Total
109 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-23857 | 1 Dell | 1 Update Package Framework | 2026-06-17 | N/A | 8.2 HIGH |
| Dell Update Package (DUP) Framework, versions 23.12.00 through 24.12.00, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | |||||
| CVE-2026-21736 | 1 Imaginationtech | 1 Ddk | 2026-06-17 | N/A | 4.4 MEDIUM |
| Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory. This is caused by improper handling of the memory protections for the user-mode wrapped memory resource. | |||||
| CVE-2026-20817 | 1 Microsoft | 8 Windows 10 21h2, Windows 10 22h2, Windows 11 23h2 and 5 more | 2026-06-17 | N/A | 7.8 HIGH |
| Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2026-1772 | 1 Hitachienergy | 8 Rtu520, Rtu520 Firmware, Rtu530 and 5 more | 2026-06-17 | N/A | 5.3 MEDIUM |
| RTU500 web interface: An unprivileged user can read user management information. The information cannot be accessed via the RTU500 web user interface but requires further tools like browser development utilities to access them without required privileges. | |||||
| CVE-2026-0047 | 1 Google | 1 Android | 2026-06-17 | N/A | 8.4 HIGH |
| In dumpBitmapsProto of ActivityManagerService.java, there is a possible way for an app to access private information due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-8109 | 2026-06-17 | N/A | 8.8 HIGH | ||
| Software installed and run as a non-privileged user may conduct ptrace system calls to issue writes to GPU origin read only memory. | |||||
| CVE-2025-6573 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| Kernel software installed and running inside an untrusted/rich execution environment (REE) could leak information from the trusted execution environment (TEE). | |||||
| CVE-2025-67848 | 1 Moodle | 1 Moodle | 2026-06-17 | N/A | 8.1 HIGH |
| A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling unauthorized access to the system. This can lead to information disclosure or other unauthorized actions by users who should be restricted. | |||||
| CVE-2025-64997 | 1 Checkmk | 1 Checkmk | 2026-06-17 | N/A | 6.5 MEDIUM |
| Insufficient permission validation in Checkmk versions prior to 2.4.0p17 and 2.3.0p42 allow low-privileged users to view agent information via the REST API, which could lead to information disclosure. | |||||
| CVE-2025-62510 | 1 Filerise | 1 Filerise | 2026-06-17 | N/A | 8.1 HIGH |
| FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In version 1.4.0, a regression allowed folder visibility/ownership to be inferred from folder names. Low-privilege users could see or interact with folders matching their username and, in some cases, other users’ content. This issue has been patched in version 1.5.0, where it introduces explicit per-folder ACLs (owners/read/write/share/read_own) and strict server-side checks across list, read, write, share, rename, copy/move, zip, and WebDAV paths. | |||||
| CVE-2025-62509 | 1 Filerise | 1 Filerise | 2026-06-17 | N/A | 8.1 HIGH |
| FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to version 1.4.0, a business logic flaw in FileRise’s file/folder handling allows low-privilege users to perform unauthorized operations (view/delete/modify) on files created by other users. The root cause was inferring ownership/visibility from folder names (e.g., a folder named after a username) and missing server-side authorization/ownership checks across file operation endpoints. This amounted to an IDOR pattern: an attacker could operate on resources identified only by predictable names. This issue has been patched in version 1.4.0 and further hardened in version 1.5.0. A workaround for this issue involves restricting non-admin users to read-only or disable delete/rename APIs server-side, avoid creating top-level folders named after other usernames, and adding server-side checks that verify ownership before delete/rename/move. | |||||
| CVE-2025-62176 | 1 Joinmastodon | 1 Mastodon | 2026-06-17 | N/A | 4.3 MEDIUM |
| Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients using any valid authentication token, even if those tokens lack the read:statuses scope. This allows OAuth clients without the read scope to subscribe to public channels and receive public timeline events. The impact is limited, as this only affects new public posts published on the public timelines and requires an otherwise valid token, but this may lead to unexpected access to public posts in a limited-federation setting. This issue has been patched in versions 4.4.6, 4.3.14, and 4.2.27. No known workarounds exist. | |||||
| CVE-2025-59040 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| Tuleap is an Open Source Suite to improve management of software developments and collaboration. Backlog item representations do not verify the permissions of the child trackers. Users might see tracker names they should not have access to. This vulnerability is fixed in Tuleap Community Edition 16.11.99.1757427600 and Tuleap Enterprise Edition 16.11-6 and 16.10-8. | |||||
| CVE-2025-58770 | 1 Ami | 1 Aptio V | 2026-06-17 | N/A | 8.8 HIGH |
| APTIOV contains a vulnerability in BIOS where a user may cause “Improper Handling of Insufficient Permissions or Privileges” by local access. Successful exploitation of this vulnerability can lead to escalation of authorization and potentially impact Integrity and Availability. | |||||
| CVE-2025-58457 | 1 Apache | 1 Zookeeper | 2026-06-17 | N/A | 4.3 MEDIUM |
| Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue. The issue can be mitigated by disabling both commands (via admin.snapshot.enabled and admin.restore.enabled), disabling the whole AdminServer interface (via admin.enableServer), or ensuring that the root ACL does not provide open permissions. (Note that ZooKeeper ACLs are not recursive, so this does not impact operations on child nodes besides notifications from recursive watches.) | |||||
| CVE-2025-58410 | 1 Imaginationtech | 1 Ddk | 2026-06-17 | N/A | 7.5 HIGH |
| Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permissions to memory buffers exported as read-only. This is caused by improper handling of the memory protections for the buffer resource. | |||||
| CVE-2025-58122 | 1 Checkmk | 1 Checkmk | 2026-06-17 | N/A | 5.4 MEDIUM |
| Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API, which could lead to unauthorized actions or information disclosure. | |||||
| CVE-2025-58121 | 1 Checkmk | 1 Checkmk | 2026-06-17 | N/A | 5.4 MEDIUM |
| Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain sensitive information | |||||
| CVE-2025-50170 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2026-06-17 | N/A | 7.8 HIGH |
| Improper handling of insufficient permissions or privileges in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-49731 | 1 Microsoft | 1 Teams | 2026-06-17 | N/A | 3.1 LOW |
| Improper handling of insufficient permissions or privileges in Microsoft Teams allows an authorized attacker to elevate privileges over a network. | |||||