Total
1449 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-44786 | 2026-04-15 | N/A | 7.5 HIGH | ||
| Incorrect access control in Meabilis CMS 1.0 allows attackers to access other users' address books via unspecified vectors. | |||||
| CVE-2024-46463 | 2026-04-15 | N/A | 7.8 HIGH | ||
| By default, dedicated folders of ORIZON for Windows up to 2024.3 can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. Configuration of ORIZON has to be modified to prevent this vulnerability. | |||||
| CVE-2025-36522 | 2026-04-15 | N/A | 6.7 MEDIUM | ||
| Incorrect default permissions for some Intel(R) Chipset Software before version 10.1.20266.8668 or later. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | |||||
| CVE-2025-57852 | 2026-04-15 | N/A | 6.4 MEDIUM | ||
| A container privilege escalation flaw was found in KServe ModelMesh container images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | |||||
| CVE-2025-8069 | 2026-04-15 | N/A | 7.8 HIGH | ||
| During the AWS Client VPN client installation on Windows devices, the install process references the C:\usr\local\windows-x86_64-openssl-localbuild\ssl directory location to fetch the OpenSSL configuration file. As a result, a non-admin user could place arbitrary code in the configuration file. If an admin user starts the AWS Client VPN client installation process, that code could be executed with root-level privileges. This issue does not affect Linux or Mac devices. We recommend users discontinue any new installations of AWS Client VPN on Windows prior to version 5.2.2. | |||||
| CVE-2025-20087 | 2026-04-15 | N/A | 6.7 MEDIUM | ||
| Incorrect default permissions for some Intel(R) oneAPI DPC++/C++ Compiler software installers may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2024-46624 | 2026-04-15 | N/A | 8.8 HIGH | ||
| An issue in InfoDom Performa 365 v4.0.1 allows authenticated attackers to elevate their privileges to Administrator via a crafted payload sent to /api/users. | |||||
| CVE-2025-7195 | 2026-04-15 | N/A | 6.4 MEDIUM | ||
| Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | |||||
| CVE-2024-42419 | 2026-04-15 | N/A | 6.7 MEDIUM | ||
| Incorrect default permissions for some Intel(R) GPA and Intel(R) GPA Framework software installers may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2025-49006 | 2026-04-15 | N/A | N/A | ||
| Wasp (Web Application Specification) is a Rails-like framework for React, Node.js, and Prisma. Prior to version 0.16.6, Wasp authentication has a vulnerability in the OAuth authentication implementation (affecting only Keycloak with a specific config). Wasp currently lowercases OAuth user IDs before storing / fetching them. This behavior violates OAuth and OpenID Connect specifications and can result in user impersonation, account collisions, and privilege escalation. In practice, out of the OAuth providers that Wasp auth supports, only Keycloak is affected. Keycloak uses a lowercase UUID by default, but users can configure it to be case sensitive, making it affected. Google, GitHub, and Discord use numerical IDs, making them not affected. Users should update their Wasp version to `0.16.6` which has a fix for the problematic behavior. Users using Keycloak can work around the issue by not using a case sensitive user ID in their realm configuration. | |||||
| CVE-2024-0245 | 2026-04-15 | N/A | 5.5 MEDIUM | ||
| A misconfiguration in the AndroidManifest.xml file in hamza417/inure before build97 allows for task hijacking. This vulnerability permits malicious applications to inherit permissions of the vulnerable app, potentially leading to the exposure of sensitive information. An attacker can create a malicious app that hijacks the legitimate Inure app, intercepting and stealing sensitive information when installed on the victim's device. This issue affects all Android versions before Android 11. | |||||
| CVE-2024-30977 | 2026-04-15 | N/A | 7.8 HIGH | ||
| An issue in Secnet Security Network Intelligent AC Management System v.1.02.040 allows a local attacker to escalate privileges via the password component. | |||||
| CVE-2025-4412 | 2026-04-15 | N/A | N/A | ||
| On macOS systems, by utilizing a Launch Agent and loading the viscosity_openvpn process from the application bundle, it is possible to load a dynamic library with Viscosity's TCC (Transparency, Consent, and Control) identity. The acquired resource access is limited without entitlements such as access to the camera or microphone. Only user-granted permissions for file resources apply. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. This issue was fixed in version 1.11.5 of Viscosity. | |||||
| CVE-2025-27711 | 2026-04-15 | N/A | 6.7 MEDIUM | ||
| Incorrect default permissions for some Intel(R) One Boot Flash Update (Intel(R) OFU) software before version 14.1.31 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | |||||
| CVE-2025-53813 | 2026-04-15 | N/A | N/A | ||
| The configuration of Nozbe on macOS, specifically the "RunAsNode" fuse enabled, allows a local attacker with unprivileged access to execute arbitrary code that inherits Nozbe TCC (Transparency, Consent, and Control) permissions. Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. This issue was fixed in version 2025.11 of Nozbe. | |||||
| CVE-2025-40585 | 2026-04-15 | N/A | 9.9 CRITICAL | ||
| A vulnerability has been identified in Energy Services (All versions with G5DFR). Affected solutions using G5DFR contain default credentials. This could allow an attacker to gain control of G5DFR component and tamper with outputs from the device. | |||||
| CVE-2025-24891 | 2026-04-15 | N/A | 9.6 CRITICAL | ||
| Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it's possible to inject malicious payloads into files ran on schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may permit wholly unprivileged users root access. Otherwise, anybody with a PIN. | |||||
| CVE-2025-20023 | 2026-04-15 | N/A | 6.7 MEDIUM | ||
| Incorrect default permissions for some Intel(R) Graphics Driver software installers may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2025-4081 | 2026-04-15 | N/A | N/A | ||
| Use of entitlement "com.apple.security.cs.disable-library-validation" and lack of launch and library load constraints allows to substitute a legitimate dylib with malicious one. A local attacker with unprivileged access can execute the application with altered dynamic library successfully bypassing Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. This issue affects DaVinci Resolve on macOS in all versions. Last tested version: 19.1.3 | |||||
| CVE-2024-10183 | 2026-04-15 | N/A | N/A | ||
| A vulnerability in Jamf Pro's Jamf Remote Assist tool allows a local, non-privileged user to escalate their privileges to root on MacOS systems. | |||||