Total: 1433 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-69604 | | | 2026-02-03 | N/A | 7.8 HIGH |
| An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allows a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls. | | | | | |
| CVE-2025-20984 | 1 Samsung | 11 Galaxy Watch, Galaxy Watch 4, Galaxy Watch 4 Classic and 8 more | 2026-02-02 | N/A | 6.8 MEDIUM |
| Incorrect default permission in Samsung Cloud for Galaxy Watch prior to SMR Jun-2025 Release 1 allows local attackers to access data in Samsung Cloud for Galaxy Watch. | |||||
| CVE-2025-20910 | 1 Samsung | 11 Galaxy Watch, Galaxy Watch 4, Galaxy Watch 4 Classic and 8 more | 2026-02-02 | N/A | 6.2 MEDIUM |
| Incorrect default permission in Galaxy Watch Gallery prior to SMR Mar-2025 Release 1 allows local attackers to access data in Galaxy Watch Gallery. | |||||
| CVE-2025-8485 | 1 Lenovo | 1 App Store | 2026-02-02 | N/A | 7.3 HIGH |
| An improper permissions vulnerability was reported in Lenovo App Store that could allow a local authenticated user to execute code with elevated privileges during installation of an application. | |||||
| CVE-2025-2502 | 1 Lenovo | 1 Pcmanager | 2026-02-02 | N/A | 7.8 HIGH |
| An improper default permissions vulnerability was reported in Lenovo PC Manager that could allow a local attacker to elevate privileges. | |||||
| CVE-2024-55930 | 1 Xerox | 1 Workplace Suite | 2026-01-30 | N/A | 6.7 MEDIUM |
| Xerox Workplace Suite has weak default folder permissions that allow unauthorized users to access, modify, or delete files. | | | | | |
| CVE-2024-27674 | 1 Macro-expert | 1 Macro Expert | 2026-01-30 | N/A | 7.8 HIGH |
| Macro Expert through 4.9.4 allows BUILTIN\Users:(OI)(CI)(M) access to the "%PROGRAMFILES(X86)%\GrassSoft\Macro Expert" folder and thus an unprivileged user can escalate to SYSTEM by replacing the MacroService.exe binary. | |||||
| CVE-2025-27926 | 1 Nintex | 1 Automation | 2026-01-29 | N/A | 4.3 MEDIUM |
| In Nintex Automation 5.6 and 5.7 before 5.8, the K2 SmartForms Designer folder has configuration files (web.config) containing passwords that are readable by unauthorized users. | |||||
| CVE-2026-24414 | | | 2026-01-29 | N/A | N/A |
| The Icinga PowerShell Framework provides configuration and check possibilities to ensure integration and monitoring of Windows environments. In versions prior to 1.13.4, 1.12.4, and 1.11.2, permissions of the Icinga for Windows `certificate` directory grant every user read access, which results in the exposure of the private key of the Icinga certificate for the given host. All installations are affected. Versions 1.13.4, 1.12.4, and 1.11.2 contain a patch. Please note that upgrading to a fixed version of Icinga for Windows will also automatically fix a similar issue present in Icinga 2, CVE-2026-24413. As a workaround, the permissions can be restricted manually by updating the ACL for the given folder `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` (and `C:\ProgramData\icinga2\var` to fix the issue for the Icinga 2 agent as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access. | | | | | |
| CVE-2026-24780 | | | 2026-01-29 | N/A | N/A |
| AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix. | |||||
| CVE-2026-24413 | | | 2026-01-29 | N/A | N/A |
| Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contain a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These versions will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access. | | | | | |
| CVE-2025-67230 | 1 Todesktop | 1 Builder | 2026-01-29 | N/A | 7.1 HIGH |
| Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0.33.0 allows attackers with renderer-context access to invoke external protocol handlers without sufficient validation. | |||||
| CVE-2026-0705 | | | 2026-01-29 | N/A | 6.7 MEDIUM |
| Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cloud Manager (Windows) before build 6.4.25342.354. | |||||
| CVE-2025-13905 | | | 2026-01-29 | N/A | N/A |
| CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation through the reverse shell when one or more executable service binaries are modified in the installation folder by a local user with normal privilege upon service restart. | |||||
| CVE-2025-60262 | 1 H3c | 4 Magic Ba1500l, Magic Ba1500l Firmware, Mc102-g and 1 more | 2026-01-29 | N/A | 9.8 CRITICAL |
| There is an issue in the H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point: a misconfiguration vulnerability in vsftpd. Through this vulnerability, all files uploaded anonymously via the FTP protocol are automatically owned by the root user, and remote attackers could gain root-level control over the devices. | | | | | |
| CVE-2025-8098 | 1 Lenovo | 1 Pcmanager | 2026-01-27 | N/A | 7.8 HIGH |
| An improper permission vulnerability was reported in Lenovo PC Manager that could allow a local attacker to escalate privileges. | |||||
| CVE-2025-39201 | 1 Hitachienergy | 1 Microscada X Sys600 | 2026-01-26 | N/A | 6.1 MEDIUM |
| A vulnerability exists in the MicroSCADA X SYS600 product. If exploited, this could allow a local unauthenticated attacker to tamper with a system file, causing a denial of the Notify service. | | | | | |
| CVE-2025-55132 | | | 2026-01-26 | N/A | 2.8 LOW |
| A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | |||||
| CVE-2021-47852 | | | 2026-01-26 | N/A | 8.8 HIGH |
| Rockstar Games Launcher 1.0.37.349 contains a privilege escalation vulnerability that allows authenticated users to modify the service executable with weak permissions. Attackers can replace the RockstarService.exe with a malicious binary to create a new administrator user and gain elevated system access. | |||||
| CVE-2025-15523 | | | 2026-01-26 | N/A | N/A |
| The macOS version of Inkscape bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access the user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Inkscape, potentially disguising the attacker's malicious intent. This issue has been fixed in version 1.4.3 of Inkscape. | | | | | |
