Total
2269 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-14975 | | | 2026-01-29 | N/A | 8.1 HIGH |
| The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account | |||||
| CVE-2025-13292 | | | 2026-01-29 | N/A | N/A |
| A vulnerability in Apigee-X allowed an attacker to gain unauthorized read and write access to Apigee Analytics (AX) data and access logs belonging to other Apigee customer organizations. Apigee-X was found to be vulnerable. This vulnerability was patched in version 1-16-0-apigee-3. No user action is required for this. | |||||
| CVE-2026-22039 | | | 2026-01-29 | N/A | 9.9 CRITICAL |
| Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy’s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno’s admission controller identity, targeting any API path allowed by that ServiceAccount’s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability. | |||||
| CVE-2025-13917 | | | 2026-01-29 | N/A | 7.0 HIGH |
| WSS Agent, prior to 9.8.5, may be susceptible to an Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. | |||||
| CVE-2025-13918 | | | 2026-01-29 | N/A | 6.7 MEDIUM |
| Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to an Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. | |||||
| CVE-2026-21957 | 1 Oracle | 1 Vm Virtualbox | 2026-01-29 | N/A | 7.5 HIGH |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | |||||
| CVE-2026-21963 | 1 Oracle | 1 Vm Virtualbox | 2026-01-29 | N/A | 6.0 MEDIUM |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). | |||||
| CVE-2026-21981 | 1 Oracle | 1 Vm Virtualbox | 2026-01-29 | N/A | 4.6 MEDIUM |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.6 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:L). | |||||
| CVE-2026-21983 | 1 Oracle | 1 Vm Virtualbox | 2026-01-29 | N/A | 7.5 HIGH |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | |||||
| CVE-2023-23428 | 1 Honor | 1 Magicos | 2026-01-27 | N/A | 3.3 LOW |
| Some Honor products are affected by an incorrect privilege assignment vulnerability; successful exploitation could cause device service exceptions. | |||||
| CVE-2023-23429 | 1 Honor | 1 Magicos | 2026-01-27 | N/A | 4.0 MEDIUM |
| Some Honor products are affected by an incorrect privilege assignment vulnerability; successful exploitation could cause device service exceptions. | |||||
| CVE-2023-23427 | 1 Honor | 1 Magicos | 2026-01-27 | N/A | 4.0 MEDIUM |
| Some Honor products are affected by an incorrect privilege assignment vulnerability; successful exploitation could cause device service exceptions. | |||||
| CVE-2025-39202 | 1 Hitachienergy | 1 Microscada X Sys600 | 2026-01-26 | N/A | 7.3 HIGH |
| A vulnerability exists in the Monitor Pro interface of the MicroSCADA X SYS600 product. An authenticated user with low privileges can see and overwrite files causing information leak and data corruption. | |||||
| CVE-2026-23477 | 1 Rocket.chat | 1 Rocket.chat | 2026-01-26 | N/A | 7.7 HIGH |
| Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0. | |||||
| CVE-2026-21223 | | | 2026-01-26 | N/A | 5.1 MEDIUM |
| Microsoft Edge Elevation Service exposes a privileged COM interface that inadequately validates the privileges of the calling process. A standard (non‑administrator) local user can invoke the IElevatorEdge interface method LaunchUpdateCmdElevatedAndWait, causing the service to execute privileged update commands as LocalSystem. This allows a non‑administrator to enable or disable Windows Virtualization‑Based Security (VBS) by modifying protected system registry keys under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard. Disabling VBS weakens critical platform protections such as Credential Guard, Hypervisor‑protected Code Integrity (HVCI), and the Secure Kernel, resulting in a security feature bypass. | |||||
| CVE-2025-15403 | | | 2026-01-26 | N/A | 9.8 CRITICAL |
| The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function being accessible via the 'rm_user_exists' AJAX action and allowing arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to inject an empty slug into the order parameter and manipulate the plugin's menu generation logic, and when the admin menu is subsequently built, the plugin adds 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user. | |||||
| CVE-2025-14533 | | | 2026-01-26 | N/A | 9.8 CRITICAL |
| The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field. | |||||
| CVE-2026-23990 | | | 2026-01-26 | N/A | 5.3 MEDIUM |
| The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. In order to be vulnerable, cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., `email`, `groups`), or configure custom CEL expressions that can evaluate to empty values. After OIDC token claims are processed through CEL expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions. This can result in privilege escalation, data exposure, and/or information disclosure. Version 0.40.0 patches the issue. | |||||
| CVE-2026-0920 | | | 2026-01-26 | N/A | 9.8 CRITICAL |
| The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site. | |||||
| CVE-2025-66428 | | | 2026-01-26 | N/A | 8.8 HIGH |
| An issue with WordPress directory names in WebPros WordPress Toolkit before 6.9.1 allows privilege escalation. | |||||
