CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5432 vulnerabilities reference this CWE, most recent first.
GHSA-G3FH-RGMP-4FRG
Vulnerability from github – Published: 2025-09-26 21:30 – Updated: 2025-09-26 21:30In a hardened Docker environment, with Enhanced Container Isolation ( ECI https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isolation/ ) enabled, an administrator can utilize the command restrictions feature https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isolation/config/#command-restrictions to restrict commands that a container with a Docker socket mount may issue on that socket. Due to a software bug, the configuration to restrict commands was ignored when passed to ECI, allowing any command to be executed on the socket. This grants excessive privileges by permitting unrestricted access to powerful Docker commands.
The vulnerability affects only Docker Desktop 4.46.0 users that have ECI enabled and are using the Docker socket command restrictions feature. In addition, since ECI restricts mounting the Docker socket into containers by default, it only affects containers which are explicitly allowed by the administrator to mount the Docker socket.
{
"affected": [],
"aliases": [
"CVE-2025-10657"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-26T21:15:34Z",
"severity": "HIGH"
},
"details": "In a hardened Docker environment, with Enhanced Container Isolation ( ECI https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isolation/ ) enabled, an administrator can utilize the command restrictions feature https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isolation/config/#command-restrictions \u00a0to restrict commands that a container with a Docker socket mount may issue on that socket.\nDue to a software bug, the configuration to restrict commands was ignored when passed to ECI, allowing any command to be executed on the socket. This grants excessive privileges by permitting unrestricted access to powerful Docker commands.\n\nThe vulnerability affects only Docker Desktop 4.46.0 users that have ECI enabled and are using the Docker socket command restrictions feature. In addition, since ECI restricts mounting the Docker socket into containers by default, it only affects containers which are explicitly allowed by the administrator to mount the Docker socket.",
"id": "GHSA-g3fh-rgmp-4frg",
"modified": "2025-09-26T21:30:30Z",
"published": "2025-09-26T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10657"
},
{
"type": "WEB",
"url": "https://docs.docker.com/desktop/release-notes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G3GV-GQ3R-M3M6
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system. This issue affects: Johnson Controls Metasys version 11.0 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2021-27657"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-04T15:15:00Z",
"severity": "HIGH"
},
"details": "Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system. This issue affects: Johnson Controls Metasys version 11.0 and prior versions.",
"id": "GHSA-g3gv-gq3r-m3m6",
"modified": "2022-05-24T19:04:06Z",
"published": "2022-05-24T19:04:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27657"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-159-01"
},
{
"type": "WEB",
"url": "https://us-cert.gov/ics/advisories"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G3JF-H663-MQRX
Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2022-10-19 19:00An attacker can pre-create the /Applications/Google\ Drive.app/Contents/MacOS directory which is expected to be owned by root to be owned by a non-root user. When the Drive for Desktop installer is run for the first time, it will place a binary in that directory with execute permissions and set its setuid bit. Since the attacker owns the directory, the attacker can replace the binary with a symlink, causing the installer to set the setuid bit on the symlink. When the symlink is executed, it will run with root permissions. We recommend upgrading past version 64.0
{
"affected": [],
"aliases": [
"CVE-2022-3421"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-17T20:15:00Z",
"severity": "HIGH"
},
"details": "An attacker can pre-create the `/Applications/Google\\ Drive.app/Contents/MacOS` directory which is expected to be owned by root to be owned by a non-root user. When the Drive for Desktop installer is run for the first time, it will place a binary in that directory with execute permissions and set its setuid bit. Since the attacker owns the directory, the attacker can replace the binary with a symlink, causing the installer to set the setuid bit on the symlink. When the symlink is executed, it will run with root permissions. We recommend upgrading past version 64.0",
"id": "GHSA-g3jf-h663-mqrx",
"modified": "2022-10-19T19:00:18Z",
"published": "2022-10-18T12:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3421"
},
{
"type": "WEB",
"url": "https://support.google.com/a/answer/7577057?hl=en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G3Q9-XF95-8HP5
Vulnerability from github – Published: 2022-10-11 20:48 – Updated: 2025-02-28 21:37Description
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0.0-rc, .NET 6.0, .NET Core 3.1, and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol). This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET 7.0.0-rc.1, .NET 6.0, .NET Core 3.1, and NuGet clients (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol) where a malicious actor could cause a user to execute arbitrary code.
Affected software
NuGet & NuGet Packages
- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.3.0 version or earlier.
- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.2.1 version or earlier.
- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.0.2 version or earlier.
- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.11.2 version or earlier.
- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.9.2 version or earlier.
- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.7.2 version or earlier.
- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 4.9.5 version or earlier.
.NET SDK(s)
- Any .NET 6.0 application running on .NET 6.0.9 or earlier.
- Any .NET 3.1 application running on .NET Core 3.1.29 or earlier.
Patches
To fix the issue, please install the latest version of .NET 6.0 or .NET Core 3.1 and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol versions). If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
-
If you're using NuGet.exe 6.3.0 or lower, you should download and install 6.3.1 from https://dist.nuget.org/win-x86-commandline/v6.3.1/nuget.exe .
-
If you're using NuGet.exe 6.2.1 or lower, you should download and install 6.2.2 from https://dist.nuget.org/win-x86-commandline/v6.2.2/nuget.exe .
-
If you're using NuGet.exe 6.0.2 or lower, you should download and install 6.0.3 from https://dist.nuget.org/win-x86-commandline/v6.0.3/nuget.exe .
-
If you're using NuGet.exe 5.11.2 or lower, you should download and install 5.11.3 from https://dist.nuget.org/win-x86-commandline/v5.11.3/nuget.exe .
-
If you're using NuGet.exe 5.9.2 or lower, you should download and install 5.9.3 from https://dist.nuget.org/win-x86-commandline/v5.9.3/nuget.exe .
-
If you're using NuGet.exe 5.7.2 or lower, you should download and install 5.7.3 from https://dist.nuget.org/win-x86-commandline/v5.7.3/nuget.exe .
-
If you're using NuGet.exe 4.9.5 or lower, you should download and install 4.9.6 from https://dist.nuget.org/win-x86-commandline/v4.9.6/nuget.exe .
-
If you're using .NET Core 6.0, you should download and install Runtime 6.0.10 or SDK 6.0.110 (for Visual Studio 2022 v17.0) or SDK 6.0.402 (for Visual Studio 2022 v17.3) from https://dotnet.microsoft.com/download/dotnet-core/6.0.
-
If you're using .NET Core 3.1, you should download and install Runtime 3.1.30 or SDK 3.1.424 (for Visual Studio 2019 v16.9 or Visual Studio 2019 v16.11 or Visual Studio 2022 v17.0 or Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/3.1.
.NET 6.0 and .NET Core 3.1 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.
Other details
Announcement for this issue can be found at https://github.com/NuGet/Announcements/issues/65
MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41032
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Commands"
},
"ranges": [
{
"events": [
{
"introduced": "4.6.0"
},
{
"fixed": "4.9.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Commands"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.7.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Commands"
},
"ranges": [
{
"events": [
{
"introduced": "5.8.0"
},
{
"fixed": "5.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Commands"
},
"ranges": [
{
"events": [
{
"introduced": "5.10.0"
},
{
"fixed": "5.11.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Commands"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Commands"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "6.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Commands"
},
"ranges": [
{
"events": [
{
"introduced": "6.3.0"
},
{
"fixed": "6.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.CommandLine"
},
"ranges": [
{
"events": [
{
"introduced": "4.6.0"
},
{
"fixed": "4.9.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.CommandLine"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.7.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.CommandLine"
},
"ranges": [
{
"events": [
{
"introduced": "5.8.0"
},
{
"fixed": "5.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.CommandLine"
},
"ranges": [
{
"events": [
{
"introduced": "5.10.0"
},
{
"fixed": "5.11.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.CommandLine"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.CommandLine"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "6.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.CommandLine"
},
"ranges": [
{
"events": [
{
"introduced": "6.3.0"
},
{
"fixed": "6.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Protocol"
},
"ranges": [
{
"events": [
{
"introduced": "4.6.0"
},
{
"fixed": "4.9.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Protocol"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.7.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Protocol"
},
"ranges": [
{
"events": [
{
"introduced": "5.8.0"
},
{
"fixed": "5.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Protocol"
},
"ranges": [
{
"events": [
{
"introduced": "5.10.0"
},
{
"fixed": "5.11.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Protocol"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Protocol"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "6.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "NuGet.Protocol"
},
"ranges": [
{
"events": [
{
"introduced": "6.3.0"
},
{
"fixed": "6.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41032"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-11T20:48:52Z",
"nvd_published_at": "2022-10-11T19:15:00Z",
"severity": "HIGH"
},
"details": "## Description\n\nMicrosoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0.0-rc, .NET 6.0, .NET Core 3.1, and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol). This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.\n\nA vulnerability exists in .NET 7.0.0-rc.1, .NET 6.0, .NET Core 3.1, and NuGet clients (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol) where a malicious actor could cause a user to execute arbitrary code.\n\n## Affected software\n\n### NuGet \u0026 NuGet Packages\n\n- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.3.0 version or earlier.\n- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.2.1 version or earlier.\n- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.0.2 version or earlier.\n- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.11.2 version or earlier.\n- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.9.2 version or earlier.\n- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.7.2 version or earlier.\n- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 4.9.5 version or earlier.\n\n### .NET SDK(s)\n\n- Any .NET 6.0 application running on .NET 6.0.9 or earlier.\n- Any .NET 3.1 application running on .NET Core 3.1.29 or earlier.\n\n## Patches\n\nTo fix the issue, please install the latest version of .NET 6.0 or .NET Core 3.1 and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol versions). If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.\n\n- If you\u0027re using NuGet.exe 6.3.0 or lower, you should download and install 6.3.1 from https://dist.nuget.org/win-x86-commandline/v6.3.1/nuget.exe .\n\n- If you\u0027re using NuGet.exe 6.2.1 or lower, you should download and install 6.2.2 from https://dist.nuget.org/win-x86-commandline/v6.2.2/nuget.exe .\n\n- If you\u0027re using NuGet.exe 6.0.2 or lower, you should download and install 6.0.3 from https://dist.nuget.org/win-x86-commandline/v6.0.3/nuget.exe .\n\n- If you\u0027re using NuGet.exe 5.11.2 or lower, you should download and install 5.11.3 from https://dist.nuget.org/win-x86-commandline/v5.11.3/nuget.exe .\n\n- If you\u0027re using NuGet.exe 5.9.2 or lower, you should download and install 5.9.3 from https://dist.nuget.org/win-x86-commandline/v5.9.3/nuget.exe .\n\n- If you\u0027re using NuGet.exe 5.7.2 or lower, you should download and install 5.7.3 from https://dist.nuget.org/win-x86-commandline/v5.7.3/nuget.exe .\n\n- If you\u0027re using NuGet.exe 4.9.5 or lower, you should download and install 4.9.6 from https://dist.nuget.org/win-x86-commandline/v4.9.6/nuget.exe .\n\n- If you\u0027re using .NET Core 6.0, you should download and install Runtime 6.0.10 or SDK 6.0.110 (for Visual Studio 2022 v17.0) or SDK 6.0.402 (for Visual Studio 2022 v17.3) from https://dotnet.microsoft.com/download/dotnet-core/6.0.\n\n- If you\u0027re using .NET Core 3.1, you should download and install Runtime 3.1.30 or SDK 3.1.424 (for Visual Studio 2019 v16.9 or Visual Studio 2019 v16.11 or Visual Studio 2022 v17.0 or Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/3.1.\n\n.NET 6.0 and .NET Core 3.1 updates are also available from Microsoft Update. To access this either type \"Check for updates\" in your Windows search, or open Settings, choose Update \u0026 Security and then click Check for Updates.\n\n## Other details\n\nAnnouncement for this issue can be found at https://github.com/NuGet/Announcements/issues/65\n\nMSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41032",
"id": "GHSA-g3q9-xf95-8hp5",
"modified": "2025-02-28T21:37:16Z",
"published": "2022-10-11T20:48:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NuGet/NuGet.Client/security/advisories/GHSA-g3q9-xf95-8hp5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41032"
},
{
"type": "WEB",
"url": "https://github.com/NuGet/Announcements/issues/65"
},
{
"type": "WEB",
"url": "https://github.com/NuGet/NuGet.Client/commit/6392863cf83f4870e18f1d02f2463cca633e59ed"
},
{
"type": "PACKAGE",
"url": "https://github.com/NuGet/NuGet.Client"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOG35Z5RL5W5RGLLYLN46CI4D2UPDSWM"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDPT2MJC3HD7HYZGASOOX6MTDR4ASBL5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X7BMHO5ITRBZREVTEKHQRGSFRPDMALV3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FOG35Z5RL5W5RGLLYLN46CI4D2UPDSWM"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HDPT2MJC3HD7HYZGASOOX6MTDR4ASBL5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X7BMHO5ITRBZREVTEKHQRGSFRPDMALV3"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41032"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41032"
},
{
"type": "WEB",
"url": "https://www.edwardthomson.com/blog/my-first-cve.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "NuGet Elevation of Privilege Vulnerability"
}
GHSA-G3QJ-JQCF-JG78
Vulnerability from github – Published: 2026-05-15 09:31 – Updated: 2026-05-15 09:31The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 3.28.36. This is due to insufficient authorization checks in the role field update mechanism combined with overly permissive capabilities for the admin_form post type. The admin_form custom post type uses 'capability_type' => 'page', which grants editors the ability to create and edit forms. When an editor creates an edit_user form, they can manipulate the form configuration to include 'administrator' in the role_options array by directly submitting POST data to wp-admin/post.php, bypassing the UI restrictions in feadmin_get_user_roles(). When the form is subsequently submitted, the pre_update_value() function in class-role.php only validates that the submitted role exists in the form's role_options array (lines 107-110), but fails to verify that the current user has permission to assign that specific role. This makes it possible for unauthenticated attackers to first register as editors (via a public new_user form), then create an edit_user form with administrator in the allowed roles, and finally use that form to escalate their own privileges to administrator.
{
"affected": [],
"aliases": [
"CVE-2026-6228"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-15T09:16:16Z",
"severity": "HIGH"
},
"details": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 3.28.36. This is due to insufficient authorization checks in the role field update mechanism combined with overly permissive capabilities for the admin_form post type. The admin_form custom post type uses \u0027capability_type\u0027 =\u003e \u0027page\u0027, which grants editors the ability to create and edit forms. When an editor creates an edit_user form, they can manipulate the form configuration to include \u0027administrator\u0027 in the role_options array by directly submitting POST data to wp-admin/post.php, bypassing the UI restrictions in feadmin_get_user_roles(). When the form is subsequently submitted, the pre_update_value() function in class-role.php only validates that the submitted role exists in the form\u0027s role_options array (lines 107-110), but fails to verify that the current user has permission to assign that specific role. This makes it possible for unauthenticated attackers to first register as editors (via a public new_user form), then create an edit_user form with administrator in the allowed roles, and finally use that form to escalate their own privileges to administrator.",
"id": "GHSA-g3qj-jqcf-jg78",
"modified": "2026-05-15T09:31:32Z",
"published": "2026-05-15T09:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6228"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/admin/admin-pages/forms/post-types.php#L53"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/frontend/fields/user/class-role.php#L113"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/frontend/forms/actions/user.php#L517"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3519460"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/083accd0-8338-47c6-b396-96679b95dd40?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G3RC-3G7J-G4VG
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10In SurfaceFlinger, it is possible to override UI confirmation screen protected by the TEE. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-143128911
{
"affected": [],
"aliases": [
"CVE-2020-0063"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-10T21:15:00Z",
"severity": "MODERATE"
},
"details": "In SurfaceFlinger, it is possible to override UI confirmation screen protected by the TEE. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-143128911",
"id": "GHSA-g3rc-3g7j-g4vg",
"modified": "2022-05-24T17:10:42Z",
"published": "2022-05-24T17:10:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0063"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2020-03-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G3RH-644P-2XQV
Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2024-01-04 03:30An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Backup Engine Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1535, CVE-2020-1536, CVE-2020-1539, CVE-2020-1540, CVE-2020-1542, CVE-2020-1543, CVE-2020-1544, CVE-2020-1545, CVE-2020-1546, CVE-2020-1547, CVE-2020-1551.
{
"affected": [],
"aliases": [
"CVE-2020-1541"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-17T19:15:00Z",
"severity": "MODERATE"
},
"details": "An elevation of privilege vulnerability exists when the Windows Backup Engine improperly handles memory.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka \u0027Windows Backup Engine Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-1535, CVE-2020-1536, CVE-2020-1539, CVE-2020-1540, CVE-2020-1542, CVE-2020-1543, CVE-2020-1544, CVE-2020-1545, CVE-2020-1546, CVE-2020-1547, CVE-2020-1551.",
"id": "GHSA-g3rh-644p-2xqv",
"modified": "2024-01-04T03:30:35Z",
"published": "2022-05-24T17:25:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1541"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1541"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G3RR-CH2X-42V4
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-07-13 00:00In onCreateOptionsMenu of WifiNetworkDetailsFragment.java, there is a possible way for guest users to view and modify Wi-Fi settings for all configured APs due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-177573895
{
"affected": [],
"aliases": [
"CVE-2021-0602"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-14T14:15:00Z",
"severity": "HIGH"
},
"details": "In onCreateOptionsMenu of WifiNetworkDetailsFragment.java, there is a possible way for guest users to view and modify Wi-Fi settings for all configured APs due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-177573895",
"id": "GHSA-g3rr-ch2x-42v4",
"modified": "2022-07-13T00:00:59Z",
"published": "2022-05-24T19:07:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0602"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-07-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G464-39XH-J4RF
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-10-26 12:00A logic issue was addressed with improved restrictions. This issue is fixed in iOS 14.5 and iPadOS 14.5, tvOS 14.5. A local user may be able to create or modify privileged files.
{
"affected": [],
"aliases": [
"CVE-2021-1836"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T15:15:00Z",
"severity": "MODERATE"
},
"details": "A logic issue was addressed with improved restrictions. This issue is fixed in iOS 14.5 and iPadOS 14.5, tvOS 14.5. A local user may be able to create or modify privileged files.",
"id": "GHSA-g464-39xh-j4rf",
"modified": "2022-10-26T12:00:38Z",
"published": "2022-05-24T19:13:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1836"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212317"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212323"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G467-J8JP-RQ97
Vulnerability from github – Published: 2023-08-24 03:30 – Updated: 2025-11-04 18:30A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') run arbitrary code, outside of the limits defined in a policy.json file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
{
"affected": [],
"aliases": [
"CVE-2023-32559"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-24T02:15:09Z",
"severity": "HIGH"
},
"details": "A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding(\u0027spawn_sync\u0027)` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.",
"id": "GHSA-g467-j8jp-rq97",
"modified": "2025-11-04T18:30:43Z",
"published": "2023-08-24T03:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32559"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1946470"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231006-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.