
CVE-2025-10226 – PostgreSQL Upgrade from v10 to v17.4 in AxxonSoft Axxon One (C-Werk) 2.0.8 and earlier to Address Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2025-10226
10 Sep 2025 — Dependency on Vulnerable Third-Party Component (CWE-1395) in the PostgreSQL backend in AxxonSoft Axxon One (C-Werk) 2.0.8 and earlier on Windows and Linux allows a remote attacker to escalate privileges, execute arbitrary code, or cause denial-of-service via exploitation of multiple known CVEs present in PostgreSQL v10.x, which are resolved in PostgreSQL 17.4. • https://www.axxonsoft.com/legal/axxonsoft-vulnerability-disclosure-policy/security-advisories • CWE-1395: Dependency on Vulnerable Third-Party Component •

CVE-2025-50892
https://notcve.org/view.php?id=CVE-2025-50892
10 Sep 2025 — The eudskacs.sys driver version 20250328 shipped with EaseUs Todo Backup 1.2.0.1 fails to properly validate privileges for I/O requests (IRP_MJ_READ/IRP_MJ_WRITE) sent to its device object. This allows a local, low-privileged attacker to perform arbitrary raw disk reads and writes, leading to sensitive information disclosure, denial of service, or local privilege escalation. • http://easeus.com • CWE-269: Improper Privilege Management •

CVE-2025-59042 – PyInstaller has local privilege escalation vulnerability
https://notcve.org/view.php?id=CVE-2025-59042
09 Sep 2025 — If the executable is running with elevated privileges (for example, due to having the `setuid` bit set), the code in the injected module is also executed with the said elevated privileges, resulting in a local privilege escalation. • https://github.com/pyinstaller/pyinstaller/commit/f5adf291c8b832d5aff7632844f7e3ddf7ad4923 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-58761 – Tautulli vulnerable to Unauthenticated Path Traversal in `real_pms_image_proxy`
https://notcve.org/view.php?id=CVE-2025-58761
09 Sep 2025 — If the password is cracked, or if a valid JWT token is present in the database, an unauthenticated attacker can escalate their privileges to obtain administrative control over the application. • https://github.com/Tautulli/Tautulli/commit/ec77a70aafc555e1aad0d9981f719d1200c117f1 • CWE-27: Path Traversal: 'dir/../../filename' •

CVE-2025-58760 – Tautulli vulnerable to Unauthenticated Path Traversal in `/image` endpoint
https://notcve.org/view.php?id=CVE-2025-58760
09 Sep 2025 — If the password is cracked, or if a valid JWT token is present in the database, an unauthenticated attacker can escalate their privileges to obtain administrative control over the application. • https://github.com/Tautulli/Tautulli/commit/47566128e2e5dde98980d59b7a51b98173bc0b40 • CWE-23: Relative Path Traversal •
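
Both Tautulli entries above are unauthenticated path traversals (CWE-23 relative traversal, CWE-27 the `dir/../../filename` form) in image-serving endpoints, and the impact described is reading the application's database to recover the password hash or a stored JWT. The following is an added example and not Tautulli's code: it puts the naive join that produces this class of bug beside a containment check that canonicalises the path, resolves symlinks and compares with `commonpath` rather than a string prefix. The base directory `/srv/cache` and the request strings are constructed for the demonstration; the temporary symlink layout in `symlink_escape_demo` is built by the example itself.

```python
import os
import tempfile
from typing import Optional


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """Naive join, the pattern behind CWE-23/CWE-27: nothing stops '..'
    components, and os.path.join silently discards base_dir when
    `requested` is absolute."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path for `requested` only if it stays inside
    base_dir; None otherwise.  Symlinks are resolved before the check, so
    a link inside the served directory that points outside it is rejected."""
    if "\x00" in requested:           # NUL would truncate the path at the OS level
        return None
    try:
        base = os.path.realpath(base_dir)
        # Treat every request as relative: strip leading separators so an
        # absolute path cannot replace base_dir (the os.path.join pitfall).
        candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
        # commonpath, not startswith: "/srv/cache2/x" starts with "/srv/cache"
        # but lives in a sibling directory.
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                # e.g. paths on different Windows drives
        return None
    return candidate if inside else None


def symlink_escape_demo() -> tuple:
    """Constructed layout: a symlink inside the served directory points at a
    sibling directory holding a secret.  Returns (naive path exists, safe result)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "cache")
        outside = os.path.join(root, "private")
        os.makedirs(base)
        os.makedirs(outside)
        with open(os.path.join(outside, "secret.txt"), "w") as fh:
            fh.write("not for the image endpoint\n")
        os.symlink(outside, os.path.join(base, "link"))
        naive = vulnerable_resolve(base, "link/secret.txt")
        checked = safe_resolve(base, "link/secret.txt")
        return os.path.exists(naive), checked


if __name__ == "__main__":
    # Hypothetical cache directory and request strings, constructed for the example.
    for req in ("images/poster.jpg", "dir/../../app.db", "/etc/passwd", "../cache2/x"):
        print(repr(req), "naive ->", vulnerable_resolve("/srv/cache", req),
              "| safe ->", safe_resolve("/srv/cache", req))
    print("symlink demo (naive target exists, safe result):", symlink_escape_demo())
```

The containment check deliberately reinterprets an absolute request as relative instead of rejecting it; either is defensible, but rejecting outright is the simpler audit story if the endpoint never legitimately receives absolute paths. Whatever the resolver does, the file served to an unauthenticated caller should also be restricted by type and location rather than by path string alone, since the database is what turns a file read into the administrative takeover the advisories describe.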

CVE-2025-10199 – A local privilege escalation vulnerability exists in LizardByte's Sunshine for Windows
https://notcve.org/view.php?id=CVE-2025-10199
09 Sep 2025 — A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path. • https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp • CWE-428: Unquoted Search Path or Element •

CVE-2025-40594
https://notcve.org/view.php?id=CVE-2025-40594
09 Sep 2025 — The affected devices allow a factory reset to be executed without the required privileges due to improper privilege management as well as manipulation of configuration data because of leaked privileges of previous sessions. This could allow an unauthorized attacker to escalate their privileges. • https://cert-portal.siemens.com/productcert/html/ssa-027652.html • CWE-269: Improper Privilege Management •

CVE-2025-42914 – Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application)
https://notcve.org/view.php?id=CVE-2025-42914
09 Sep 2025 — Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low impact on the integrity of the application. • https://me.sap.com/notes/3635587 • CWE-862: Missing Authorization •

CVE-2025-42913 – Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application)
https://notcve.org/view.php?id=CVE-2025-42913
09 Sep 2025 — Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low impact on the integrity of the application. • https://me.sap.com/notes/3635587 • CWE-862: Missing Authorization •

CVE-2025-58746 – Volkov Labs Business Links plugin vulnerable to privilege escalation attack
https://notcve.org/view.php?id=CVE-2025-58746
08 Sep 2025 — Prior to version 2.4.0, a malicious actor with Editor privileges can escalate their privileges to Administrator and perform arbitrary administrative actions. • https://github.com/VolkovLabs/business-links/commit/9d203a6950de7860e11b25e4265ed8fe60082d7d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-83: Improper Neutralization of Script in Attributes in a Web Page •