Total: 40 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-63291 | 1 Alteryx | 1 Alteryx Server | 2026-06-01 | N/A | 5.4 MEDIUM | When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying particular MongoDB object IDs, callers could obtain records for other users without proper authorization. Records retrievable using this attack included administrative API keys and private studio API keys. |
| CVE-2026-9560 | 1 Openvpn | 1 Connect | 2026-05-27 | N/A | 7.8 HIGH | Privilege escalation via the background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via a local IPC channel. |
| CVE-2023-4972 | 1 Yepas | 1 Digital Yepas | 2026-05-21 | N/A | 9.8 CRITICAL | Incorrect Use of Privileged APIs vulnerability in Yepas Digital Yepas allows Collect Data as Provided by Users. This issue affects Digital Yepas: before 1.0.1. |
| CVE-2023-6151 | 1 Eskom | 1 E-belediye | 2026-05-20 | N/A | 7.5 HIGH | Incorrect Use of Privileged APIs vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users. This issue affects e-municipality module: before v.105. |
| CVE-2023-6150 | 1 Eskom | 1 E-belediye | 2026-05-20 | N/A | 7.5 HIGH | Incorrect Use of Privileged APIs vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users. This issue affects e-municipality module: before v.105. |
| CVE-2023-4993 | 1 Utarit | 1 Solipay Mobile | 2026-05-20 | N/A | 7.5 HIGH | Incorrect Use of Privileged APIs vulnerability in Utarit Information Technologies SoliPay Mobile App allows Collect Data as Provided by Users. This issue affects SoliPay Mobile App: before 5.0.8. |
| CVE-2023-6522 | | | 2026-05-20 | N/A | 7.2 HIGH | Incorrect Use of Privileged APIs vulnerability in ExtremePacs Extreme XDS allows Collect Data as Provided by Users. This issue affects Extreme XDS: before 3914. |
| CVE-2026-41225 | | | 2026-05-13 | N/A | 9.1 CRITICAL | A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2026-41386 | 1 Openclaw | 1 Openclaw | 2026-05-01 | N/A | 9.1 CRITICAL | OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to the intended device roles and scopes during pairing. Attackers can exploit this during first-use device pairing to escalate privileges beyond their intended role and scope. |
| CVE-2026-41329 | 1 Openclaw | 1 Openclaw | 2026-04-27 | N/A | 9.9 CRITICAL | OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation. |
| CVE-2026-20122 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2026-04-21 | N/A | 5.4 MEDIUM | A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file to the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges. |
| CVE-2026-35625 | 1 Openclaw | 1 Openclaw | 2026-04-16 | N/A | 7.8 HIGH | OpenClaw before 2026.3.25 contains a privilege escalation vulnerability where silent local shared-auth reconnects auto-approve scope-upgrade requests, widening paired device permissions from operator.read to operator.admin. Attackers can exploit this by triggering a local reconnection to silently escalate privileges and achieve remote code execution on the node. |
| CVE-2026-35645 | 1 Openclaw | 1 Openclaw | 2026-04-15 | N/A | 8.1 HIGH | OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function, which uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privileged operations with unintended administrative scope. |
| CVE-2026-35639 | 1 Openclaw | 1 Openclaw | 2026-04-15 | N/A | 8.8 HIGH | OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient scope validation to escalate privileges to operator.admin and achieve remote code execution on the Node infrastructure. |
| CVE-2025-2311 | | | 2026-04-15 | N/A | 9.0 CRITICAL | Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, and Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, and Harvesting Information via API Event Monitoring. This issue affects SecHard: before 3.3.0.20220411. |
| CVE-2024-53007 | | | 2026-04-15 | N/A | 6.4 MEDIUM | Bentley Systems ProjectWise Integration Server before 10.00.03.288 allows unintended SQL query execution by an authenticated user via an API call. |
| CVE-2025-1161 | | | 2026-04-15 | N/A | 7.1 HIGH | Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc. Nomysem allows Privilege Escalation. This issue affects Nomysem: through May 2025. |
| CVE-2025-5997 | | | 2026-04-15 | N/A | 8.8 HIGH | Incorrect Use of Privileged APIs vulnerability in Beamsec PhishPro allows Privilege Abuse. This issue affects PhishPro: before 7.5.4.2. |
| CVE-2024-32008 | | | 2026-04-15 | N/A | 7.8 HIGH | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to local privilege escalation due to an exposed debug interface on localhost. This allows any local user to gain code execution as the administrative application user. |
| CVE-2024-37018 | | | 2026-04-15 | N/A | 9.1 CRITICAL | The OpenDaylight 0.15.3 controller allows topology poisoning via API requests because an application can manipulate the path that is taken by discovery packets. |
