MITRE ATT&CK CVE list for this attack path. Use risk scores and timeline to decide what to patch first and what to track next.
| CVE | 描述 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|
| CVE-2026-58054 | MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler's verify_usergroup() unconditionally returns true. An admin holding only the delegated user-management permission can assign the Administrators group to an account and escalate to the full Administrator permission set. | 8.6 | 无 | 2026-06-27 | 2026-06-27 |
| CVE-2026-58053 | Gitea act_runner with the Docker backend (through act 0.262.0) passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: false, forces only the Privileged flag off while merging options such as --pid=host, --cap-add, and --security-opt unchanged. A user who can run a workflow on a Docker-backed runner can create a job container with host namespaces and broad capabilities and escape to the host as root despite privileged mode being | 9.4 | 无 | 2026-06-27 | 2026-06-27 |
| CVE-2026-12415 | The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account, accepts an attacker-controlled user_id and user_email from POST data, and calls wp_update_user() without verifying authentication, ownership, or a nonce. This makes it possible for unauthenticated attackers to change the ema | 9.8 | 0.66% | 2026-06-27 | 2026-06-27 |
| CVE-2026-45256 | When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered. The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a | 5.5 | 0.09% | 2026-06-26 | 2026-06-26 |
| CVE-2026-52808 | Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter() rather than reqRepoAdmin(). The equivalent operations in the web UI sit behind reqRepoAdmin, which requires AccessMode >= AccessModeAdmin. A write-level collaborator (who has AccessMode == AccessModeWrite < AccessModeAdmin) can therefore call thes | 7.1 | 0.48% | 2026-06-24 | 2026-06-25 |
| CVE-2026-56245 | Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public API key to poison billing and quota data for any organization, enabling resource exhaustion and cross-tenant billing manipulation. | 8.8 | 0.27% | 2026-06-24 | 2026-06-25 |
| CVE-2026-54319 | Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.186, a sandbox volume reference (volumeId, which may also be a volume name) was forwarded to the runner and used to build the host bind-mount source path without confinement. A reference containing path-traversal sequences could in principle resolve the mount source outside the intended per-volume base directory. This vulnerability is fixed in 0.186. | 4.2 | 0.17% | 2026-06-23 | 2026-06-24 |
| CVE-2026-56225 | Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers (get/put/delete/post). API keys created with mode=all but restricted to a single app via limited_to_apps are only checked for limited_to_orgs and not for limited_to_apps, so an app-scoped key can enumerate, update, and delete sibling API keys belonging to the same account that are outside its declared app scope, enabling tampering with account-level credentials. | 8.7 | 0.29% | 2026-06-23 | 2026-06-23 |
| CVE-2026-54099 | A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validates that a Certificate Signing Request contains the organization system:wicd-nodes but does not reject additional organization values such as system:masters. A compromised Windows worker node that holds WICD credentials can submit a CSR that is auto-approved and signed by the cluster, yielding a client certificate that grants cluster-administrator privileges a | 8.8 | 0.07% | 2026-06-22 | 2026-06-23 |
| CVE-2026-8157 | The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator. | 8.8 | 0.24% | 2026-06-22 | 2026-06-22 |
| CVE-2026-56239 | Capgo before 12.128.2 contains a potential privilege escalation vulnerability in the public.apply_usage_overage SECURITY DEFINER function, which performs sensitive billing operations without enforcing internal authorization checks (no validation of auth.uid(), org membership, or check_min_rights). Because the function runs with the owner's privileges, it bypasses Row Level Security. If EXECUTE permission is available to the authenticated or anon roles (explicitly or via default privileges), an a | 7.2 | 0.20% | 2026-06-21 | 2026-06-24 |
| CVE-2026-56216 | Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty limits. Attackers with a compromised app-limited key can create an unrestricted key with org-wide access to resources like app listings and other protected endpoints. | 8.7 | 0.25% | 2026-06-19 | 2026-06-22 |
| CVE-2026-56212 | Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator's 2FA status before allowing the policy change, resulting in inconsistent security enforcement, potential administrative misuse, and lockout risk for team members. | 5.1 | 0.21% | 2026-06-19 | 2026-06-22 |
| CVE-2026-50201 | Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, all Steeltoe actuator endpoints default to `EndpointPermissions.Restricted`, which is mappeds to Cloud Foundry's `read_basic_data` permission (granted to Space Auditors and similar low-trust roles). Sensitive actuators including heap dump, environment, and th | 6.5 | 0.23% | 2026-06-17 | 2026-06-22 |
| CVE-2026-20246 | A vulnerability in the vmadmin CLI of Cisco Umbrella Virtual Appliance could allow an authenticated, local attacker to elevate privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied commands. An attacker with vmadmin privileges could exploit this vulnerability by using certain commands at the CLI. A successful exploit could allow the attacker to elevate privileges to root. | 6.0 | 0.10% | 2026-06-17 | 2026-06-22 |
| CVE-2026-54415 | Missing Authorization in the server management routes (routes/admin.php) in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses via crafted HTTP requests to /admin/servers/create and the AzLink API endpoints (/api/azlink/password, /api/azlink/email, /api/azlink/user/{id}). | 8.6 | 0.35% | 2026-06-17 | 2026-06-17 |
| CVE-2026-12450 | Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 6.5 | 0.22% | 2026-06-17 | 2026-06-17 |
| CVE-2026-12448 | Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: High) | 8.8 | 0.26% | 2026-06-17 | 2026-06-18 |
| CVE-2026-12165 | The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin's admin menu being registered at the `edit_posts` capability level — granting Contributor-level users access to the plugin's admin pages and a valid `cg_admin` nonce — while the option-saving handler in `change-options-and-sizes.php` performs no `current_ | 8.8 | 0.41% | 2026-06-17 | 2026-06-17 |
| CVE-2026-0063 | In setAllowedCarriers of PhoneInterfaceManager.java, there is a possible way to disable carrier restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 10.0 | 0.24% | 2026-06-17 | 2026-06-18 |