CWE-269
Improper Privilege Management
MITRE: No catalog description on file. The MITRE CWE site has the canonical reference.
Recent CVEs
Showing 46 of 46

- CVE-2026-46716 · Critical 9.9 · EPSS 0% · 8 h ago
  Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitr
- CVE-2026-12018 · High 8.8 · EPSS 0% · 10 h ago
  Inappropriate implementation in Mojo in Google Chrome on Windows prior to 149.0.7827.115 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
- CVE-2023-28434 · High 8.8 · KEV · EPSS 52% · 14 h ago · go
  MinIO Security Feature Bypass Vulnerability
- CVE-2014-3153 · High 7.8 · KEV · EXPLOIT · EPSS 75% · 14 h ago
  Linux Kernel Privilege Escalation Vulnerability
- CVE-2020-0787 · High 7.8 · KEV · EXPLOIT · EPSS 59% · 14 h ago
  Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability
- CVE-2019-13272 · High 7.8 · KEV · EXPLOIT · EPSS 80% · 14 h ago
  Linux Kernel Improper Privilege Management Vulnerability
- CVE-2019-1388 · High 7.8 · KEV · EPSS 8% · 14 h ago
  Microsoft Windows Certificate Dialog Privilege Escalation Vulnerability
- CVE-2026-21533 · High 7.8 · KEV · EPSS 19% · 14 h ago
  Microsoft Windows Improper Privilege Management Vulnerability
- CVE-2021-34484 · High 7.8 · KEV · EPSS 3% · 14 h ago
  Microsoft Windows User Profile Service Privilege Escalation Vulnerability
- CVE-2024-38014 · High 7.8 · KEV · EPSS 13% · 14 h ago
  Microsoft Windows Installer Improper Privilege Management Vulnerability
- CVE-2021-34527 · High 8.8 · KEV · EXPLOIT · EPSS 94% · 14 h ago
  Microsoft Windows Print Spooler Remote Code Execution Vulnerability
- CVE-2024-8068 · High 8.0 · KEV · EPSS 8% · 14 h ago
  Citrix Session Recording Improper Privilege Management Vulnerability
- CVE-2020-3950 · High 7.8 · KEV · EXPLOIT · EPSS 16% · 14 h ago
  VMware Multiple Products Privilege Escalation Vulnerability
- CVE-2024-26169 · High 7.8 · KEV · EPSS 35% · 14 h ago
  Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability
- CVE-2021-42287 · High 7.5 · KEV · EPSS 94% · 14 h ago
  Microsoft Active Directory Domain Services Privilege Escalation Vulnerability
- CVE-2024-49035 · High 8.7 · KEV · EPSS 6% · 14 h ago
  Microsoft Partner Center Improper Access Control Vulnerability
- CVE-2020-8655 · High 7.8 · KEV · EXPLOIT · EPSS 88% · 14 h ago
  EyesOfNetwork Improper Privilege Management Vulnerability
- CVE-2021-25337 · Medium 4.4 · KEV · EPSS 1% · 14 h ago
  Samsung Mobile Devices Improper Access Control Vulnerability
- CVE-2026-50566 · Critical 9.9 · EPSS 0% · 16 h ago
  Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a tenant with environments.fission.io create/update RBAC can run privileg
- CVE-2025-31272 · High 7.8 · EPSS 0% · 18 h ago
  The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4. An app may be able to bypass launch constraint protections and execute malicious code with elevated privileges.
- CVE-2026-45176 · — · EPSS 0% · 1 d ago
  Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within high-privileged agent components. A local, low-privileged attacker could exploit this by manipulating an internal communication mechanism o
- CVE-2026-1726 · Medium 4.8 · EPSS 0% · 1 d ago
  IBM Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2, 4.2.1, 5.0, and 5.1 enables privilege escalation, allowing unauthorized users to perform administrative operations after being demoted. Attackers could access sensitive data, modify system
- CVE-2026-44119 · Medium 5.5 · EPSS 0% · 2 d ago
  Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. This issue affects Apache HTTP Server: from through 2.4.67. Users are
- CVE-2026-50545 · Critical 9.9 · EPSS 0% · 2 d ago
  Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough l
- CVE-2026-50563 · Critical 9.9 · EPSS 0% · 2 d ago
  Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Container Executor path lets a tenant supply Function.spec.pods
- CVE-2026-50565 · Medium 4.9 · EPSS 0% · 2 d ago
  Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builde
- CVE-2026-50564 · Critical 9.9 · EPSS 0% · 2 d ago
  Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.p
- CVE-2026-50570 · High 8.5 · EPSS 0% · 2 d ago
  Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Fission added PodSpec safety validation for tenant-facing Environment and
- CVE-2026-11229 · Medium 6.1 · EPSS 0% · 2 d ago
  Inappropriate implementation in Enterprise in Google Chrome prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via physical access to the device. (Chromium security severity: Low)
- CVE-2026-46617 · — · EPSS 0% · 2 d ago · go
  Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read
- CVE-2026-46618 · — · EPSS 0% · 2 d ago · go
  Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables
- CVE-2025-6254 · Critical 9.8 · EPSS 0% · 2 d ago
  The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.6.8. This is due to the doctreat_process_registration() function not properly restricting the roles that a user can registe
- CVE-2020-18171 · High 8.8 · EPSS 0% · 2 d ago
  TechSmith Snagit 19.1.0.2653 uses Object Linking and Embedding (OLE) which can allow attackers to obfuscate and embed crafted files used to escalate privileges. NOTE: This implies that Snagit's use of OLE is a security vulnerability unto it
- CVE-2020-18169 · High 7.8 · EPSS 0% · 2 d ago
  A vulnerability in the Windows installer XML (WiX) toolset of TechSmith Snagit 19.1.1.2860 allows attackers to escalate privileges. NOTE: Exploit of the Snagit installer would require the end user to ignore other safety mechanisms provided
- CVE-2026-11296 · High 7.5 · EPSS 0% · 3 d ago
  Inappropriate implementation in ImageCapture in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Lo
- CVE-2026-11616 · High 8.8 · EPSS 0% · 3 d ago
  The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajax_ayi_action() handler only applying strip_tags(esc_sql()) — with no allow-list —
- CVE-2025-54821 · Low 1.9 · EPSS 0% · 3 d ago
  An Improper Privilege Management vulnerability [CWE-269] in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiPAM 1.6.0, FortiPAM
- CVE-2026-11308 · Medium 6.3 · EPSS 0% · 4 d ago
  Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to perform privilege escalation via a crafted Chrome Extension. (Chromium security
- CVE-2026-11295 · High 8.8 · EPSS 0% · 4 d ago
  Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-11423 · — · EPSS 0% · 4 d ago
  A path traversal vulnerability exists in the Altium Enterprise Server Collaboration Service due to improper handling of user-supplied filenames in the MCAD and Simulation file download flows. A regular authenticated user can submit a collab
- CVE-2026-11103 · High 7.8 · EPSS 0% · 4 d ago
  Inappropriate implementation in Installer in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)
- CVE-2026-11108 · High 8.8 · EPSS 0% · 4 d ago
  Inappropriate implementation in NFC in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-44543 · High 8.7 · EPSS 0% · 4 d ago · go
  Local Path Provisioner Vulnerable to HelperPod Template Injection
- CVE-2026-5141 · High 8.8 · EPSS 0% · 6 d ago
  Improper Privilege Management, Improper Access Control, Incorrect privilege assignment vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Hijacking a privileged process. This issue affect
- CVE-2026-11276 · Medium 5.1 · EPSS 0% · 7 d ago
  Inappropriate implementation in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to bypass discretionary access control via malicious network traffic. (Chromium security severity: Low)
- CVE-2018-19608 · Medium 4.7 · EPSS 0% · 7 d ago
  Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a local unprivileged attacker to recover the plaintext of RSA decryption, which is used in RSA-without-(EC)DH(E) cipher suites.
CWE catalog data sourced from MITRE. CVE associations come from NVD weakness mappings; some CVEs carry multiple CWEs.