Total: 2731 CVEs

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-43308 | 1 Intelbras | 4 Sg 2404 Mr, Sg 2404 Mr Firmware, Sg 2404 Poe and 1 more | 2025-04-30 | N/A | 7.8 HIGH | INTELBRAS SG 2404 MR 20180928-rel64938 allows authenticated attackers to arbitrarily create Administrator accounts via crafted user cookies.
CVE-2022-43138 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2025-04-30 | N/A | 9.8 CRITICAL | Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API.
CVE-2021-3919 | 1 Hp | 106 Command Center, Envy 13t-bd100, Envy 13z-ay100 and 103 more | 2025-04-29 | N/A | 9.8 CRITICAL | A potential security vulnerability has been identified in OMEN Gaming Hub and in HP Command Center which may allow escalation of privilege and/or denial of service. HP has released software updates to mitigate the potential vulnerability.
CVE-2025-3761 | | | 2025-04-29 | N/A | 8.8 HIGH | The My Tickets – Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is due to the mt_save_profile() function not appropriately restricting access to unauthorized users to update roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator.
CVE-2025-3101 | | | 2025-04-29 | N/A | 8.8 HIGH | The Configurator Theme Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.7. This is due to the plugin not properly validating user meta fields prior to updating them in the database. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator.
CVE-2025-2238 | | | 2025-04-29 | N/A | 8.8 HIGH | The Vikinger theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.9.30. This is due to insufficient user_meta restrictions in the 'vikinger_user_meta_update_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator-level.
CVE-2024-42798 | 1 Lopalopa | 1 Music Management System | 2025-04-28 | N/A | 7.6 HIGH | An Incorrect Access Control vulnerability was found in /music/index.php?page=user_list and /music/index.php?page=edit_user in Kashipara Music Management System v1.0. This allows a low privileged attacker to take over the administrator account.
CVE-2024-42995 | 1 Vtiger | 1 Vtiger Crm | 2025-04-28 | N/A | 8.3 HIGH | VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules.
CVE-2023-38614 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-04-25 | N/A | 4.3 MEDIUM | A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 17 and iPadOS 17, macOS Sonoma 14. An app may be able to access sensitive user data.
CVE-2025-28399 | 1 Exrick | 1 Xmall | 2025-04-25 | N/A | 9.8 CRITICAL | An issue in Erick xmall v.1.1 and before allows a remote attacker to escalate privileges via the updateAddress method of the Address Controller class.
CVE-2022-46410 | 1 Veritas | 1 Netbackup Flex Scale Appliance | 2025-04-24 | N/A | 8.8 HIGH | An issue was discovered in Veritas NetBackup Flex Scale through 3.0. An attacker with non-root privileges may escalate privileges to root by using specific commands.
CVE-2022-32633 | 3 Google, Mediatek, Yoctoproject | 50 Android, Mt6580, Mt6739 and 47 more | 2025-04-24 | N/A | 6.7 MEDIUM | In Wi-Fi, there is a possible memory access violation due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07441637; Issue ID: ALPS07441637.
CVE-2024-37858 | 1 Oretnom23 | 1 Lost And Found Information System | 2025-04-23 | N/A | 9.8 CRITICAL | SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php.
CVE-2022-3641 | 1 Devolutions | 1 Remote Desktop Manager | 2025-04-23 | N/A | 8.8 HIGH | Elevation of privilege in the Azure SQL Data Source in Devolutions Remote Desktop Manager 2022.3.13 to 2022.3.24 allows an authenticated user to spoof a privileged account.
CVE-2025-32955 | | | 2025-04-23 | N/A | 6.0 MEDIUM | Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Versions from 0.12.0 to before 2.12.0 are vulnerable to `disable-sudo` bypass. Harden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. This issue has been patched in version 2.12.0.
CVE-2022-42796 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-04-22 | N/A | 7.8 HIGH | This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 15.7 and iPadOS 15.7, macOS Ventura 13. An app may be able to gain elevated privileges.
CVE-2024-49742 | 1 Google | 1 Android | 2025-04-22 | N/A | 7.8 HIGH | In onCreate of NotificationAccessConfirmationActivity.java, there is a possible way to hide an app with notification access in Settings due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
CVE-2025-28237 | | | 2025-04-22 | N/A | 8.8 HIGH | An issue in WorldCast Systems ECRESO FM/DAB/TV Transmitter v1.10.1 allows authenticated attackers to escalate privileges via a crafted JSON payload.
CVE-2023-41076 | 1 Apple | 1 Macos | 2025-04-21 | N/A | 7.3 HIGH | An app may be able to elevate privileges. This issue is fixed in macOS 14. This issue was addressed by removing the vulnerable code.
CVE-2022-42855 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2025-04-21 | N/A | 7.1 HIGH | A logic issue was addressed with improved state management. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2. An app may be able to use arbitrary entitlements.