Security Vulnerabilities
Privilege escalation in the mk_mysql agent plugin on Windows in Checkmk <2.4.0p29, <2.3.0p47, and 2.2.0 (EOL) allows a local unprivileged user able to create a Windows service whose name matches 'MySQL' or 'MariaDB' (or with write access to a binary referenced by such a service) to execute arbitrary code in the context of the Checkmk agent service, which typically runs as SYSTEM.
CVSS Score
5.2
EPSS Score
0.0
Published
2026-05-13
Incorrect privilege assignment in LocationManager prior to SMR May-2026 Release 1 allows local attackers to access sensitive information.
CVSS Score
5.1
EPSS Score
0.0
Published
2026-05-13
Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary code.
CVSS Score
6.8
EPSS Score
0.0
Published
2026-05-13
Improper export of android application components in OmaCP prior to SMR May-2026 Release 1 allows local attackers to trigger privileged functions.
CVSS Score
5.1
EPSS Score
0.0
Published
2026-05-13
Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged activity.
CVSS Score
5.1
EPSS Score
0.0
Published
2026-05-13
Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to access sensitive information.
CVSS Score
6.9
EPSS Score
0.0
Published
2026-05-13
Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique identifier.
CVSS Score
6.8
EPSS Score
0.0
Published
2026-05-13
Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a data source administrator.
CVSS Score
9.1
EPSS Score
0.001
Published
2026-05-13
Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $rtrim, an authenticated user with aggregation permissions can pin CPU utilization at 100% for an extended period of time.
This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
CVSS Score
5.3
EPSS Score
0.001
Published
2026-05-13
After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service.
This issue impacts MongoDB Server v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
CVSS Score
7.7
EPSS Score
0.001
Published
2026-05-13