Lucene search

2475 matches found
Patchstack
added 2026/01/21 6:56 p.m. (15 views)

WordPress LA-Studio Element Kit for Elementor plugin <= 1.5.6.3 - Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter vulnerability

Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter vulnerability, discovered by Wordfence in the WordPress plugin LA-Studio Element Kit for Elementor, versions <= 1.5.6.3...

CVSS 9.8 | AI score 5.5 | EPSS 0.01078
Exploits: 4 | References: 1 | Affected software: 1
CVE
added 2026/01/21 5:27 p.m. (9 views)

CVE-2021-47852

CVE-2021-47852 affects Rockstar Games Launcher 1.0.37.349. The issue is an insecure permission configuration on the RockstarService.exe binary, allowing authenticated users to replace it with a malicious binary, which yields a new administrator user and elevated system access. Root cause: weak pe...

CVSS 8.8 | AI score 5.5 | EPSS 0.00198
Exploits: 0 | References: 3
Cvelist
added 2026/01/20 8:48 p.m. (14 views)

CVE-2026-21664

HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the afr.php delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent ...

CVSS 6.1 | EPSS 0.00163
Exploits: 0 | References: 1
ATTACKERKB
added 2026/01/20 8:48 p.m. (5 views)

CVE-2026-21664

HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the afr.php delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent ...

CVSS 6.1 | AI score 5.5 | EPSS 0.00163
Exploits: 0 | References: 2 | Affected software: 1
Positive Technologies
added 2026/01/20 12:00 a.m. (3 views)

PT-2026-3659

HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the banner-acl.php and channel-acl.php scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is...

CVSS 6.1 | AI score 5.5 | EPSS 0.00163
Exploits: 0 | References: 2
Vulnrichment
added 2026/01/19 8:52 p.m. (2 views)

CVE-2026-23877 Directory Traversal & Filesystem can be accessed by a non-admin user

Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's listfolders function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user including non-admin can browse arbitrary directories on the server...

CVSS 5.3 | AI score 5.7 | EPSS 0.00511
Exploits: 1 | References: 2
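The traversal pattern behind the Swing Music entry above, shown as an added example that is not Swing Music's own code (the advisory does not quote the listfolders implementation). The library layout, the "private" directory outside it and the "escape" symlink are all constructed here so the example runs offline; the vulnerable listing joins the client-supplied folder straight onto the music root, while the hardened one canonicalises the result and refuses anything that no longer sits under the root.

```python
import os
import tempfile
from pathlib import Path


def make_library():
    """Build a constructed, throwaway layout for this example (not Swing Music data):

        <tmp>/library/Albums/A/track.mp3   <- the music root handed to the browser API
        <tmp>/private/keys.txt             <- outside the root; must never be listable
        <tmp>/library/escape -> ../private <- symlink inside the root pointing outside
    """
    base = Path(tempfile.mkdtemp(prefix="dirbrowser_"))
    root = base / "library"
    (root / "Albums" / "A").mkdir(parents=True)
    (root / "Albums" / "A" / "track.mp3").write_bytes(b"")
    outside = base / "private"
    outside.mkdir()
    (outside / "keys.txt").write_text("not for music clients\n")
    try:
        (root / "escape").symlink_to(outside, target_is_directory=True)
    except OSError:
        pass  # symlink creation may be denied (e.g. unprivileged Windows); the rest still runs
    return root, outside


def list_folders_vulnerable(root, user_path):
    """Shape of the bug: the client-supplied folder is joined onto the root as-is.

    "../private" walks out of the root, and os.path.join(root, "/etc") drops the
    root entirely because the second argument is absolute.
    """
    target = os.path.join(str(root), user_path)
    return sorted(os.listdir(target))


def resolve_inside(root, user_path):
    """Return the canonical path of root/user_path, or None if it lies outside root.

    resolve() collapses "..", "." and symlinks, so containment is checked on the
    path the OS will actually open rather than on the string the client sent.
    """
    root_real = Path(root).resolve()
    candidate = (root_real / user_path).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        return None
    return candidate


def list_folders_hardened(root, user_path):
    """Hardened listing: refuse anything whose canonical path escapes the root."""
    target = resolve_inside(root, user_path)
    if target is None:
        raise PermissionError(f"{user_path!r} resolves outside the music root")
    if not target.is_dir():
        raise NotADirectoryError(user_path)
    return sorted(p.name for p in target.iterdir())


def demo():
    """Run both versions against the constructed layout and report what each allows."""
    root, _ = make_library()
    results = {
        "vulnerable_escape": list_folders_vulnerable(root, "../private"),
        "hardened_ok": list_folders_hardened(root, "Albums"),
    }
    for probe in ("../private", "/", "Albums/../../private", "escape"):
        try:
            list_folders_hardened(root, probe)
            results[probe] = "allowed"
        except PermissionError:
            results[probe] = "blocked"
        except (FileNotFoundError, NotADirectoryError):
            results[probe] = "missing"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check compares canonical paths rather than looking for ".." in the input: an absolute path, a dot-dot sequence buried mid-path and a symlink planted inside the root all fail the same containment test, which a substring filter would miss.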
NVD
added 2026/01/16 10:16 p.m. (7 views)

CVE-2026-21223

Improper privilege management in Microsoft Edge (Chromium-based) allows an authorized attacker to bypass a security feature locally...

CVSS 7.1 | EPSS 0.0025
Exploits: 0 | References: 1
RedhatCVE
added 2026/01/15 3:15 p.m. (5 views)

CVE-2026-22238

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful...

CVSS 10 | AI score 7.3 | EPSS 0.00644
Exploits: 0 | References: 1
NVD
added 2026/01/14 3:16 p.m. (5 views)

CVE-2026-22238

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful...

CVSS 10 | EPSS 0.00644
Exploits: 0 | References: 1
ATTACKERKB
added 2026/01/14 2:38 p.m. (4 views)

CVE-2026-22238

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful...

CVSS 10 | AI score 5.7 | EPSS 0.00644
Exploits: 0 | References: 2
Positive Technologies
added 2026/01/14 12:00 a.m. (4 views)

PT-2026-2861

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful...

CVSS 10 | AI score 7.3 | EPSS 0.00644
Exploits: 0 | References: 2
NVD
added 2026/01/13 11:15 p.m. (5 views)

CVE-2022-50927

Cyclades Serial Console Server 3.3.0 contains a local privilege escalation vulnerability due to overly permissive sudo privileges for the admin user and admin group. Attackers can exploit the default user configuration to gain root access by manipulating system binaries and leveraging unrestricte...

CVSS 8.5 | EPSS 0.00136
Exploits: 0 | References: 3
Cvelist
added 2026/01/13 10:51 p.m. (25 views)

CVE-2022-50927 Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation

Cyclades Serial Console Server 3.3.0 contains a local privilege escalation vulnerability due to overly permissive sudo privileges for the admin user and admin group. Attackers can exploit the default user configuration to gain root access by manipulating system binaries and leveraging unrestricte...

CVSS 8.5 | EPSS 0.00136
Exploits: 0 | References: 3
Vulnrichment
added 2026/01/13 10:51 p.m. (2 views)

CVE-2022-50927 Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation

Cyclades Serial Console Server 3.3.0 contains a local privilege escalation vulnerability due to overly permissive sudo privileges for the admin user and admin group. Attackers can exploit the default user configuration to gain root access by manipulating system binaries and leveraging unrestricte...

CVSS 8.5 | AI score 6.8 | EPSS 0.00136
Exploits: 0 | References: 3
OSV
added 2026/01/13 3:15 p.m. (3 views)

CVE-2025-13444

OS Command Injection Remote Code Execution Vulnerability in the API of Progress LoadMaster allows an authenticated attacker with "User Administration" permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters...

CVSS 6.8 | AI score 6.2 | EPSS 0.25389
Exploits: 0 | References: 4
Positive Technologies
added 2026/01/13 12:00 a.m. (3 views)

PT-2026-2403

Name of the Vulnerable Software and Affected Versions: Cyclades Serial Console Server version 3.3.0
Description: The Cyclades Serial Console Server has a local privilege escalation issue. The problem stems from overly permissive sudo privileges granted to the admin user and admin group. An attacker...

CVSS 8.5 | AI score 6.7 | EPSS 0.00136
Exploits: 0 | References: 5
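The CVE-2022-50927 entries above (NVD, Cvelist, Vulnrichment and PT-2026-2403) all describe the same root cause: sudo rules that let the admin user and admin group run far more than they need. The rule auditor below is an added example, not code from the advisory or the Cyclades product; the sudoers text it parses is constructed for the example (the advisory does not quote the appliance's actual rules), with the "admin" user and "%admin" group chosen to mirror the advisory's wording. It parses user specifications, carries NOPASSWD/PASSWD tags across the command list the way sudo does, and flags rules that grant ALL commands as root.

```python
import re

# Constructed sample in sudoers syntax, written for this example only.
SAMPLE_SUDOERS = """
# /etc/sudoers (constructed)
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
admin       ALL=(ALL) NOPASSWD: ALL
%admin      ALL=(ALL) ALL
backup      ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /usr/bin/tar
operator    ALL=(ALL) /usr/bin/systemctl restart console
"""

# user-or-%group  host = (runas) [TAG: ]cmd[, [TAG: ]cmd ...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?P<tag>[A-Z_]+):\s*(?P<rest>.*)$")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias", "@")


def parse_sudoers(text):
    """Parse user specifications into rule dicts.

    A tag such as NOPASSWD applies to every command that follows it in the same
    rule until another tag (e.g. PASSWD) overrides it, as in sudoers itself.
    Defaults, alias definitions and include directives are skipped: this is a
    rule auditor, not a full sudoers grammar, and aliases are not expanded.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # also drops #include lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas")
        # (user:group) -> keep the user part; an omitted runas defaults to root
        runas_user = (runas or "root").split(":", 1)[0].strip() or "root"
        nopasswd = False
        commands = []
        for chunk in m.group("cmds").split(","):
            chunk = chunk.strip()
            while True:
                t = TAG_RE.match(chunk)
                if not t or t.group("tag") not in TAGS:
                    break
                if t.group("tag") == "NOPASSWD":
                    nopasswd = True
                elif t.group("tag") == "PASSWD":
                    nopasswd = False
                chunk = t.group("rest").strip()
            commands.append({"cmd": chunk, "nopasswd": nopasswd})
        rules.append({"who": m.group("who"), "host": m.group("host"),
                      "runas": runas_user, "commands": commands})
    return rules


def audit(rules):
    """Return (who, finding) pairs for rules that hand out unrestricted root."""
    findings = []
    for rule in rules:
        if rule["who"] == "root":
            continue  # root granting itself sudo is noise, not a finding
        as_root = rule["runas"] in ("ALL", "root")
        for c in rule["commands"]:
            if c["cmd"] == "ALL" and as_root:
                finding = "ALL commands as root"
                if c["nopasswd"]:
                    finding += " without a password"
                findings.append((rule["who"], finding))
    return findings


if __name__ == "__main__":
    for who, finding in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{who}: {finding}")
```

On a live system the same auditor can be pointed at the output of `sudo -l` or at `/etc/sudoers` and `/etc/sudoers.d/*` read as root; the two rules it flags in the sample are exactly the shape the advisory describes, an individual account and a group both allowed to run anything as root.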
NVD
added 2026/01/09 5:15 p.m. (3 views)

CVE-2026-22194

GestSup versions up to and including 3.2.60 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. This...

CVSS 8.9 | EPSS 0.00213
Exploits: 0 | References: 2
ATTACKERKB
added 2026/01/09 4:17 p.m. (3 views)

CVE-2026-22194

GestSup versions up to and including 3.2.60 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. This...

CVSS 8.9 | AI score 5.4 | EPSS 0.00213
Exploits: 0 | References: 3
Vulnrichment
added 2026/01/09 4:17 p.m. (4 views)

CVE-2026-22194 GestSup <= 3.2.60 CSRF Allows Privileged Actions

GestSup versions up to and including 3.2.60 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. This...

CVSS 8.9 | AI score 5.7 | EPSS 0.00213
Exploits: 0 | References: 2
OSV
added 2026/01/09 4:16 p.m. (4 views)

CVE-2025-67281

In TIM BPM Suite / TIM FLOW through 9.1.2, multiple SQL injection vulnerabilities exist which allow low-privileged and administrative users to access the database and its content...

CVSS 5.4 | AI score 5.8 | EPSS 0.00192
Exploits: 0 | References: 2