Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Today's Security Brief
Monday's vulnerability disclosures are concentrated around Totolink A7100RU routers, which account for the majority of 14 critical-severity CVEs β a 56% increase from Sunday's 9 critical disclosures. High-priority CVEs declined to 54, down 27% from the prior day's 74. Multiple Totolink A7100RU flaws (CVE-2026-6112 through CVE-2026-6139) carry CVSS 9.8 scores, alongside CVE-2019-25709 affecting CF Image Hosting Script. Two vulnerabilities are confirmed actively exploited: CVE-2026-5281 in Google Dawn and CVE-2026-3502 in TrueConf Client, both rated CVSS 9.5. No patches are currently available for any of the 68 disclosed vulnerabilities, requiring defenders to prioritize network-level mitigations and access controls.
14 critical CVEs disclosed, up 56% from Sunday's 9 critical disclosures
54 high-priority CVEs reported, down 27% from the prior day's 74
Google Dawn (CVE-2026-5281) and TrueConf Client (CVE-2026-3502) confirmed actively exploited at CVSS 9.5
Patch availability at 0% across all 68 disclosures β no vendor fixes currently released
Immediate action: Organizations using Totolink A7100RU routers should restrict administrative access and isolate affected devices behind network segmentation until patches are available. Google Dawn and TrueConf Client users should monitor vendor channels for emergency updates given confirmed exploitation. With zero patches available, apply compensating controls including WAF rules, access restrictions, and enhanced monitoring for all affected products.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2026-5281
9.5π
GoogleDawn
β° Federal Deadline:April 14, 2026(2 days remaining)
A use-after-free vulnerability exists in the Dawn component of Google Chrome. This flaw allows attackers to potentially execute arbitrary code or cause a denial-of-service via a crafted HTML page.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-3502
9.5
TrueConfClient
β° Federal Deadline:April 15, 2026(3 days remaining)
TrueConf Client Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2019-25709
9.8ππ Late Disclosure
CFImage Hosting Script
CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download the application database and delete images via plaintext IDs.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6112
9.8π
TotolinkA7100RU
A remote OS command injection vulnerability exists in the Totolink A7100RU CGI handler via the maxRtrAdvInterval argument.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6113
9.8π
TotolinkA7100RU
A remote OS command injection vulnerability exists in the Totolink A7100RU CGI handler via the ttyEnable argument.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6114
9.8π
TotolinkA7100RU
A remote OS command injection vulnerability exists in the Totolink A7100RU CGI handler via the proto argument.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6115
9.8π
TotolinkA7100RU
A remote OS command injection vulnerability exists in the Totolink A7100RU CGI handler via the enable argument.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6116
9.8π
TotolinkA7100RU
A remote OS command injection vulnerability exists in the Totolink A7100RU CGI handler via the ip argument.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6131
9.8π
AcerTotolink A7100RU
Acer Totolink A7100RU is vulnerable to remote OS command injection via the setTracerouteCfg function in the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6132
9.8π
TotolinkA7100RU
Totolink A7100RU allows remote unauthenticated attackers to execute arbitrary OS commands via the setLedCfg function in the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6138
9.8π
TotolinkA7100RU
Totolink A7100RU is vulnerable to remote OS command injection via the setAccessDeviceCfg function in the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6139
9.8π
TotolinkA7100RU
Totolink A7100RU contains an OS command injection vulnerability in the UploadOpenVpnCert function of the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6140
9.8π
TotolinkA7100RU
Totolink A7100RU is susceptible to remote OS command injection via the UploadFirmwareFile function in the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6154
9.8π
TotolinkA7100RU
Totolink A7100RU allows remote OS command injection via the setWizardCfg function within the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6155
9.8π
TotolinkA7100RU
Totolink A7100RU is vulnerable to remote OS command injection via the setWanCfg function in the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6156
9.8π
TotolinkA7100RU
Totolink A7100RU allows remote OS command injection via the setIpQosRules function in the CGI handler.
CVSS Base9.8
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2019-25697
8.2π Late Disclosure
HPwith malicious
CMSsite 1
CVSS Base8.2
β
CRSSelect profile
CVE-2019-25710
8.2π Late Disclosure
HPendpoint that
Dolibarr ERP-CRM 8
CVSS Base8.2
β
CRSSelect profile
CVE-2026-6161
7.3
HPof the
A vulnerability was determined in code-projects Simple ChatBox up to 1
CVSS Base7.3
β
CRSSelect profile
CVE-2019-25703
7.1π Late Disclosure
HPendpoint with
ImpressCMS 1
CVSS Base7.1
β
CRSSelect profile
CVE-2019-25707
7.1π Late Disclosure
HPwith crafted
eBrigade ERP 4
CVSS Base7.1
β
CRSSelect profile
CVE-2026-6142
7.3π
F5Hotel Management System
The Tushar Hotel Management System contains a security vulnerability that requires immediate attention.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6148
7.3π
HPVehicle Showroom Management System
A security vulnerability has been detected in version 1 of the Code-projects Vehicle Showroom Management System.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6149
7.3π
HPVehicle Showroom Management System
A security flaw has been identified in version 1 of the Code-projects Vehicle Showroom Management System, requiring immediate attention.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6151
7.3
HPMultiple Products
A vulnerability was found in code-projects Vehicle Showroom Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6152
7.3
HPMultiple Products
A vulnerability was determined in code-projects Vehicle Showroom Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6153
7.3
HPMultiple Products
A vulnerability was identified in code-projects Vehicle Showroom Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6163
7.3
HPMultiple Products
A vulnerability was identified in code-projects Lost and Found Thing Management 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6164
7.3
HPMultiple Products
A security flaw has been discovered in code-projects Lost and Found Thing Management 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6165
7.3
HPMultiple Products
A weakness has been identified in code-projects Vehicle Showroom Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6166
7.3
HPMultiple Products
A security vulnerability has been detected in code-projects Vehicle Showroom Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6167
7.3
HPMultiple Products
A vulnerability was detected in code-projects Faculty Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2019-25693
7.1π Late Disclosure
HPMultiple Products
ResourceSpace 8
CVSS Base7.1
β
CRSSelect profile
CVE-2026-25205
7.4
Samsung Open SourceOpen Source
Heap-based buffer overflow vulnerability in Samsung Open Source Escargot allows out-of-bounds write
CVSS Base7.4
β
CRSSelect profile
CVE-2026-6120
8.8
TendaF451
A vulnerability was detected in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6121
8.8
TendaF451
A flaw has been found in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6122
8.8
TendaF451
A vulnerability has been found in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6123
8.8
TendaF451
A vulnerability was found in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6124
8.8
TendaF451
A vulnerability was determined in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6133
8.8
TendaF451
A vulnerability was identified in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6134
8.8
TendaF451
A security flaw has been discovered in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6135
8.8
TendaF451
A weakness has been identified in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6136
8.8
TendaF451
A security vulnerability has been detected in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6137
8.8
TendaF451
A vulnerability was detected in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-25208
8.1
Samsung Open SourceOpen Source
Integer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers
CVSS Base8.1
β
CRSSelect profile
CVE-2026-25207
7.4
Samsung Open SourceOpen Source
Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers
CVSS Base7.4
β
CRSSelect profile
CVE-2019-25699
7.1π Late Disclosure
Haberparameter that
Newsbull Haber Script 1
CVSS Base7.1
β
CRSSelect profile
CVE-2019-25706
7.5π Late Disclosure
InforMultiple Products
Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sensitive information by sending a simple GET request
CVSS Base7.5
β
CRSSelect profile
CVE-2026-6157
8.8
TotolinkMultiple Products
A vulnerability was detected in Totolink A800R 4
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6168
8.8
TOTOLINKMultiple Products
A flaw has been found in TOTOLINK A7000R up to 9
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5936
8.5
theMultiple Products
An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations
CVSS Base8.5
β
CRSSelect profile
CVE-2018-25258
8.4π Late Disclosure
GUIMultiple Products
RGui 3
CVSS Base8.4
β
CRSSelect profile
CVE-2019-25689
8.4π Late Disclosure
VideoMultiple Products
HTML5 Video Player 1
CVSS Base8.4
β
CRSSelect profile
CVE-2019-25691
8.4π Late Disclosure
DesktopMultiple Products
Faleemi Desktop Software 1
CVSS Base8.4
β
CRSSelect profile
CVE-2019-25695
8.4ππ Late Disclosure
RR
A security vulnerability has been identified in the R programming language environment. Further technical details regarding the specific vector remain limited.
CVSS Base8.4
β
CRSSelect profile
CVE-2019-25701
8.4π Late Disclosure
iPodMultiple Products
Easy Video to iPod Converter 1
CVSS Base8.4
β
CRSSelect profile
CVE-2019-25705
8.4π Late Disclosure
EchoMultiple Products
Echo Mirage 3
CVSS Base8.4
β
CRSSelect profile
CVE-2026-1116
8.2π
ParisneoLollms
A Cross-site Scripting (XSS) vulnerability exists in the `from_dict` method of the `AppLollmsMessage` class in the Parisneo Lollms library.
CVSS Base8.2
β
CRSSelect profile
CVE-2026-40393
8.1
MesaMultiple Products
In Mesa before 25
CVSS Base8.1
β
CRSSelect profile
CVE-2026-34853
7.7
LBSMultiple Products
Permission bypass vulnerability in the LBS module
CVSS Base7.7
β
CRSSelect profile
CVE-2026-6105
7.3π
Perfreego-fastdfs-web
A security vulnerability has been identified in the Perfree go-fastdfs-web application, affecting all versions up to 1.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6110
7.3
InforMultiple Products
A vulnerability was identified in FoundationAgents MetaGPT up to 0
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6126
7.3
wechatMultiple Products
A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6129
7.3
InforMultiple Products
A vulnerability was detected in zhayujie chatgpt-on-wechat CowAgent up to 2
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6130
7.3
InforMultiple Products
A flaw has been found in chatboxai chatbox up to 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-34856
7.3
communicationMultiple Products
UAF vulnerability in the communication module
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6158
7.3
TotolinkMultiple Products
A flaw has been found in Totolink N300RH 6
CVSS Base7.3
β
CRSSelect profile
CVE-2018-25257
7.1π Late Disclosure
AdiantiMultiple Products
Adianti Framework 5
CVSS Base7.1
β
CRSSelect profile
CVE-2019-25713
7.1π Late Disclosure
InforMultiple Products
MyT-PM 1
CVSS Base7.1
β
CRSSelect profile
CVE-2026-40436
7.1
InforMultiple Products
The ZTE ZXEDM iEMS product has a password reset vulnerability for any user