renamed to a user-like account name.

A privilege escalation attempt is detected through modification of the Windows directory (Windir) environment variable, a technique often combined with other vulnerabilities to elevate privileges by redirecting system processes.

Adversaries may escalate privileges by abusing named pipe impersonation, a technique often used with tools like Metasploit's meterpreter getsystem command, where a process writes to a named pipe to facilitate a SYSTEM-token handoff.

The rule detects a local successful logon event with Kerberos authentication from localhost, followed by service creation from the same LogonId, indicating a potential Kerberos relay attack for local privilege escalation to LocalSystem.

This rule detects potential exploitation of the InstallerTakeOver vulnerability (CVE-2021-41379), where successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.

Detects modifications to Group Policy Object Attributes that grant privileges to user accounts or add users as local administrators, indicating potential privilege escalation attempts.

Detects the creation of a delegated Managed Service Account (dMSA) by an unusual subject account, potentially indicating an attempt to abuse weak permissions for privilege escalation in Active Directory.

Detection of modifications to the msDS-ManagedAccountPrecededByLink attribute of a delegated managed service account (dMSA) by an unusual subject account, which attackers can abuse to inherit permissions and elevate privileges in Active Directory.

CVE-2026-40410 is a use-after-free vulnerability in the Windows SMB Client that allows an authorized attacker to elevate privileges locally.

CVE-2026-42896 describes an integer overflow vulnerability in the Windows DWM Core Library, allowing an authorized local attacker to elevate privileges.

CVE-2026-42825 is a use-after-free vulnerability in the Windows Telephony Service that allows an authorized, local attacker to elevate privileges.

CVE-2026-41613 is a session fixation vulnerability in Visual Studio Code that allows an unauthorized attacker to elevate privileges over a network.

CVE-2026-41095 is a use-after-free vulnerability in the Data Deduplication component of Windows that allows an authenticated attacker to elevate privileges locally.

CVE-2026-41088 is a vulnerability in Windows Ancillary Function Driver for WinSock that allows an authorized attacker to elevate privileges locally due to external control of file name or path.

CVE-2026-41086 describes an improper access control vulnerability in Windows Admin Center, allowing an authorized attacker to elevate privileges over a network.

CVE-2026-40420 is an improper access control vulnerability in Microsoft Office Click-To-Run allowing an authorized attacker to elevate privileges locally.

CVE-2026-40419 is a use-after-free vulnerability in Microsoft Office that allows an authenticated, local attacker to elevate privileges.

CVE-2026-40418 is a use-after-free vulnerability in Microsoft Office Click-To-Run that allows an authorized attacker to elevate privileges locally.

CVE-2026-40417 is a privilege escalation vulnerability affecting Microsoft Dynamics Business Central due to weak authentication, allowing an authorized attacker to elevate privileges locally.

CVE-2026-40408 is a use-after-free vulnerability in Windows Kernel-Mode Drivers, enabling a locally authenticated attacker to elevate privileges.

CVE-2026-40407 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) Driver, enabling a locally authenticated attacker to escalate privileges on the system.

CVE-2026-40399 is a stack-based buffer overflow vulnerability in the Windows TCP/IP stack, allowing an authenticated local attacker to elevate privileges.

CVE-2026-40398 is a heap-based buffer overflow vulnerability in Windows Remote Desktop that allows an authorized attacker to elevate privileges locally.

CVE-2026-40397 is an integer underflow vulnerability in the Windows Common Log File System (CLFS) driver that allows an authenticated attacker to escalate privileges locally.

CVE-2026-40382 is a use-after-free vulnerability in the Windows Telephony Service that allows an authorized attacker to elevate privileges locally.

CVE-2026-40381 is a vulnerability in the Azure Connected Machine Agent that allows an authorized attacker to elevate privileges locally due to improper access control.

CVE-2026-40377 is a heap-based buffer overflow vulnerability in Windows Cryptographic Services, allowing an authorized local attacker to elevate privileges.

CVE-2026-40369 is an untrusted pointer dereference vulnerability in the Windows Kernel that allows a locally authorized attacker to escalate privileges.

CVE-2026-42823 is a critical vulnerability in Azure Logic Apps that allows an authorized attacker to elevate privileges over a network due to improper access control.

CVE-2026-41103 describes an incorrect implementation of the authentication algorithm in Microsoft SSO Plugin for Jira & Confluence, allowing an unauthorized attacker to elevate privileges over a network.

CVE-2026-40402 is a use-after-free vulnerability in Windows Hyper-V, enabling an unauthorized local attacker to escalate privileges.

CVE-2026-40361 is a use-after-free vulnerability in Microsoft Office Word that allows an unauthorized attacker to execute code locally.

CVE-2026-35438 is a missing authorization vulnerability in Windows Admin Center that allows an authorized attacker to elevate privileges over a network.

CVE-2026-35436 is a privilege escalation vulnerability in Microsoft Office Click-To-Run due to insufficient granularity of access control, allowing an authorized attacker to elevate privileges locally.

CVE-2026-35433 is a local privilege escalation vulnerability in .NET due to improper input validation, allowing an unauthorized attacker to elevate privileges.

CVE-2026-35420 is a heap-based buffer overflow vulnerability in the Windows Kernel that allows an authorized local attacker to elevate privileges.

CVE-2026-35418 is a use-after-free vulnerability in the Windows Cloud Files Mini Filter Driver that allows an authorized local attacker to elevate privileges.

CVE-2026-35417 is a type confusion vulnerability in Windows Win32K - ICOMP that allows an authorized attacker to elevate privileges locally.

CVE-2026-35416 is a use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock, enabling a locally authorized attacker to escalate privileges.

CVE-2026-35415 is an integer overflow vulnerability in the Windows Storage Spaces Controller that allows a locally authorized attacker to elevate privileges.

CVE-2026-34351 is a race condition vulnerability in Windows TCP/IP that allows an authorized attacker to elevate privileges locally.

CVE-2026-34347 is a use-after-free vulnerability in Windows Win32K - GRFX that allows an authorized local attacker to elevate privileges.

CVE-2026-34345 describes a race condition vulnerability in Windows Ancillary Function Driver for WinSock, allowing an authorized attacker to elevate privileges locally.

CVE-2026-34344 is a type confusion vulnerability in the Windows Ancillary Function Driver for WinSock, allowing an authorized local attacker to elevate privileges.

CVE-2026-34343 is a heap-based buffer overflow vulnerability in the Windows Application Identity (AppID) Subsystem that allows an authorized attacker to elevate privileges locally.

CVE-2026-34342 is a race condition vulnerability in Windows Print Spooler Components that allows an authorized attacker to elevate privileges locally.