Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Today's Security Brief
Friday's vulnerability disclosures reveal 12 critical flaws concentrated across HP enterprise management systems, WordPress plugins, and LG mail security appliances. Critical CVE volume dropped 29% from Thursday's 17 to 12, while the 100 high-priority disclosures held steady. CVE-2026-31843 and CVE-2026-37345 (both CVSS 9.8) target HP payment and vehicle management platforms, while CVE-2026-6350 (CVSS 9.8) exposes LG MailGates and MailAudit to remote exploitation. Remote code execution and SQL injection patterns dominate the critical tier, with WordPress plugin vulnerabilities accounting for three of the top ten. No vendor patches are currently available for any disclosed CVE, and 9 vulnerabilities across Microsoft, Adobe, and Apache products have confirmed active exploitation.
HP enterprise platforms hit with 3 critical flaws (CVSS 9.1β9.8) across payment, parking, and payroll systems
Critical CVEs fell to 12, down 29% from Thursday's 17 disclosures
High-priority volume unchanged at 100 CVEs, maintaining elevated baseline
Patch availability at 0% β no fixes released for any of today's disclosed vulnerabilities
9 actively exploited CVEs spanning Microsoft Exchange, SharePoint, Windows, Adobe Acrobat, and Apache ActiveMQ
Immediate action: Prioritize compensating controls for HP enterprise management systems, WordPress installations, and LG MailGates/MailAudit deployments where no patches exist. Organizations running Microsoft Exchange Server, SharePoint, and Adobe Acrobat should verify mitigations against the 9 actively exploited vulnerabilities, several of which target legacy flaws dating back to 2009.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEV
CVE-2012-1854
9.5π Late Disclosure
MicrosoftVisual Basic for Applications (VBA)
β° Federal Deadline:April 26, 2026(10 days remaining)
Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-60710
9.5
MicrosoftWindows
β° Federal Deadline:April 26, 2026(10 days remaining)
Microsoft Windows Link Following Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2023-21529
9.5π Late Disclosure
MicrosoftExchange Server
β° Federal Deadline:April 26, 2026(10 days remaining)
Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2023-36424
9.5π Late Disclosure
MicrosoftWindows
β° Federal Deadline:April 26, 2026(10 days remaining)
Microsoft Windows Out-of-Bounds Read Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2020-9715
9.5π Late Disclosure
AdobeAcrobat
β° Federal Deadline:April 26, 2026(10 days remaining)
Adobe Acrobat Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-34621
9.5π
AdobeAcrobat and Reader
β° Federal Deadline:April 26, 2026(10 days remaining)
Adobe Acrobat Reader is vulnerable to prototype pollution, which can result in arbitrary code execution when a victim opens a malicious file.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2009-0238
9.5π Late Disclosure
MicrosoftOffice
β° Federal Deadline:April 27, 2026(11 days remaining)
Microsoft Office Remote Code Execution - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-32201
9.5
MicrosoftSharePoint Server
β° Federal Deadline:April 27, 2026(11 days remaining)
Microsoft SharePoint Server Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-34197
9.5
ApacheActiveMQ
β° Federal Deadline:April 29, 2026(13 days remaining)
Apache ActiveMQ Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2026-31843
9.8π
HPpayment hook
The pay-uz Laravel package contains an unauthenticated remote code execution vulnerability via the /payment/api/editable/update endpoint.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-4880
9.8π
WordPressis vulnerable
The Barcode Scanner plugin for WordPress is vulnerable to privilege escalation via insecure token handling and lack of meta-key restrictions.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-3596
9.8π
WordPressis vulnerable
The Riaxe Product Customizer plugin for WordPress allows unauthenticated attackers to update arbitrary site options via an unprotected AJAX action.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-37345
9.8π
HPVehicle Parking Area Management System
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL injection via the 'manage_park.php' file.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-37338
9.4π
HPSimple Music Cloud Community System
SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL injection via the 'view_user.php' file.
CVSS Base9.4
β
CRSSelect profile
CVE-2026-37347
9.1π
HPPayroll Management and Information System
SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL injection via the 'view_employee.php' file.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-6443
9.8π
WordPressis vulnerable
The Accordion and Accordion Slider plugin for WordPress version 1.4.6 contains a malicious backdoor injected by threat actors.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-40322
9π
SiYuanSiYuan
SiYuan versions 3.6.3 and below are vulnerable to stored XSS in Mermaid diagrams, which can be escalated to arbitrary code execution on Electron-based desktop builds.
CVSS Base9
β
CRSSelect profile
CVE-2026-6350
9.8π
LGMailGates/MailAudit
Openfind MailGates/MailAudit is vulnerable to a stack-based buffer overflow, allowing unauthenticated remote code execution.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-40504
9.8π
Creolabs GravityGravity
Creolabs Gravity before 0.9.6 is vulnerable to a heap buffer overflow in the VM execution engine, allowing arbitrary code execution.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-40959
9.3π
LuantiLuanti
Luanti versions before 5.15.2 are vulnerable to a Lua sandbox escape when using LuaJIT, allowing a crafted mod to execute arbitrary code.
CVSS Base9.3
β
CRSSelect profile
CVE-2026-6270
9.1π
Fastify@fastify/middie
The @fastify/middie package fails to inherit middleware in child plugin scopes, leading to an authentication bypass for unauthenticated requests.
CVSS Base9.1
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2026-30778
7.5
ApacheSkyWalking
The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL
CVSS Base7.5
β
CRSSelect profile
CVE-2026-23772
7.3
MicrosoftServers
Dell Storage Manager - Replay Manager for Microsoft Servers, version(s) 8
CVSS Base7.3
β
CRSSelect profile
CVE-2026-6297
8.3
GoogleChrome prior
Use after free in Proxy in Google Chrome prior to 147
CVSS Base8.3
β
CRSSelect profile
CVE-2026-6299
8.8
GoogleChrome prior
Use after free in Prerender in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6300
8.8
GoogleChrome prior
Use after free in CSS in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6302
8.8
GoogleChrome prior
Use after free in Video in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6303
8.8
GoogleChrome prior
Use after free in Codecs in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6305
8.8
GoogleChrome prior
Heap buffer overflow in PDFium in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6306
8.8
GoogleChrome prior
Heap buffer overflow in PDFium in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6315
8.8
GoogleChrome on
Use after free in Permissions in Google Chrome on Android prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6316
8.8
GoogleChrome prior
Use after free in Forms in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6317
8.8
GoogleChrome prior
Use after free in Cast in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6318
8.8
GoogleChrome prior
Use after free in Codecs in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6358
8.8
GoogleChrome on
Use after free in XR in Google Chrome on Android prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6359
8.8
GoogleChrome on
Use after free in Video in Google Chrome on Windows prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6360
8.8
GoogleChrome prior
Use after free in FileSystem in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5050
7.5
GooglePay gateway
The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7
CVSS Base7.5
β
CRSSelect profile
CVE-2026-6304
8.3
GoogleChrome prior
Use after free in Graphite in Google Chrome prior to 147
CVSS Base8.3
β
CRSSelect profile
CVE-2026-6309
8.3
GoogleChrome prior
Use after free in Viz in Google Chrome prior to 147
CVSS Base8.3
β
CRSSelect profile
CVE-2026-6310
8.3
GoogleChrome prior
Use after free in Dawn in Google Chrome prior to 147
CVSS Base8.3
β
CRSSelect profile
CVE-2026-6319
7.5
GoogleChrome on
Use after free in Payments in Google Chrome on Android prior to 147
CVSS Base7.5
β
CRSSelect profile
CVE-2026-6301
8.8
GoogleChrome prior
Type Confusion in Turbofan in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6307
8.8
GoogleChrome prior
Type Confusion in Turbofan in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6363
8.8
GoogleChrome prior
Type Confusion in V8 in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-1620
8.8
WordPressis vulnerable
The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3599
7.5
WordPressis vulnerable
The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and including, 2
CVSS Base7.5
β
CRSSelect profile
CVE-2026-6311
8.3
GoogleChrome on
Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147
CVSS Base8.3
β
CRSSelect profile
CVE-2026-6314
8.3
GoogleChrome prior
Out of bounds write in GPU in Google Chrome prior to 147
CVSS Base8.3
β
CRSSelect profile
CVE-2026-34632
8.2
AdobePhotoshop Installer
Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability that could have resulted in arbitrary code execution in the context of the current user
CVSS Base8.2
β
CRSSelect profile
CVE-2026-40193
8.2
Oracleor via
maddy is a composable, all-in-one mail server
CVSS Base8.2
β
CRSSelect profile
CVE-2026-6308
7.5
GoogleChrome prior
Out of bounds read in Media in Google Chrome prior to 147
CVSS Base7.5
β
CRSSelect profile
CVE-2026-40245
7.5
projectFoundation project
Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks
CVSS Base7.5
β
CRSSelect profile
CVE-2026-4659
7.5
WordPressis vulnerable
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2
CVSS Base7.5
β
CRSSelect profile
CVE-2026-5617
8.8
WordPressis vulnerable
The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3614
8.8
WordPressis vulnerable
The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3643
7.2
WordPressis vulnerable
The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3
CVSS Base7.2
β
CRSSelect profile
CVE-2026-3489
7.5
WordPressis vulnerable
The DirectoryPress β Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3
CVSS Base7.5
β
CRSSelect profile
CVE-2026-40261
8.8
HPMultiple Products
Composer is a dependency manager for PHP
CVSS Base8.8
β
CRSSelect profile
CVE-2025-14868
8.8
WordPressis vulnerable
The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-40176
7.8
HPMultiple Products
Composer is a dependency manager for PHP
CVSS Base7.8
β
CRSSelect profile
CVE-2026-30995
8.6
HPendpoint
Slah CMS v1
CVSS Base8.6
β
CRSSelect profile
CVE-2026-23853
8.4
DellPowerProtect Data
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7
CVSS Base8.4
β
CRSSelect profile
CVE-2026-32631
7.4
UnknownMultiple Products
Git for Windows is the Windows port of Git
CVSS Base7.4
β
CRSSelect profile
CVE-2026-30461
8.3
HPand the
Daylight Studio FuelCMS v1
CVSS Base8.3
β
CRSSelect profile
CVE-2026-30994
7.5
HPcomponent of
Incorrect access control in the config
CVSS Base7.5
β
CRSSelect profile
CVE-2026-30996
7.5
HPof SAC
An issue in the file handling logic of the component download
CVSS Base7.5
β
CRSSelect profile
CVE-2025-67841
7.5π
F5IronSide SE for nRF54H20
Nordic Semiconductor IronSide SE for nRF54H20 versions before 23 contain an unspecified vulnerability.
CVSS Base7.5
β
CRSSelect profile
CVE-2026-37336
7.3
HPMultiple Products
SourceCodester Simple Music Cloud Community System v1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-37337
7.3
HPMultiple Products
SourceCodester Simple Music Cloud Community System v1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3324
8.2
ManageEngineLog360 versions
Zohocorp ManageEngine Log360 versions 13000 through 13013 are vulnerable to authentication bypass on certain actions due to improper filter configuration
CVSS Base8.2
β
CRSSelect profile
CVE-2026-5785
8.1
PasswordPAM360 versions
Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module
CVSS Base8.1
β
CRSSelect profile
CVE-2026-40745
7.6
bdthemes Element PackMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection
CVSS Base7.6
β
CRSSelect profile
CVE-2026-41015
7.4
radare2Multiple Products
radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP
CVSS Base7.4
β
CRSSelect profile
CVE-2026-40502
8.8
remoteMultiple Products
OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler
CVSS Base8.8
β
CRSSelect profile
CVE-2023-3634
8.8π Late Disclosure
UnknownMultiple Products
In products of the MSE6 product-family by Festo a remote authenticated, low privileged attacker could use functions of undocumented test mode which could lead to a complete loss of confidentiality, integrity and availability
CVSS Base8.8
β
CRSSelect profile
CVE-2026-4145
7.8
LenovoSoftware Fix
During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix that could allow a local authenticated user to perform arbitrary code execution with elevated privileges
CVSS Base7.8
β
CRSSelect profile
CVE-2024-33618
7.5π Late Disclosure
CentralVMS Central
Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12
CVSS Base7.5
β
CRSSelect profile
CVE-2026-5807
7.5
Progressoperation slot
Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot
CVSS Base7.5
β
CRSSelect profile
CVE-2026-41035
7.4
Linuxplatforms are
In rsync 3
CVSS Base7.4
β
CRSSelect profile
CVE-2026-4134
7.3
LenovoSoftware Fix
During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to execute code with elevated privileges
CVSS Base7.3
β
CRSSelect profile
CVE-2026-40744
8.5
Beaver Builder BeaverMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Blind SQL Injection
CVSS Base8.5
β
CRSSelect profile
CVE-2026-6351
7.5
LGMultiple Products
MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files
CVSS Base7.5
β
CRSSelect profile
CVE-2025-63029
7.6
WC Lovers WCFMMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace allows SQL Injection
CVSS Base7.6
β
CRSSelect profile
CVE-2025-40899
8.9
InforMultiple Products
A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter
CVSS Base8.9
β
CRSSelect profile
CVE-2026-34393
8.8
UnknownMultiple Products
Weblate is a web based localization tool
CVSS Base8.8
β
CRSSelect profile
CVE-2026-40316
8.8
GitHubMultiple Products
OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6348
8.8
UnknownMultiple Products
WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the environment where the agent is installed
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35569
8.7
SEOMultiple Products
ApostropheCMS is an open-source Node
CVSS Base8.7
β
CRSSelect profile
CVE-2026-40262
8.7
NoteMultiple Products
Note Mark is an open-source note-taking application
CVSS Base8.7
β
CRSSelect profile
CVE-2026-30617
8.6
itsMultiple Products
LangChain-ChatChat 0
CVSS Base8.6
β
CRSSelect profile
CVE-2026-30624
8.6
AgentMultiple Products
Agent Zero 0
CVSS Base8.6
β
CRSSelect profile
CVE-2026-22734
8.6
CloudMultiple Products
Cloud Foundry UUA isΒ vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems
CVSS Base8.6
β
CRSSelect profile
CVE-2026-40318
8.5
UnknownMultiple Products
SiYuan is an open-source personal knowledge management system
CVSS Base8.5
β
CRSSelect profile
CVE-2024-53412
8.4π Late Disclosure
NietThijmenMultiple Products
Command injection in the connect function in NietThijmen ShoppingCart 0
CVSS Base8.4
β
CRSSelect profile
CVE-2026-4857
8.4
IdentityIQMultiple Products
IdentityIQ 8
CVSS Base8.4
β
CRSSelect profile
CVE-2026-6442
8.3
priorMultiple Products
Improper validation of bash commands in Snowflake Cortex Code CLI versions prior to 1
CVSS Base8.3
β
CRSSelect profile
CVE-2025-40897
8.1π
IntelThreat Intelligence
An access control vulnerability in Intel's Threat Intelligence functionality allows users with view-only privileges to bypass intended restrictions.
CVSS Base8.1
β
CRSSelect profile
CVE-2026-40764
8.1
Syed Balkhi ContactMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery
CVSS Base8.1
β
CRSSelect profile
CVE-2026-40784
8.1
Mahmudul Hasan ArifMultiple Products
Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base8.1
β
CRSSelect profile
CVE-2026-40960
8.1
LuantiMultiple Products
Luanti 5 before 5
CVSS Base8.1
β
CRSSelect profile
CVE-2026-41113
8.1
qmailMultiple Products
sagredo qmail before 2026
CVSS Base8.1
β
CRSSelect profile
CVE-2026-40259
8.1
UnknownMultiple Products
SiYuan is an open-source personal knowledge management system
CVSS Base8.1
β
CRSSelect profile
CVE-2026-3605
8.1
UnknownMultiple Products
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service
CVSS Base8.1
β
CRSSelect profile
CVE-2026-30615
8
WindsurfMultiple Products
A prompt injection vulnerability in Windsurf 1
CVSS Base8
β
CRSSelect profile
CVE-2026-6290
8
priorMultiple Products
Velociraptor versions prior to 0
CVSS Base8
β
CRSSelect profile
CVE-2026-33435
8
UnknownMultiple Products
Weblate is a web based localization tool
CVSS Base8
β
CRSSelect profile
CVE-2026-22676
7.8
priorMultiple Products
Barracuda RMM versions prior toΒ 2025
CVSS Base7.8
β
CRSSelect profile
CVE-2026-22619
7.8π
IntelIntelligent Power Protector (IPP)
Eaton Intelligent Power Protector (IPP) is vulnerable to insecure library loading, which could allow an attacker with local access to achieve arbitrary code execution.
CVSS Base7.8
β
CRSSelect profile
CVE-2026-34242
7.7
UnknownMultiple Products
Weblate is a web based localization tool
CVSS Base7.7
β
CRSSelect profile
CVE-2026-30364
7.5
UnknownMultiple Products
CentSDR commit e40795 was discovered to contain a stack overflow in the "Thread1" function
CVSS Base7.5
β
CRSSelect profile
CVE-2026-6372
7.5
Plisio AcceptMultiple Products
Missing Authorization vulnerability in Plisio Accept Cryptocurrencies with Plisio allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base7.5
β
CRSSelect profile
CVE-2024-2374
7.5π Late Disclosure
UnknownMultiple Products
The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities
CVSS Base7.5
β
CRSSelect profile
CVE-2026-30656
7.5
UnknownMultiple Products
A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3
CVSS Base7.5
β
CRSSelect profile
CVE-2026-40170
7.5
UnknownMultiple Products
ngtcp2 is a C implementation of the IETF QUIC protocol
CVSS Base7.5
β
CRSSelect profile
CVE-2026-4525
7.5
UnknownMultiple Products
If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend
CVSS Base7.5
β
CRSSelect profile
CVE-2026-33667
7.4
UnknownMultiple Products
OpenProject is an open-source project management application