CWE-269
Improper Privilege Management
ClassDraftLikelihood: Medium
Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-122 · CAPEC-233 · CAPEC-58
CVEs mapped to this weakness (567)
page 19 of 29| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-23896 | Hig | 0.47 | 7.2 | 0.00 | Jan 29, 2026 | immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue. | |
| CVE-2025-67246 | Hig | 0.47 | 7.3 | 0.00 | Jan 15, 2026 | A local information disclosure vulnerability exists in the Ludashi driver before 5.1025 due to a lack of access control in the IOCTL handler. This driver exposes a device interface accessible to a normal user and handles attacker-controlled structures containing the lower 4GB of physical addresses. The handler maps arbitrary physical memory via MmMapIoSpace and copies data back to user mode without verifying the caller's privileges or the target address range. This allows unprivileged users to read arbitrary physical memory, potentially exposing kernel data structures, kernel pointers, security tokens, and other sensitive information. This vulnerability can be further exploited to bypass the Kernel Address Space Layout Rules (KASLR) and achieve local privilege escalation. | |
| CVE-2025-6042 | Hig | 0.47 | 7.3 | 0.00 | Oct 15, 2025 | The Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.0. This is due to the plugin assigning the editor role by default. While limitations with respect to capabilities are put in place, use of the API is not restricted. This vulnerability can be leveraged together with CVE-2025-6038 to obtain admin privileges. | |
| CVE-2025-9966 | Hig | 0.47 | — | 0.00 | Sep 23, 2025 | Improper privilege management vulnerability in Novakon P series allows attackers to gain root privileges if one service is compromized.This issue affects P series: P – V2001.A.C518o2 until P-2.0.05 Build 2026.02.06 (commit d0f97fd9). | |
| CVE-2025-52915 | Hig | 0.47 | 7.2 | 0.00 | Sep 9, 2025 | K7RKScan.sys 23.0.0.10, part of the K7 Security Anti-Malware suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. This is caused by insufficient caller validation in the driver's IOCTL handler, enabling unauthorized processes to perform those actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications. | |
| CVE-2025-36729 | Hig | 0.47 | 7.2 | 0.00 | Aug 26, 2025 | A non-primary administrator user with admin rights to the web interface but without shell access permissions can display configuration of the device including the master admin password. This vulnerability also allows the user to give themselves shell access with the root gid. | |
| CVE-2025-50124 | Hig | 0.47 | — | 0.00 | Jul 11, 2025 | A CWE-269: Improper Privilege Management vulnerability exists that could cause privilege escalation when the server is accessed by a privileged account via a console and through exploitation of a setup script. | |
| CVE-2024-13835 | Hig | 0.47 | 7.2 | 0.00 | Mar 8, 2025 | The Post Meta Data Manager plugin for WordPress is vulnerable to multisite privilege escalation in all versions up to, and including, 1.4.4. This is due to the plugin not properly verifying the existence of a multisite installation prior to allowing user meta to be added/modified. This makes it possible for authenticated attackers, with Administrator-level access and above, to gain elevated privileges on subsites that would otherwise be inaccessible. | |
| CVE-2024-21966 | Hig | 0.47 | 7.3 | 0.00 | Feb 11, 2025 | A DLL hijacking vulnerability in the AMD Ryzen™ Master Utility could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. | |
| CVE-2024-7291 | Hig | 0.47 | 7.2 | 0.00 | Aug 3, 2024 | The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields. This makes it possible for authenticated attackers, with administrator-level and above permissions, to register as super-admins on the sites configured as multi-sites. | |
| CVE-2024-38775 | Hig | 0.47 | 7.2 | 0.00 | Aug 1, 2024 | Improper Privilege Management vulnerability in WebAppick CTX Feed allows Privilege Escalation.This issue affects CTX Feed: from n/a through 6.5.6. | |
| CVE-2024-2003 | Hig | 0.47 | 7.3 | 0.00 | Jun 21, 2024 | Local privilege escalation vulnerability allowed an attacker to misuse ESET's file operations during a restore operation from quarantine. | |
| CVE-2024-33569 | Hig | 0.47 | 7.2 | 0.00 | May 17, 2024 | Improper Privilege Management vulnerability in Darren Cooney Instant Images allows Privilege Escalation.This issue affects Instant Images: from n/a through 6.1.0. | |
| CVE-2023-47682 | Hig | 0.47 | 7.2 | 0.00 | May 17, 2024 | Improper Privilege Management vulnerability in weDevs WP User Frontend allows Privilege Escalation.This issue affects WP User Frontend: from n/a through 3.6.5. | |
| CVE-2023-37866 | Hig | 0.47 | 7.2 | 0.00 | May 17, 2024 | Improper Privilege Management vulnerability in Crocoblock JetFormBuilder allows Privilege Escalation.This issue affects JetFormBuilder: from n/a through 3.0.8. | |
| CVE-2024-22264 | Hig | 0.47 | 7.2 | 0.00 | May 8, 2024 | VMware Avi Load Balancer contains a privilege escalation vulnerability. A malicious actor with admin privileges on VMware Avi Load Balancer can create, modify, execute and delete files as a root user on the host system. | |
| CVE-2017-14484 | Hig | 0.47 | 7.3 | 0.00 | Sep 15, 2017 | The Gentoo sci-mathematics/gimps package before 28.10-r1 for Great Internet Mersenne Prime Search (GIMPS) allows local users to gain privileges by creating a hard link under /var/lib/gimps, because an unsafe "chown -R" command is executed. | |
| CVE-2012-0384 | Hig | 0.47 | 7.2 | 0.00 | Mar 29, 2012 | Cisco IOS 12.2 through 12.4 and 15.0 through 15.2 and IOS XE 2.1.x through 2.6.x and 3.1.xS before 3.1.2S, 3.2.xS through 3.4.xS before 3.4.2S, 3.5.xS before 3.5.1S, and 3.1.xSG and 3.2.xSG before 3.2.2SG, when AAA authorization is enabled, allow remote authenticated users to bypass intended access restrictions and execute commands via a (1) HTTP or (2) HTTPS session, aka Bug ID CSCtr91106. | |
| CVE-2026-45675 | Hig | 0.46 | 8.1 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, he LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (signup_handler in auths.py, line 663) was explicitly patched to prevent this race with the comment "Insert with default role first to avoid TOCTOU race", but the LDAP and OAuth code paths were never updated with the same fix. This vulnerability is fixed in 0.9.0. | |
| CVE-2026-42609 | Hig | 0.46 | 8.1 | 0.00 | May 11, 2026 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2. |