CWE-250
Execution with Unnecessary Privileges
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
CVE-2026-23742 (GCVE-0-2026-23742)
Vulnerability from cvelistv5 – Published: 2026-01-16 20:07 – Updated: 2026-01-16 20:24
VLAI
Title
Skipper arbitrary code execution through lua filters
Summary
Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0.
Severity
8.8 (High)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/zalando/skipper/security/advis… | x_refsource_CONFIRM |
| https://github.com/zalando/skipper/commit/0b52894… | x_refsource_MISC |
| https://github.com/zalando/skipper/releases/tag/v0.23.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-16T20:22:53.499072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T20:24:12.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "skipper",
"vendor": "zalando",
"versions": [
{
"status": "affected",
"version": "\u003c 0.23.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250: Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T20:07:46.746Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g"
},
{
"name": "https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714"
},
{
"name": "https://github.com/zalando/skipper/releases/tag/v0.23.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zalando/skipper/releases/tag/v0.23.0"
}
],
"source": {
"advisory": "GHSA-cc8m-98fm-rc9g",
"discovery": "UNKNOWN"
},
"title": "Skipper arbitrary code execution through lua filters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23742",
"datePublished": "2026-01-16T20:07:46.746Z",
"dateReserved": "2026-01-15T15:45:01.958Z",
"dateUpdated": "2026-01-16T20:24:12.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25643 (GCVE-0-2026-25643)
Vulnerability from cvelistv5 – Published: 2026-02-06 19:16 – Updated: 2026-02-06 20:24
VLAI
Title
Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape
Summary
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.
Severity
9.1 (Critical)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/blakeblackshear/frigate/securi… | x_refsource_CONFIRM |
| https://github.com/blakeblackshear/frigate/releas… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| blakeblackshear | frigate |
Affected:
< 0.16.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25643",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-06T20:24:30.544006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T20:24:33.963Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frigate",
"vendor": "blakeblackshear",
"versions": [
{
"status": "affected",
"version": "\u003c 0.16.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250: Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668: Exposure of Resource to Wrong Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T19:16:26.005Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x"
},
{
"name": "https://github.com/blakeblackshear/frigate/releases/tag/v0.16.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blakeblackshear/frigate/releases/tag/v0.16.4"
}
],
"source": {
"advisory": "GHSA-4c97-5jmr-8f6x",
"discovery": "UNKNOWN"
},
"title": "Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25643",
"datePublished": "2026-02-06T19:16:26.005Z",
"dateReserved": "2026-02-04T05:15:41.791Z",
"dateUpdated": "2026-02-06T20:24:33.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25710 (GCVE-0-2026-25710)
Vulnerability from cvelistv5 – Published: 2026-05-13 08:44 – Updated: 2026-05-13 10:48
VLAI
Summary
The new upstream added a privileged D-Bus
helper called plasmaloginauthhelper, which suffers from multiple issues, e.g.aA compromised plasmalogin service account can chown() arbitrary files in the system.
Severity
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| KDE | plasma-login-manager |
Affected:
0 , < ?
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-13T09:04:49.938Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/27/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25710",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T10:42:19.802396Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T10:48:34.575Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "plasma-login-manager",
"product": "plasma-login-manager",
"vendor": "KDE",
"versions": [
{
"lessThan": "?",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthias Gerstner of SUSE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The new upstream added a \u003ca href=\"https://invent.kde.org/plasma/plasma-login-manager/-/blob/v6.6.2/src/frontend/kcm/auth/plasmaloginauthhelper.cpp?ref_type=tags\"\u003eprivileged D-Bus\nhelper\u003c/a\u003e called \u003ccode\u003eplasmaloginauthhelper\u003c/code\u003e, which suffers from multiple issues, e.g.aA compromised \u003ccode\u003eplasmalogin\u003c/code\u003e service account can \u003ccode\u003echown()\u003c/code\u003e\u0026nbsp;arbitrary files in the system."
}
],
"value": "The new upstream added a privileged D-Bus\nhelper called plasmaloginauthhelper, which suffers from multiple issues, e.g.aA compromised plasmalogin service account can chown()\u00a0arbitrary files in the system."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250: Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T08:44:00.951Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"url": "https://security.opensuse.org/2026/04/27/plasma-login-manager.html#6-upstream-bugfix"
},
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-25710"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2026-25710",
"datePublished": "2026-05-13T08:44:00.951Z",
"dateReserved": "2026-02-05T15:37:24.184Z",
"dateUpdated": "2026-05-13T10:48:34.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25740 (GCVE-0-2026-25740)
Vulnerability from cvelistv5 – Published: 2026-02-09 20:17 – Updated: 2026-02-10 15:59
VLAI
Title
Privilege escalation to the `CAP_NET_RAW` capability via the `programs.captive-browser` NixOS module
Summary
captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings. In 25.05 and earlier, when programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAP_NET_RAW capability (binding to privileged ports, spoofing localhost traffic from privileged services...). This vulnerability is fixed in 25.11 and 26.05.
Severity
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/NixOS/nixpkgs/security/advisor… | x_refsource_CONFIRM |
| https://github.com/NixOS/nixpkgs/pull/487775 | x_refsource_MISC |
| https://github.com/NixOS/nixpkgs/pull/487779 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T15:30:17.008038Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T15:59:39.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nixpkgs",
"vendor": "NixOS",
"versions": [
{
"status": "affected",
"version": "\u003c= 25.05"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings. In 25.05 and earlier, when programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAP_NET_RAW capability (binding to privileged ports, spoofing localhost traffic from privileged services...). This vulnerability is fixed in 25.11 and 26.05."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250: Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T20:17:16.777Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc"
},
{
"name": "https://github.com/NixOS/nixpkgs/pull/487775",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NixOS/nixpkgs/pull/487775"
},
{
"name": "https://github.com/NixOS/nixpkgs/pull/487779",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NixOS/nixpkgs/pull/487779"
}
],
"source": {
"advisory": "GHSA-wc3r-c66x-8xmc",
"discovery": "UNKNOWN"
},
"title": "Privilege escalation to the `CAP_NET_RAW` capability via the `programs.captive-browser` NixOS module"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25740",
"datePublished": "2026-02-09T20:17:16.777Z",
"dateReserved": "2026-02-05T16:48:00.428Z",
"dateUpdated": "2026-02-10T15:59:39.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25908 (GCVE-0-2026-25908)
Vulnerability from cvelistv5 – Published: 2026-04-27 18:10 – Updated: 2026-04-28 12:44
VLAI
Summary
Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain an Execution with Unnecessary Privileges vulnerability in the AWCC. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.
Severity
6.7 (Medium)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00045101… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | Alienware Command Center (AWCC) |
Affected:
0 , < 6.13.8.0
(semver)
|
Date Public
2026-04-27 17:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25908",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T03:55:32.155815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T12:44:15.113Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Alienware Command Center (AWCC)",
"vendor": "Dell",
"versions": [
{
"lessThan": "6.13.8.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dell would like to thank Ouallaout Noureddine for reporting this issue."
}
],
"datePublic": "2026-04-27T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain an Execution with Unnecessary Privileges vulnerability in the AWCC. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges."
}
],
"value": "Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain an Execution with Unnecessary Privileges vulnerability in the AWCC. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250: Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T18:10:27.719Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2026-25908",
"datePublished": "2026-04-27T18:10:27.719Z",
"dateReserved": "2026-02-08T18:05:27.450Z",
"dateUpdated": "2026-04-28T12:44:15.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27002 (GCVE-0-2026-27002)
Vulnerability from cvelistv5 – Published: 2026-02-19 23:12 – Updated: 2026-02-20 15:38
VLAI
Title
OpenClaw: Docker container escape via unvalidated bind mount config injection
Summary
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access. OpenClaw 2026.2.15 blocks dangerous sandbox Docker settings and includes runtime enforcement when building `docker create` args; config-schema validation for `network=host`, `seccompProfile=unconfined`, `apparmorProfile=unconfined`; and security audit findings to surface dangerous sandbox docker config. As a workaround, do not configure `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths, keep `agents.*.sandbox.docker.network` at `none` (default) or `bridge`, and do not use `unconfined` for seccomp/AppArmor profiles.
Severity
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | x_refsource_CONFIRM |
| https://github.com/openclaw/openclaw/commit/887b2… | x_refsource_MISC |
| https://github.com/openclaw/openclaw/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27002",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T15:29:30.534091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T15:38:01.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openclaw",
"vendor": "openclaw",
"versions": [
{
"status": "affected",
"version": "\u003c 2026.2.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access. OpenClaw 2026.2.15 blocks dangerous sandbox Docker settings and includes runtime enforcement when building `docker create` args; config-schema validation for `network=host`, `seccompProfile=unconfined`, `apparmorProfile=unconfined`; and security audit findings to surface dangerous sandbox docker config. As a workaround, do not configure `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths, keep `agents.*.sandbox.docker.network` at `none` (default) or `bridge`, and do not use `unconfined` for seccomp/AppArmor profiles."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250: Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T23:12:17.481Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w235-x559-36mg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w235-x559-36mg"
},
{
"name": "https://github.com/openclaw/openclaw/commit/887b209db47f1f9322fead241a1c0b043fd38339",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openclaw/openclaw/commit/887b209db47f1f9322fead241a1c0b043fd38339"
},
{
"name": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"
}
],
"source": {
"advisory": "GHSA-w235-x559-36mg",
"discovery": "UNKNOWN"
},
"title": "OpenClaw: Docker container escape via unvalidated bind mount config injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27002",
"datePublished": "2026-02-19T23:12:17.481Z",
"dateReserved": "2026-02-17T03:08:23.488Z",
"dateUpdated": "2026-02-20T15:38:01.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27208 (GCVE-0-2026-27208)
Vulnerability from cvelistv5 – Published: 2026-02-24 13:52 – Updated: 2026-02-27 20:50
VLAI
Title
api-gateway-deploy Affected by Exploitable Command Injection via Unprivileged Root Execution
Summary
bleon-ethical/api-gateway-deploy provides API gateway deployment. Version 1.0.0 is vulnerable to an attack chain involving OS Command Injection and Privilege Escalation. This allows an attacker to execute arbitrary commands with root privileges within the container, potentially leading to a container escape and unauthorized infrastructure modifications. This is fixed in version 1.0.1 by implementing strict input sanitization and secure delimiters in entrypoint.sh, enforcing a non-root user (appuser) in the Dockerfile, and establishing mandatory security quality gates.
Severity
9.2 (Critical)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/bleon-ethical/api-gateway-depl… | x_refsource_CONFIRM |
| https://github.com/bleon-ethical/api-gateway-depl… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bleon-ethical | api-gateway-deploy |
Affected:
= 1.0.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27208",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T20:50:08.820202Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T20:50:16.436Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "api-gateway-deploy",
"vendor": "bleon-ethical",
"versions": [
{
"status": "affected",
"version": "= 1.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "bleon-ethical/api-gateway-deploy provides API gateway deployment. Version 1.0.0 is vulnerable to an attack chain involving OS Command Injection and Privilege Escalation. This allows an attacker to execute arbitrary commands with root privileges within the container, potentially leading to a container escape and unauthorized infrastructure modifications. This is fixed in version 1.0.1 by implementing strict input sanitization and secure delimiters in entrypoint.sh, enforcing a non-root user (appuser) in the Dockerfile, and establishing mandatory security quality gates."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250: Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T13:52:43.155Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bleon-ethical/api-gateway-deploy/security/advisories/GHSA-chh5-w73q-4gmm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bleon-ethical/api-gateway-deploy/security/advisories/GHSA-chh5-w73q-4gmm"
},
{
"name": "https://github.com/bleon-ethical/api-gateway-deploy/releases/tag/Security",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bleon-ethical/api-gateway-deploy/releases/tag/Security"
}
],
"source": {
"advisory": "GHSA-chh5-w73q-4gmm",
"discovery": "UNKNOWN"
},
"title": "api-gateway-deploy Affected by Exploitable Command Injection via Unprivileged Root Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27208",
"datePublished": "2026-02-24T13:52:43.155Z",
"dateReserved": "2026-02-18T19:47:02.156Z",
"dateUpdated": "2026-02-27T20:50:16.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29205 (GCVE-0-2026-29205)
Vulnerability from cvelistv5 – Published: 2026-05-13 22:06 – Updated: 2026-05-14 13:13
VLAI
Summary
Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.
Severity
8.6 (High)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.10
(semver)
Affected: 11.134.0.0 , < 11.134.0.26 (semver) Affected: 11.132.0.0 , < 11.132.0.32 (semver) Affected: 11.130.0.0 , < 11.130.0.23 (semver) Affected: 11.126.0.0 , < 11.126.0.59 (semver) Affected: 11.120.0.0 , < 11.124.0.38 (semver) |
|
| WebPros | WP Squared |
Affected:
11.120.1.0 , < 11.136.1.12
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:13:34.728020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:13:52.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.23",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.59",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.38",
"status": "affected",
"version": "11.120.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.120.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:06:04.220Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437020299927-Security-CVE-2026-29205-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29205",
"datePublished": "2026-05-13T22:06:04.220Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-14T13:13:52.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30225 (GCVE-0-2026-30225)
Vulnerability from cvelistv5 – Published: 2026-03-06 21:03 – Updated: 2026-03-09 20:54
VLAI
Title
OliveTin: RestartAction always runs actions as guest
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authentication context confusion vulnerability in RestartAction allows a low‑privileged authenticated user to execute actions they are not permitted to run. RestartAction constructs a new internal connect.Request without preserving the original caller’s authentication headers or cookies. When this synthetic request is passed to StartAction, the authentication resolver falls back to the guest user. If the guest account has broader permissions than the authenticated caller, this results in privilege escalation and unauthorized command execution. This vulnerability allows a low‑privileged authenticated user to bypass ACL restrictions and execute arbitrary configured shell actions. This issue has been patched in version 3000.11.1.
Severity
5.3 (Medium)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/OliveTin/OliveTin/security/adv… | x_refsource_CONFIRM |
| https://github.com/OliveTin/OliveTin/commit/cb46a… | x_refsource_MISC |
| https://github.com/OliveTin/OliveTin/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30225",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:49:02.628432Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:29.579Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authentication context confusion vulnerability in RestartAction allows a low\u2011privileged authenticated user to execute actions they are not permitted to run. RestartAction constructs a new internal connect.Request without preserving the original caller\u2019s authentication headers or cookies. When this synthetic request is passed to StartAction, the authentication resolver falls back to the guest user. If the guest account has broader permissions than the authenticated caller, this results in privilege escalation and unauthorized command execution. This vulnerability allows a low\u2011privileged authenticated user to bypass ACL restrictions and execute arbitrary configured shell actions. This issue has been patched in version 3000.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-441",
"description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250: Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:03:55.994Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-p443-p7w5-2f7f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-p443-p7w5-2f7f"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/cb46a597b2465235839ed58cf034b5e7b70ef911",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/cb46a597b2465235839ed58cf034b5e7b70ef911"
},
{
"name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
}
],
"source": {
"advisory": "GHSA-p443-p7w5-2f7f",
"discovery": "UNKNOWN"
},
"title": "OliveTin: RestartAction always runs actions as guest"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30225",
"datePublished": "2026-03-06T21:03:55.994Z",
"dateReserved": "2026-03-04T17:23:59.797Z",
"dateUpdated": "2026-03-09T20:54:29.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32643 (GCVE-0-2026-32643)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-14 03:56
VLAI
Title
BIG-IP and BIG-IQ privilege escalation vulnerability
Summary
A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000160972 | vendor-advisorypatch |
Impacted products
Date Public
2026-05-13 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32643",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T03:56:15.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"All Modules"
],
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "21.1.0",
"versionType": "custom"
},
{
"lessThan": "21.0.0.2",
"status": "affected",
"version": "21.0.0",
"versionType": "custom"
},
{
"lessThan": "17.5.1.6",
"status": "affected",
"version": "17.5.0",
"versionType": "custom"
},
{
"lessThan": "17.1.3.2",
"status": "affected",
"version": "17.1.0",
"versionType": "custom"
},
{
"lessThan": "*",
"status": "affected",
"version": "16.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "BIG-IQ",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "8.4.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2026-05-13T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\u003cbr\u003e"
}
],
"value": "A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Appliance Mode"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:12:40.580Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://my.f5.com/manage/s/article/K000160972"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BIG-IP and BIG-IQ privilege escalation vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-32643",
"datePublished": "2026-05-13T14:12:40.580Z",
"dateReserved": "2026-04-30T23:04:20.024Z",
"dateUpdated": "2026-05-14T03:56:15.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-17
Phases: Architecture and Design, Operation
Strategy: Environment Hardening
Description:
- Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation ID: MIT-18
Phase: Architecture and Design
Strategy: Separation of Privilege
Description:
- Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.
Mitigation ID: MIT-18
Phase: Architecture and Design
Strategy: Attack Surface Reduction
Description:
- Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.
Mitigation
Phase: Implementation
Description:
- Perform extensive input validation for any privileged code that must be exposed to the user and reject anything that does not fit your strict requirements.
Mitigation ID: MIT-19
Phase: Implementation
Description:
- When dropping privileges, ensure that they have been dropped successfully to avoid CWE-273. As protection mechanisms in the environment get stronger, privilege-dropping calls may fail even if it seems like they would always succeed.
Mitigation
Phase: Implementation
Description:
- If circumstances force you to run with extra privileges, then determine the minimum access level necessary. First identify the different permissions that the software and its users will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else [REF-76]. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. This mitigation is much more prone to error than dropping the privileges in the first place.
Mitigation ID: MIT-37
Phases: Operation, System Configuration
Strategy: Environment Hardening
Description:
- Ensure that the software runs properly under the United States Government Configuration Baseline (USGCB) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software.
CAPEC-104: Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.
CAPEC-470: Expanding Control over the Operating System from the Database
An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
CAPEC-69: Target Programs with Elevated Privileges
This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.