VYPR

CWE-268

Privilege Chaining

Abstraction: Base | Status: Draft | Likelihood of Exploit: High

Description

Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (11)

  • CVE-2025-32445 (Critical), Apr 15, 2025
    risk 0.57, CVSS 9.9, EPSS 0.01

    Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The…

  • CVE-2025-7973 (High), Aug 14, 2025
    risk 0.55, CVSS: none listed, EPSS 0.00

    A security issue exists in FactoryTalk ViewPoint version 14.0 or below due to improper handling of MSI repair operations. During a repair, attackers can hijack the cscript.exe console window, which runs with SYSTEM privileges. This can be exploited to spawn an elevated command…

  • CVE-2025-2903 (High), Apr 17, 2025
    risk 0.55, CVSS: none listed, EPSS 0.00

    An attacker with knowledge of creating user accounts during VM deployment on Google Cloud Platform (GCP) using the OS Login feature, can login via SSH gaining command-line control of the operating system. This allows an attacker to gain access to sensitive data stored on the VM,…

  • CVE-2026-32325 (High), Jun 1, 2026
    risk 0.51, CVSS 7.8, EPSS 0.00

    Privilege chaining issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected product is installed may obtain SYSTEM privilege.

  • CVE-2025-64701 (High), Dec 11, 2025
    risk 0.51, CVSS 7.8, EPSS 0.00

    QND Premium/Advance/Standard Ver.11.0.9i and prior contains a privilege escalation vulnerability, which may allow a user who can log in to a Windows system with the affected product to gain administrator privileges. As a result, sensitive information may be accessed or altered,…

  • CVE-2024-47045 (High), Sep 26, 2024
    risk 0.51, CVSS 7.8, EPSS 0.00

    Privilege chaining issue exists in the installer of e-Tax software (common program). If this vulnerability is exploited, a malicious DLL prepared by an attacker may be executed with higher privileges than the application privilege.

  • CVE-2026-3888 (High), Mar 17, 2026
    risk 0.44, CVSS 7.8, EPSS 0.00

    Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04…

  • CVE-2025-20112 (Medium), May 21, 2025
    risk 0.33, CVSS 5.1, EPSS 0.00

    A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an authenticated, local attacker to elevate privileges to root on an affected device. This vulnerability is due to excessive permissions that have been assigned to…

  • CVE-2025-32955 (Medium), Apr 21, 2025
    risk 0.32, CVSS 6.0, EPSS 0.00

    Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Versions from 0.12.0 to before 2.12.0 are vulnerable to `disable-sudo` bypass. Harden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using…

  • CVE-2023-0759, Feb 9, 2023
    risk 0.00, CVSS: none listed, EPSS 0.00

    Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2.3.8.

  • CVE-2021-3932, Nov 13, 2021
    risk 0.00, CVSS: none listed, EPSS 0.00

    twill is vulnerable to Cross-Site Request Forgery (CSRF).