CWE-269: Improper Privilege Management — known CVE vulnerabilities
CVEs classified under CWE-269 (Improper Privilege Management), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-31852 — CVSS 10.0 (critical): Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary…
CVE-2025-20282 — CVSS 10.0 (critical): A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files…
CVE-2025-0505 — CVSS 10.0 (critical): On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain admin privileges on…
CVE-2023-48418 — CVSS 10.0 (critical): In checkDebuggingDisallowed of DeviceVersionFragment.java, there is a possible way to access adb before SUW completion due to an insecure…
CVE-2023-48419 — CVSS 10.0 (critical): An attacker in the wifi vicinity of a target Google Home can spy on the victim, resulting in Elevation of Privilege
CVE-2023-31273 — CVSS 10.0 (critical): Protection mechanism failure in some Intel DCM software before version 5.2 may allow an unauthenticated user to potentially enable…
CVE-2022-1517 — CVSS 10.0 (critical): LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level…
CVE-2021-39168 — CVSS 10.0 (critical): OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with…
CVE-2021-39167 — CVSS 10.0 (critical): OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with…
CVE-2021-1388 — CVSS 10.0 (critical): A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an…
CVE-2020-36155 — CVSS 10.0 (critical): An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Meta…
CVE-2018-4310 — CVSS 10.0 (critical): An access issue was addressed with additional sandbox restrictions. This issue affected versions prior to iOS 12, macOS Mojave 10.14.
CVE-2026-58053 — CVSS 9.9 (critical): Gitea act_runner with the Docker backend (through act 0.262.0) passes a workflow's container.options string to the Docker job container's…
CVE-2026-46964 — CVSS 9.9 (critical): Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration)…
CVE-2026-46933 — CVSS 9.9 (critical): Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: Internal Operations). Supported versions…
CVE-2026-46901 — CVSS 9.9 (critical): Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions…
CVE-2026-46900 — CVSS 9.9 (critical): Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions…
CVE-2026-46895 — CVSS 9.9 (critical): Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions…
CVE-2026-46893 — CVSS 9.9 (critical): Vulnerability in the JD Edwards EnterpriseOne General Ledger product of Oracle JD Edwards (component: E1 Foundation). The supported version…
CVE-2026-46852 — CVSS 9.9 (critical): Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported…
CVE-2026-46794 — CVSS 9.9 (critical): Vulnerability in the Identity Manager Connector product of Oracle Fusion Middleware (component: Generic Unix Connector). Supported versions…
CVE-2026-50564 — CVSS 9.9 (critical): Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on…
CVE-2026-50563 — CVSS 9.9 (critical): Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on…
CVE-2026-50545 — CVSS 9.9 (critical): Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on…
CVE-2026-47744 — CVSS 9.9 (critical): Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any…
CVE-2026-46824 — CVSS 9.9 (critical): Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration)…
CVE-2026-30269 — CVSS 9.9 (critical): Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin…
CVE-2026-22039 — CVSS 9.9 (critical): Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical…
CVE-2025-67781 — CVSS 9.9 (critical): An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Local unprivileged users can…
CVE-2025-55187 — CVSS 9.9 (critical): In DriveLock 24.1.4 before 24.1.5, 24.2.5 before 24.2.6, and 25.1.2 before 25.1.4, attackers can gain elevated privileges.
CVE-2024-45496 — CVSS 9.9 (critical): A flaw was found in OpenShift. This issue occurs due to the misuse of elevated privileges in the OpenShift Container Platform's build…
CVE-2024-33226 — CVSS 9.9 (critical): An issue in the component Access64.sys of Wistron Corporation TBT Force Power Control v1.0.0.0 allows attackers to escalate privileges and…
CVE-2024-24830 — CVSS 9.9 (critical): OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A…
CVE-2023-34465 — CVSS 9.9 (critical): XWiki Platform is a generic wiki platform. Starting in version 11.8-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.2, `Mail.MailConfig`…
CVE-2023-22651 — CVSS 9.9 (critical): Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's…
CVE-2023-26475 — CVSS 9.9 (critical): XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a…
CVE-2022-2104 — CVSS 9.9 (critical): The www-data (Apache web server) account is configured to run sudo with no password for many commands (including /bin/sh and /bin/bash).
CVE-2021-36302 — CVSS 9.9 (critical): All Dell EMC Integrated System for Microsoft Azure Stack Hub versions contain a privilege escalation vulnerability. A remote malicious user…
CVE-2021-34810 — CVSS 9.9 (critical): Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remote authenticated…
CVE-2020-36156 — CVSS 9.9 (critical): An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Authenticated Privilege Escalation via Profile…
CVE-2020-27133 — CVSS 9.9 (critical): Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute…
CVE-2020-27132 — CVSS 9.9 (critical): Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute…
CVE-2020-27127 — CVSS 9.9 (critical): Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute…
CVE-2019-10940 — CVSS 9.9 (critical): A vulnerability has been identified in SINEMA Server (All versions < V14.0 SP2 Update 1). Incorrect session validation could allow an…
CVE-2026-12415 — CVSS 9.8 (critical): The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the…
CVE-2025-6254 — CVSS 9.8 (critical): The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.6.8. This is due to…
CVE-2026-8206 — CVSS 9.8 (critical): The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account…
CVE-2026-8809 — CVSS 9.8 (critical): The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to…
CVE-2026-46817 — CVSS 9.8 (critical): Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are…
CVE-2026-5118 — CVSS 9.8 (critical): The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to…