Search Results (1916 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-38294 2026-04-15 6.1 Medium
Certain software builds for the Itel Vision 3 Turbo Android device contain a vulnerable pre-installed app with a package name of com.transsion.autotest.factory (versionCode='7', versionName='1.8.0(220310_1027)') that allows local third-party apps to execute arbitrary shell commands in its context (system user) due to inadequate access control. No permissions or special privileges are necessary to exploit the vulnerability in the com.transsion.autotest.factory app. No user interaction is required beyond installing and running a third-party app. The vulnerability allows local apps to access sensitive functionality that is generally restricted to pre-installed apps, such as programmatically performing the following actions: granting arbitrary permissions (which can be used to obtain sensitive user data), installing arbitrary apps, video recording the screen, wiping the device (removing the user's apps and data), injecting arbitrary input events, calling emergency phone numbers, disabling apps, accessing notifications, and much more. The confirmed vulnerable software build fingerprints for the Itel Vision 3 Turbo device are as follows: Itel/F6321/itel-S661LP:11/RP1A.201005.001/GL-V92-20230105:user/release-keys, Itel/F6321/itel-S661LP:11/RP1A.201005.001/GL-V86-20221118:user/release-keys, Itel/F6321/itel-S661LP:11/RP1A.201005.001/GL-V78-20221101:user/release-keys, Itel/F6321/itel-S661LP:11/RP1A.201005.001/GL-V64-20220803:user/release-keys, Itel/F6321/itel-S661LP:11/RP1A.201005.001/GL-V61-20220721:user/release-keys, Itel/F6321/itel-S661LP:11/RP1A.201005.001/GL-V58-20220712:user/release-keys, and Itel/F6321/itel-S661LP:11/RP1A.201005.001/GL-V051-20220613:user/release-keys. This malicious app sends a broadcast Intent to the receiver component named com.transsion.autotest.factory/.broadcast.CommandReceiver with the path to a shell script that it creates in its scoped storage directory. Then the com.transsion.autotest.factory app will execute the shell script with "system" privileges.
CVE-2024-36339 2026-04-15 7.3 High
A DLL hijacking vulnerability in the AMD Optimizing CPU Libraries could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.
CVE-2025-20629 2026-04-15 6.7 Medium
Insecure inherited permissions in the NVM Update Utility for some Intel(R) Ethernet Network Adapter E810 Series before version 4.60 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-48823 1 Automatic Systems 1 Maintenance Slimlane 2026-04-15 9.8 Critical
Local file inclusion in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to escalate privileges via the PassageAutoServer.php page.
CVE-2025-11575 2 Microsoft, Mongodb 2 Windows, Mongodb 2026-04-15 7.8 High
Incorrect Default Permissions vulnerability in MongoDB Atlas SQL ODBC driver on Windows allows Privilege Escalation.This issue affects MongoDB Atlas SQL ODBC driver: from 1.0.0 through 2.0.0.
CVE-2024-48822 1 Automatic Systems 1 Maintenance Slimlane 2026-04-15 8.8 High
Privilege escalation in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to escalate privileges via the FtpConfig.php page.
CVE-2024-23847 1 Yokogawa Rental Lease Corporation 1 Unifier 2026-04-15 5.9 Medium
Incorrect default permissions issue exists in Unifier and Unifier Cast. If this vulnerability is exploited, arbitrary code may be executed with LocalSystem privilege. As a result, a malicious program may be installed, data may be altered or deleted.
CVE-2025-13193 1 Redhat 1 Enterprise Linux 2026-04-15 5.5 Medium
A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability.
CVE-2024-51162 1 Audimex 1 Audimexee 2026-04-15 8.8 High
An issue in Audimex EE versions 15.1.20 and earlier allowing a remote attacker to escalate privileges. Analyzing the offline client code, it was identified that it is possible for any user (with any privilege) of Audimex to dump the whole Audimex database. This gives visibility upon password hashes of any user, ongoing audit data and more.
CVE-2025-20095 2026-04-15 6.7 Medium
Incorrect Default Permissions for some Intel(R) RealSenseā„¢ SDK software before version 2.56.2 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2026-28553 1 Huawei 2 Emui, Harmonyos 2026-04-14 6.9 Medium
Vulnerability of improper permission control in the theme setting module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2026-4722 1 Mozilla 1 Firefox 2026-04-14 8.8 High
Privilege escalation in the IPC component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
CVE-2026-34450 2 Anthropic, Anthropics 2 Claude Sdk For Python, Anthropic-sdk-python 2026-04-14 4.4 Medium
The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created memory files with mode 0o666, leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. Both the synchronous and asynchronous memory tool implementations were affected. This issue has been patched in version 0.87.0.
CVE-2026-26131 2 Linux, Microsoft 2 Linux Kernel, .net 2026-04-14 7.8 High
Incorrect default permissions in .NET allows an authorized attacker to elevate privileges locally.
CVE-2026-25203 1 Samsung Electronics 1 Magicinfo 9 Server 2026-04-14 7.8 High
Samsung MagicINFO 9 Server Incorrect Default Permissions Local Privilege Escalation Vulnerability This issue affects MagicINFO 9 Server: less than 21.1091.1.
CVE-2023-5042 2 Acronis, Microsoft 2 Cyber Protect Home Office, Windows 2026-04-10 7.5 High
Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40713, Acronis True Image OEM (Windows) before build 42575.
CVE-2024-11088 2 Mra13, Simple-membership-plugin 2 Simple Membership, Simple Membership 2026-04-08 5.3 Medium
The Simple Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5.5 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
CVE-2024-11089 1 Cayenne 1 Anonymous Restricted Content 2026-04-08 5.3 Medium
The Anonymous Restricted Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.5 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to logged-in users.
CVE-2024-9947 2 Profilepress, Properfraction 2 Profilepress, Profilepress 2026-04-08 8.1 High
The ProfilePress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.11.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
CVE-2026-35535 1 Sudo Project 1 Sudo 2026-04-07 7.4 High
In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.