By weakness (CWE)

CWE-732: related vulnerabilities

CVEs classified under CWE-732. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

6 published vulnerabilities

  • CVE-2026-10591HIGH 8.8

    Amazon Kiro IDE before version 0.11 contains a flaw in its file write functionality that fails to properly restrict which directories and files can be modified. An attacker can exploit this by sending specially crafted instructions that trick the IDE into writing files to sensitive paths—such as VS Code configuration files that execute automatically when a folder is opened. This could allow remote code execution without requiring the user to authenticate or take risky steps beyond opening a project folder.

  • CVE-2021-4480HIGH 8.2

    Dräger Protector Software before version 6.4.2 has a local privilege escalation flaw rooted in overly permissive file system permissions. An attacker with local access to an affected system can replace critical binaries or loaded modules, then trigger execution with NT SYSTEM privileges—the highest level of access on Windows. This gives an adversary complete control over the host.

  • CVE-2021-4481HIGH 8.2

    Dräger Protector Software versions prior to 6.4.2 suffer from a local privilege escalation flaw rooted in overly permissive file system permissions. An attacker with local access to an affected system can exploit this weakness to replace system binaries or loaded modules, ultimately executing arbitrary code with the highest privilege level (NT SYSTEM). This is a boots-on-the-ground attack: the attacker must have local file system access, but once they do, they can gain complete system control.

  • CVE-2026-27788HIGH 7.8

    ServerView Agents for Windows versions up to 11.60.04 contain a privilege escalation vulnerability rooted in improper file or resource permissions. Any local user with valid credentials on the affected server can exploit this flaw to gain SYSTEM-level access, effectively taking complete control of the system. The vulnerability requires no user interaction and affects all Windows deployments running the vulnerable software versions.

  • CVE-2026-10840HIGH 7.1

    A misconfiguration in the OpenShift Pipelines operator allows any authenticated user on a cluster to gain unauthorized control over workload scheduling and certificate management. The tekton-scheduler-rolebinding grants excessive permissions to all authenticated users, enabling them to disrupt job scheduling, alter priorities, delete other users' workloads, or manipulate TLS certificates—including those protecting ingress controllers. This is a privilege escalation issue that turns cluster authentication into a foothold for operational sabotage.

  • CVE-2026-10997MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how it enforces policies on extensions. An attacker could craft a malicious extension that, if installed by a user, would be able to bypass access controls that should normally restrict what the extension can do. This is a user-assisted attack—the victim must actively install the extension—but once installed, the extension gains unintended capabilities.