Common Weakness Enumeration

CWE-250

Allowed

Execution with Unnecessary Privileges

Abstraction: Base · Status: Draft

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

573 vulnerabilities reference this CWE, most recent first.

GHSA-7738-GQCF-GX4X

Vulnerability from github – Published: 2025-12-12 15:30 – Updated: 2026-06-04 09:30
VLAI
Details

Execution with Unnecessary Privileges vulnerability in Nebim Neyir Computer Industry and Services Inc. Nebim V3 ERP allows Expanding Control over the Operating System from the Database.This issue affects Nebim V3 ERP: from 2.0.59 before 3.0.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13506"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-12T13:15:43Z",
    "severity": "HIGH"
  },
  "details": "Execution with Unnecessary Privileges vulnerability in Nebim Neyir Computer Industry and Services Inc. Nebim V3 ERP allows Expanding Control over the Operating System from the Database.This issue affects Nebim V3 ERP: from 2.0.59 before 3.0.1.",
  "id": "GHSA-7738-gqcf-gx4x",
  "modified": "2026-06-04T09:30:33Z",
  "published": "2025-12-12T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13506"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0450"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-25-0450"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-78FM-6P6R-4VXR

Vulnerability from github – Published: 2025-10-17 03:33 – Updated: 2025-10-17 03:33
VLAI
Details

An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in broken access control has been identified in the /api/v1/setting/data endpoint of the affected device. This flaw allows a low-privileged authenticated user to call the API without the required permissions, thereby gaining the ability to access or modify system configuration data. Successful exploitation may lead to privilege escalation, allowing the attacker to access or modify sensitive system settings. While the overall impact is high, there is no loss of confidentiality or integrity within any subsequent systems.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6893"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-17T03:15:36Z",
    "severity": "CRITICAL"
  },
  "details": "An Execution with Unnecessary Privileges vulnerability has been identified in Moxa\u2019s network security appliances and routers. A flaw in broken access control has been identified in the /api/v1/setting/data endpoint of the affected device. This flaw allows a low-privileged authenticated user to call the API without the required permissions, thereby gaining the ability to access or modify system configuration data. Successful exploitation may lead to privilege escalation, allowing the attacker to access or modify sensitive system settings. While the overall impact is high, there is no loss of confidentiality or integrity within any subsequent systems.",
  "id": "GHSA-78fm-6p6r-4vxr",
  "modified": "2025-10-17T03:33:49Z",
  "published": "2025-10-17T03:33:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6893"
    },
    {
      "type": "WEB",
      "url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-258121-cve-2025-6892,-cve-2025-6893,-cve-2025-6894,-cve-2025-6949,-cve-2025-6950-multiple-vulnerabilities-in-netwo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7F48-JJJ6-53WV

Vulnerability from github – Published: 2026-01-30 09:30 – Updated: 2026-03-03 15:31
VLAI
Details

Improper access control in the WCF endpoint in Edgemo (now owned by Danoffice IT) Local Admin Service 1.2.7.23180 on Windows allows a local user to escalate their privileges to local administrator via direct communication with the LocalAdminService.exe named pipe, bypassing client-side group membership restrictions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-30T07:16:15Z",
    "severity": "HIGH"
  },
  "details": "Improper access control in the WCF endpoint in Edgemo (now owned by Danoffice IT) Local Admin Service 1.2.7.23180 on Windows allows a local user to escalate their privileges to local administrator via direct communication with the LocalAdminService.exe named pipe, bypassing client-side group membership restrictions.",
  "id": "GHSA-7f48-jjj6-53wv",
  "modified": "2026-03-03T15:31:36Z",
  "published": "2026-01-30T09:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1680"
    },
    {
      "type": "WEB",
      "url": "https://retest.dk/local-privilege-escalation-vulnerability-found-in-local-admin-service"
    },
    {
      "type": "WEB",
      "url": "https://www.danofficeit.com/howwedoit/workplace/management"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7FCJ-PQ9J-WH2R

Vulnerability from github – Published: 2020-01-16 22:18 – Updated: 2024-10-23 15:54
VLAI
Summary
Local Privilege Escalation in PyInstaller
Details

Impact

Local Privilege Escalation in all Windows software frozen by PyInstaller in "onefile" mode.

The vulnerability is present only on Windows and in this particular case: If a software frozen by PyInstaller in "onefile" mode is launched by a (privileged) user who has his/her "TempPath" resolving to a world writable directory. This is the case e.g. if the software is launched as a service or as a scheduled task using a system account (in which case TempPath will default to C:\Windows\Temp).

In order to be exploitable the software has to be (re)started after the attacker has launched the exploit program. So for a service launched at startup, a service restart is needed (e.g. after a crash or an upgrade).

While PyInstaller itself was not vulnerable, all Windows software frozen by PyInstaller in "onefile" mode is vulnerable.

CVSSv3 score 7.0 (High) CVSSv3 vector CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected - all Windows software frozen by PyInstaller in "onefile" mode

No affected - PyInstaller itself (except if frozen by PyInstaller in "onefile" mode on Windows) - software frozen in "onedir" mode - other platforms (GNU/Linux, OS X, BSD, etc.)

Patches

The problem is patched in commits 42a67148b3bdf9211fda8499fdc5b63acdd7e6cc (fixed code) and be948cf0954707671aa499da17b10c86b6fa5e5c (recompiled bootloaders). Users should upgrade to PyInstaller version 3.6 and rebuild their software.

Workarounds

There is no known workaround. Users using PyInstaller to freeze their Windows software using "onefile" mode should upgrade PyInstaller and rebuild their software.

Credits

This vulnerability was discovered and reported by Farid AYOUJIL (@faridtsl), David HA, Florent LE NIGER and Yann GASCUEL (@lnv42) from Alter Solutions (@AlterSolutions) and fixed in collaboration with Hartmut Goebel (@htgoebel, maintainer of PyInstaller).

Funding Development

PyInstaller is in urgent need of funding to make future security fixes happen, see https://github.com/pyinstaller/pyinstaller/issues/4404 for details.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "PyInstaller"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-16784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-01-14T20:09:51Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nLocal Privilege Escalation in all Windows software frozen by PyInstaller in \"onefile\" mode.\n\nThe vulnerability is present only on Windows and in this particular case: If a **software frozen by PyInstaller in \"onefile\" mode** is launched by a (privileged) user who has **his/her \"TempPath\" resolving to a world writable directory**. This is the case e.g. if the software is launched as a service or as a scheduled task using a system account (in which case TempPath will default to C:\\Windows\\Temp).\n\nIn order to be exploitable the software has to be (re)started after the attacker has launched the exploit program. So for a service launched at startup, a service restart is needed (e.g. after a crash or an upgrade).\n\nWhile PyInstaller itself was not vulnerable, all Windows software frozen by PyInstaller in \"onefile\" mode is vulnerable.\n\nCVSSv3 score 7.0 (High)\nCVSSv3 vector CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAffected\n- all Windows software frozen by PyInstaller in \"onefile\" mode\n\nNo affected\n- PyInstaller itself (except if frozen by PyInstaller in \"onefile\" mode on Windows)\n- software frozen in \"one*dir*\" mode\n- other platforms (GNU/Linux, OS X, BSD, etc.)\n\n### Patches\nThe problem is patched in commits 42a67148b3bdf9211fda8499fdc5b63acdd7e6cc (fixed code) and be948cf0954707671aa499da17b10c86b6fa5e5c (recompiled bootloaders). Users should upgrade to PyInstaller version 3.6 and rebuild their software.\n\n### Workarounds\nThere is no known workaround. Users using PyInstaller to freeze their Windows software using \"onefile\" mode should upgrade PyInstaller and rebuild their software.\n\n### Credits\nThis vulnerability was discovered and reported by Farid AYOUJIL (@faridtsl), David HA, Florent LE NIGER and Yann GASCUEL (@lnv42) from Alter Solutions (@AlterSolutions) and fixed in collaboration with\nHartmut Goebel (@htgoebel, maintainer of PyInstaller).\n\n### Funding Development\n\nPyInstaller is in urgent need of funding to make future security fixes happen, see \u003chttps://github.com/pyinstaller/pyinstaller/issues/4404\u003e for details.",
  "id": "GHSA-7fcj-pq9j-wh2r",
  "modified": "2024-10-23T15:54:56Z",
  "published": "2020-01-16T22:18:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-7fcj-pq9j-wh2r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16784"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyinstaller/pyinstaller/commit/42a67148b3bdf9211fda8499fdc5b63acdd7e6cc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyinstaller/pyinstaller/commit/be948cf0954707671aa499da17b10c86b6fa5e5c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyinstaller/pyinstaller"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyinstaller/PYSEC-2020-175.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Local Privilege Escalation in PyInstaller"
}

GHSA-7FJ9-687G-H53C

Vulnerability from github – Published: 2025-08-27 00:31 – Updated: 2025-08-27 15:33
VLAI
Details

In main of main.cpp, there is a possible way to bypass SELinux due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0078"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-26T23:15:32Z",
    "severity": "HIGH"
  },
  "details": "In main of main.cpp, there is a possible way to bypass SELinux due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-7fj9-687g-h53c",
  "modified": "2025-08-27T15:33:14Z",
  "published": "2025-08-27T00:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0078"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/frameworks/native/+/c32d4defe0f4e5cad86437d6672de7a76caf1a79"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2025-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7P7C-646P-56RG

Vulnerability from github – Published: 2025-10-15 15:30 – Updated: 2025-10-15 15:30
VLAI
Details

A potential vulnerability was reported in PC Manager that could allow a local authenticated user to execute code with elevated privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8486"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-15T15:16:06Z",
    "severity": "HIGH"
  },
  "details": "A potential vulnerability was reported in PC Manager that could allow a local authenticated user to execute code with elevated privileges.",
  "id": "GHSA-7p7c-646p-56rg",
  "modified": "2025-10-15T15:30:29Z",
  "published": "2025-10-15T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8486"
    },
    {
      "type": "WEB",
      "url": "https://iknow.lenovo.com.cn/detail/432378"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7PG5-V792-9XV2

Vulnerability from github – Published: 2024-12-11 18:30 – Updated: 2025-11-04 00:32
VLAI
Details

The www-data user can elevate its privileges because sudo is configured to allow the execution of the mount command as root without a password. Therefore, the privileges can be escalated to the root user. The risk has been accepted by the vendor and won't be fixed in the near future.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28139"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-11T16:15:09Z",
    "severity": "HIGH"
  },
  "details": "The www-data user can elevate its privileges because sudo is configured to allow the execution of the mount command as root without a password. Therefore, the privileges can be escalated to the root user. The risk has been accepted by the vendor and won\u0027t be fixed in the near future.",
  "id": "GHSA-7pg5-v792-9xv2",
  "modified": "2025-11-04T00:32:09Z",
  "published": "2024-12-11T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28139"
    },
    {
      "type": "WEB",
      "url": "https://r.sec-consult.com/imageaccess"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Dec/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7PJR-QPVH-M339

Vulnerability from github – Published: 2026-05-21 20:17 – Updated: 2026-06-10 18:42
VLAI
Summary
Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables
Details

Summary

Before the round-1 security sweep, pkg/builder/builder.go passed Environment.spec.builder.command directly into exec.Command(...) after a strings.Fields split, with no validation of the executable path or its arguments. A user who could create or update Environment CRDs in a namespace observed by the buildermgr could thereby point the builder pod at any executable inside the builder image (e.g. /bin/sh -c '...') and execute arbitrary code in the builder pod context.

Affected component

  • pkg/builder/builder.go:254 — call site (exec.Command(buildCmd, buildArgs...)).
  • pkg/builder/builder.go:106 — input source: buildCmd, buildArgs = strings.Fields(req.BuildCommand)[0], strings.Fields(req.BuildCommand)[1:].

Impact

A subject with create / update privilege on Environment objects could:

  1. Cause the builder pod for any package using that environment to execute arbitrary code.
  2. Read whatever files the builder pod has access to inside its /packages shared volume (deployment archive payloads for that package).
  3. Write arbitrary content into the /packages shared volume, which the fetcher subsequently uploads as the package deployment archive.

The builder pod runs in the user's namespace with the fission-builder SA (not the more-privileged executor SA), so the impact is bounded to that namespace's package contents and the builder pod's own filesystem. PR:H reflects that creating / modifying Environment CRDs is typically restricted to cluster admins or platform operators.

Root cause

pkg/builder/builder.go's build-command parser did not validate the resulting executable path. Although exec.Command does not invoke a shell, it does locate the executable via $PATH, and strings.Fields splitting allowed multiple flags / sub-arguments to be passed.

Fix

Released in v1.23.0:

  • PR #3364 (commit 0f45c911) introduces Builder.resolveBuildCommand in pkg/builder/builder.go, which:
  • Accepts an empty string (treated as the default /build).
  • Accepts the literal /build.
  • Accepts any absolute path that survives filepath.Clean and contains no .. segments.
  • Rejects anything containing whitespace metacharacters or relative paths.
  • exec.Command still receives only the validated absolute path; sub-arguments continue to come from strings.Fields of the original string but are now passed positionally with no shell expansion.

Mitigation (until upgrade)

  1. Restrict who can create / update Environment CRDs to trusted operators only.
  2. Audit Environment.spec.builder.command values for any non-/build paths.
  3. Run the buildermgr with a tightened ServiceAccount that has no secret access in the builder namespace.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.22.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fission/fission"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250",
      "CWE-269",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T20:17:24Z",
    "nvd_published_at": "2026-06-10T18:17:05Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nBefore the round-1 security sweep, `pkg/builder/builder.go` passed `Environment.spec.builder.command` directly into `exec.Command(...)` after a `strings.Fields` split, with no validation of the executable path or its arguments. A user who could create or update `Environment` CRDs in a namespace observed by the buildermgr could thereby point the builder pod at any executable inside the builder image (e.g. `/bin/sh -c \u0027...\u0027`) and execute arbitrary code in the builder pod context.\n\n### Affected component\n\n- `pkg/builder/builder.go:254` \u2014 call site (`exec.Command(buildCmd, buildArgs...)`).\n- `pkg/builder/builder.go:106` \u2014 input source: `buildCmd, buildArgs = strings.Fields(req.BuildCommand)[0], strings.Fields(req.BuildCommand)[1:]`.\n\n### Impact\n\nA subject with `create` / `update` privilege on `Environment` objects could:\n\n1. Cause the builder pod for any package using that environment to execute arbitrary code.\n2. Read whatever files the builder pod has access to inside its `/packages` shared volume (deployment archive payloads for that package).\n3. Write arbitrary content into the `/packages` shared volume, which the fetcher subsequently uploads as the package deployment archive.\n\nThe builder pod runs in the user\u0027s namespace with the `fission-builder` SA (not the more-privileged executor SA), so the impact is bounded to that namespace\u0027s package contents and the builder pod\u0027s own filesystem. `PR:H` reflects that creating / modifying `Environment` CRDs is typically restricted to cluster admins or platform operators.\n\n### Root cause\n\n`pkg/builder/builder.go`\u0027s build-command parser did not validate the resulting executable path. Although `exec.Command` does not invoke a shell, it does locate the executable via `$PATH`, and `strings.Fields` splitting allowed multiple flags / sub-arguments to be passed.\n\n### Fix\n\nReleased in [v1.23.0](https://github.com/fission/fission/releases/tag/v1.23.0):\n\n- **PR #3364** (commit `0f45c911`) introduces `Builder.resolveBuildCommand` in `pkg/builder/builder.go`, which:\n  1. Accepts an empty string (treated as the default `/build`).\n  2. Accepts the literal `/build`.\n  3. Accepts any absolute path that survives `filepath.Clean` and contains no `..` segments.\n  4. Rejects anything containing whitespace metacharacters or relative paths.\n- `exec.Command` still receives only the validated absolute path; sub-arguments continue to come from `strings.Fields` of the original string but are now passed positionally with no shell expansion.\n\n### Mitigation (until upgrade)\n\n1. Restrict who can create / update `Environment` CRDs to trusted operators only.\n2. Audit `Environment.spec.builder.command` values for any non-`/build` paths.\n3. Run the buildermgr with a tightened ServiceAccount that has no secret access in the builder namespace.",
  "id": "GHSA-7pjr-qpvh-m339",
  "modified": "2026-06-10T18:42:10Z",
  "published": "2026-05-21T20:17:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/security/advisories/GHSA-7pjr-qpvh-m339"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46618"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/pull/3364"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fission/fission"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/releases/tag/v1.23.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables"
}

GHSA-7RVM-XJPP-63R9

Vulnerability from github – Published: 2026-06-08 18:21 – Updated: 2026-06-12 21:59
VLAI
Summary
actual Allows Electron to Run As Node
Details

Summary

A electron run as node vulnerability was identified in actual (macOS application, version 25.x (Electron 39.2.7)).

Vulnerability Type: Electron Run As Node

Description

ELECTRON_RUN_AS_NODE fuse enabled (Electron 39.2.7) — app can be converted to Node.js REPL for arbitrary code execution

Impact

An attacker who can place a file on disk or control command-line arguments can invoke the signed Actual.app binary with ELECTRON_RUN_AS_NODE=1 to execute arbitrary Node.js code inheriting the apps entitlements and code signature. This bypasses macOS Gatekeeper review of the payload: the Node.js script runs as Actual, under Actuals bundle ID and signed identity, and has access to any entitlements the app carries (network, file access, keychain, automation). Combined with any downloader (browser, mail attachment, Slack link) this becomes a signed-binary-abuse primitive on every Mac with Actual installed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "actual"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250",
      "CWE-693",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-08T18:21:26Z",
    "nvd_published_at": "2026-06-12T20:16:45Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA electron run as node vulnerability was identified in `actual` (macOS application, version `25.x (Electron 39.2.7)`).\n\n**Vulnerability Type:** Electron Run As Node\n\n## Description\n\nELECTRON_RUN_AS_NODE fuse enabled (Electron 39.2.7) \u2014 app can be converted to Node.js REPL for arbitrary code execution\n\n## Impact\n\nAn attacker who can place a file on disk or control command-line arguments can invoke the signed Actual.app binary with ELECTRON_RUN_AS_NODE=1 to execute arbitrary Node.js code inheriting the apps entitlements and code signature. This bypasses macOS Gatekeeper review of the payload: the Node.js script runs as Actual, under Actuals bundle ID and signed identity, and has access to any entitlements the app carries (network, file access, keychain, automation). Combined with any downloader (browser, mail attachment, Slack link) this becomes a signed-binary-abuse primitive on every Mac with Actual installed.",
  "id": "GHSA-7rvm-xjpp-63r9",
  "modified": "2026-06-12T21:59:55Z",
  "published": "2026-06-08T18:21:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/actualbudget/actual/security/advisories/GHSA-7rvm-xjpp-63r9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42890"
    },
    {
      "type": "WEB",
      "url": "https://actualbudget.org/blog/release-26.5.0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/actualbudget/actual"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "actual Allows Electron to Run As Node"
}

GHSA-7V9F-F4QV-FCXH

Vulnerability from github – Published: 2026-02-13 18:31 – Updated: 2026-02-13 18:31
VLAI
Details

Local privilege escalation in Genetec Sipelia Plugin. An authenticated low-privileged Windows user could exploit this vulnerability to gain elevated privileges on the affected system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-13T17:16:10Z",
    "severity": "MODERATE"
  },
  "details": "Local privilege escalation in Genetec Sipelia Plugin. An authenticated low-privileged Windows user could exploit this vulnerability to gain elevated privileges on the affected system.",
  "id": "GHSA-7v9f-f4qv-fcxh",
  "modified": "2026-02-13T18:31:25Z",
  "published": "2026-02-13T18:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1790"
    },
    {
      "type": "WEB",
      "url": "https://techdocs.genetec.com/r/en-US/Security-Updates-for-SipeliaTM-2.14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:H/IR:H/AR:H/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:H/MVI:H/MVA:H/MSC:X/MSI:H/MSA:H/S:P/AU:N/R:X/V:C/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Mitigation MIT-18
Architecture and Design

Strategy: Separation of Privilege

Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.

Mitigation MIT-18
Architecture and Design

Strategy: Attack Surface Reduction

Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.

Mitigation
Implementation

Perform extensive input validation for any privileged code that must be exposed to the user and reject anything that does not fit your strict requirements.

Mitigation MIT-19
Implementation

When dropping privileges, ensure that they have been dropped successfully to avoid CWE-273. As protection mechanisms in the environment get stronger, privilege-dropping calls may fail even if it seems like they would always succeed.

Mitigation
Implementation

If circumstances force you to run with extra privileges, then determine the minimum access level necessary. First identify the different permissions that the software and its users will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else [REF-76]. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. This mitigation is much more prone to error than dropping the privileges in the first place.

Mitigation MIT-37
Operation System Configuration

Strategy: Environment Hardening

Ensure that the software runs properly under the United States Government Configuration Baseline (USGCB) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software.

CAPEC-104: Cross Zone Scripting

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

CAPEC-470: Expanding Control over the Operating System from the Database

An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.

CAPEC-69: Target Programs with Elevated Privileges

This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.