Critical vulnerabilities, curated daily for security professionals
๐ฏ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
๐
Today's Security Brief
Tuesday's vulnerability disclosures reveal 24 critical-severity CVEs predominantly affecting D-Link DIR routers, ZKTeco ZKBioSecurity access control systems, and HP products. Critical CVEs jumped from 0 to 24 compared to the prior day, while high-priority vulnerabilities rose 135% to 94. Notable critical entries include CVE-2026-32621 (CVSS 9.9) in Arch Federation, four D-Link DIR router vulnerabilities (CVE-2026-4181 through 4184, all CVSS 9.8), and CVE-2025-62319 (CVSS 9.8) affecting multiple vendors. Attack patterns center on remote code execution and authentication bypass across network infrastructure and physical security systems, with 13 vulnerabilities confirmed under active exploitation including Ivanti EPM, VMware Aria Operations, and Google Chrome components. No patches are currently available for disclosed vulnerabilities, requiring organizations to prioritize compensating controls and network segmentation.
Four D-Link DIR router vulnerabilities (CVE-2026-4181 through 4184) rated CVSS 9.8 โ network infrastructure devices requiring immediate isolation
24 critical CVEs disclosed, up from 0 the prior day โ significant spike in high-severity activity
94 high-priority CVEs represent a 135% increase over the prior day's 40 disclosures
Remote code execution and authentication bypass dominate attack patterns across ZKTeco access control, HP systems, and Arch Federation (CVE-2026-32621, CVSS 9.9)
0% patch availability across all disclosed vulnerabilities โ compensating controls are the primary mitigation option
13 actively exploited vulnerabilities include Ivanti EPM, VMware Aria Operations, Qualcomm chipsets, and Google Chrome components
Immediate action: Prioritize network segmentation for exposed D-Link DIR routers, ZKTeco ZKBioSecurity deployments, and Ivanti Endpoint Manager instances given active exploitation and lack of available patches. Review exposure to Google Chrome (CVE-2026-3910, CVE-2026-3909) and VMware Aria Operations (CVE-2026-22719) as these carry confirmed exploitation activity โ apply compensating controls and monitor vendor advisories for forthcoming patches.
๐ก Tip: Swipe CVE cards left to โญ star, right to โ remove
Section Navigation
โ ๏ธ
CISA Known Exploited Vulnerabilities
โ ๏ธ CISA KEVURGENT
CVE-2021-22054
9.5๐ Late Disclosure
OmnissaWorkspace One UEM
โฐ Federal Deadline:March 22, 2026(6 days remaining)
Omnissa Workspace ONE Server-Side Request Forgery - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEVURGENT
CVE-2026-1603
9.5
Ivanti Endpoint Manager (EPM)
โฐ Federal Deadline:March 22, 2026(6 days remaining)
Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEVURGENT
CVE-2026-22719
9.5๐
BroadcomVMware Aria Operations
โฐ Federal Deadline:March 23, 2026(7 days remaining)
VMware Aria Operations contains a command injection vulnerability that could allow an attacker to execute arbitrary commands on the affected system.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEVURGENT
CVE-2026-21385
9.5๐
QualcommMultiple Chipsets
โฐ Federal Deadline:March 23, 2026(7 days remaining)
A memory corruption vulnerability exists in memory allocation processes when handling specific alignments, potentially leading to arbitrary code execution or system instability.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2025-68613
9.5๐
n8nn8n
โฐ Federal Deadline:March 24, 2026(8 days remaining)
n8n Improper Control of Dynamically-Managed Code Resources Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2017-7921
9.5๐ Late Disclosure
HikvisionMultiple Products
โฐ Federal Deadline:March 25, 2026(9 days remaining)
Hikvision Multiple Products Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2021-22681
9.5๐ Late Disclosure
RockwellMultiple Products
โฐ Federal Deadline:March 25, 2026(9 days remaining)
Rockwell Multiple Products Insufficient Protected Credentials Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2023-43000
9.5๐ Late Disclosure
AppleMultiple Products
โฐ Federal Deadline:March 25, 2026(9 days remaining)
Apple Multiple products Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2021-30952
9.5๐ Late Disclosure
AppleMultiple Products
โฐ Federal Deadline:March 25, 2026(9 days remaining)
Apple Multiple Products Integer Overflow or Wraparound Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2023-41974
9.5๐ Late Disclosure
AppleiOS and iPadOS
โฐ Federal Deadline:March 25, 2026(9 days remaining)
Apple iOS and iPadOS Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-3910
9.5๐
GoogleChromium V8
โฐ Federal Deadline:March 26, 2026(10 days remaining)
Google Chrome versions prior to 146 feature an inappropriate implementation in the V8 JavaScript engine that is currently being exploited in the wild to achieve code execution.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-3909
9.5๐
GoogleSkia
โฐ Federal Deadline:March 26, 2026(10 days remaining)
Google Chrome versions prior to 146 contain an out-of-bounds write vulnerability in the Skia graphics engine, which is currently being exploited in the wild.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2025-47813
9.5
Wing FTP ServerWing FTP Server
โฐ Federal Deadline:March 29, 2026(13 days remaining)
Wing FTP Server Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
๐จ
Critical Vulnerabilities
CVE-2016-20026
9.8๐๐ Late Disclosure
ArchZKBioSecurity
ZKTeco ZKBioSecurity 3.0 uses hardcoded credentials in its bundled Apache Tomcat server, allowing unauthenticated attackers to execute arbitrary code with SYSTEM privileges.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-4170
9.8
HPof the
A weakness has been identified in Topsec TopACM 3.0. Affected by this vulnerability is an unknown functionality of the file /view/systemConfig/management/nmc_sync.php of the component HTTP Request Handler. Executing a manipulation of the argument template_path can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-32621
9.9๐
ArchFederation
A prototype pollution vulnerability in Apollo Federation's query plan execution allows attackers to pollute Object.prototype, potentially leading to remote code execution or denial of service.
CVSS Base9.9
โ
CRSSelect profile
CVE-2025-62319
9.8๐
Multiple VendorsMultiple Products
A Boolean-based SQL injection vulnerability allows unauthenticated attackers to manipulate backend configuration queries by injecting malicious SQL conditions into application input fields.
CVSS Base9.8
โ
CRSSelect profile
CVE-2016-20030
9.8๐๐ Late Disclosure
ZKTecoZKBioSecurity
ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability in the authLoginAction!login.do script, allowing unauthenticated attackers to discover valid usernames.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-23489
9.1
HPcode from
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3.
CVSS Base9.1
โ
CRSSelect profile
CVE-2026-4181
9.8
D-LinkDIR
A security flaw has been discovered in D-Link DIR-816 1.10CNB05. This affects an unknown function of the file /goform/form2RepeaterStep2.cgi of the component goahead. The manipulation of the argument key1/key2/key3/key4/pskValue results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-4182
9.8
D-LinkDIR
A weakness has been identified in D-Link DIR-816 1.10CNB05. This impacts an unknown function of the file /goform/form2Wl5RepeaterStep2.cgi of the component goahead. This manipulation of the argument key1/key2/key3/key4/pskValue causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-4183
9.8
D-LinkDIR
A security vulnerability has been detected in D-Link DIR-816 1.10CNB05. Affected is an unknown function of the file /goform/form2WlanBasicSetup.cgi of the component goahead. Such manipulation of the argument pskValue leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-4184
9.8
D-LinkDIR
A vulnerability was detected in D-Link DIR-816 1.10CNB05. Affected by this vulnerability is an unknown functionality of the file /goform/form2Wl5BasicSetup.cgi of the component goahead. Performing a manipulation of the argument pskValue results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-4254
9.8
TendaAC8 up
A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the component HTTP Endpoint. This manipulation of the argument local_2c causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-4252
9.8
TendaAC8
A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function check_is_ipv6 of the component IPv6 Handler. The manipulation leads to reliance on ip address for authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-27962
9.1๐
authlibAuthlib
A JWK Header Injection vulnerability in Authlib's JWS implementation allows unauthenticated attackers to forge arbitrary JWT tokens by embedding a malicious public key in the header.
CVSS Base9.1
โ
CRSSelect profile
CVE-2017-20224
9.8๐๐ Late Disclosure
TelesquareSKT LTE Router SDT-CS3B1
An unauthenticated arbitrary file upload vulnerability in the Telesquare SDT-CS3B1 router allows attackers to execute remote code or delete files by exploiting enabled WebDAV HTTP methods.
CVSS Base9.8
โ
CRSSelect profile
CVE-2025-15060
9.8๐
claude-hovercraftclaude-hovercraft
A command injection vulnerability in the executeClaudeCode method of claude-hovercraft allows unauthenticated remote attackers to execute arbitrary code.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-32626
9.6๐
the chatAnythingLLM Desktop
A Streaming Phase XSS in AnythingLLM Desktop's chat pipeline escalates to Remote Code Execution (RCE) on the host OS due to insecure Electron configurations and lack of sanitization.
CVSS Base9.6
โ
CRSSelect profile
CVE-2017-20223
9.8๐๐ Late Disclosure
InforSKT LTE Router SDT-CS3B1
An Insecure Direct Object Reference (IDOR) vulnerability in Telesquare SDT-CS3B1 routers allows attackers to bypass authorization and access sensitive resources by manipulating input parameters.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-4163
9.8๐
WavlinkWL-WN579A3
A command injection vulnerability in the SetName/GuestWifi function of Wavlink WL-WN579A3 firmware allows remote attackers to execute arbitrary commands via POST requests.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-4164
9.8๐
WavlinkWL-WN578W2
Wavlink WL-WN578W2 firmware contains a command injection vulnerability in the Delete_Mac_list/SetName/GuestWifi functions, enabling remote attackers to execute arbitrary commands.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-4312
9.8๐
DrangSoftGCB/FCB Audit Software
A missing authentication vulnerability in DrangSoft GCB/FCB Audit Software allows unauthenticated remote attackers to create unauthorized administrative accounts via exposed APIs.
CVSS Base9.8
โ
CRSSelect profile
CVE-2016-20024
9.8๐๐ Late Disclosure
ZKTecoZKTime.Net
ZKTeco ZKTime.Net 3.0.1.6 contains insecure file permissions that allow unprivileged users to escalate privileges by replacing executable files with malicious binaries.
CVSS Base9.8
โ
CRSSelect profile
CVE-2025-69246
9.8๐
RaythaRaytha CMS
Raytha CMS lacks brute force protection, allowing unauthenticated attackers to perform unlimited automated login attempts without triggering lockouts or throttling.
CVSS Base9.8
โ
CRSSelect profile
CVE-2025-69809
9.8๐
p2r3Bareiron
A write-what-where condition in p2r3 Bareiron allows unauthenticated attackers to execute arbitrary code by sending a crafted packet that writes arbitrary values to memory.
CVSS Base9.8
โ
CRSSelect profile
CVE-2025-69808
9.1
InforMultiple Products
An out-of-bounds memory access (OOB) in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to access sensitive information and cause a Denial of Service (DoS) via supplying a crafted packet.
CVSS Base9.1
โ
CRSSelect profile
โ ๏ธ
High Priority Updates
CVE-2026-2579
7.5
WordPressis vulnerable
The WowStore โ Store Builder & Product Blocks for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the โsearchโ parameter in all versions up to, and including, 4
The NEX-Forms โ Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-4269
7.5
UnknownMultiple Products
A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0
A weakness has been identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-4212
8.8
D-LinkDNS
A security vulnerability has been detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-4213
8.8
D-LinkDNS
A vulnerability was detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-4214
8.8
D-LinkDNS
A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-4194
7.3
D-LinkDNS
A vulnerability was detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-4223
7.3
HPMultiple Products
A vulnerability was identified in itsourcecode Payroll Management System 1
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-4235
7.3
HPMultiple Products
A weakness has been identified in itsourcecode Online Enrollment System 1
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-4237
7.3
HPMultiple Products
A flaw has been found in itsourcecode Free Hotel Reservation System 1
GROWI OpenAI thread/message API endpoints do not perform authorization
CVSS Base8.3
โ
CRSSelect profile
CVE-2017-20218
7.8๐ Late Disclosure
Serviiopath vulnerability
Serviio PRO 1
CVSS Base7.8
โ
CRSSelect profile
CVE-2026-4180
7.3
D-LinkDIR
A vulnerability was identified in D-Link DIR-816 1
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-4193
7.3
D-LinkDIR
A security vulnerability has been detected in D-Link DIR-823G 1
CVSS Base7.3
โ
CRSSelect profile
CVE-2017-20222
7.5๐ Late Disclosure
softwareMultiple Products
Telesquare SKT LTE Router SDT-CS3B1 software version 1
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-4190
7.3
UnknownMultiple Products
A vulnerability was detected in JawherKl node-api-postgres up to 2
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-4191
7.3
UnknownMultiple Products
A flaw has been found in JawherKl node-api-postgres up to 2
CVSS Base7.3
โ
CRSSelect profile
CVE-2016-20025
8.8๐ Late Disclosure
ZKAccessMultiple Products
ZKTeco ZKAccess Professional 3
CVSS Base8.8
โ
CRSSelect profile
CVE-2016-20034
8.8๐ Late Disclosure
StreamingMultiple Products
Wowza Streaming Engine 4
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-69240
8.8
RaythaMultiple Products
Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-28519
8.8
beforeMultiple Products
arduino-TuyaOpen before version 1
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-4167
8.8
UnknownMultiple Products
A vulnerability was determined in Belkin F9K1122 1
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-4226
8.8
UnknownMultiple Products
A weakness has been identified in LB-LINK BL-WR9000 2
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-4227
8.8
UnknownMultiple Products
A security vulnerability has been detected in LB-LINK BL-WR9000 2
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-69784
8.8
theMultiple Products
A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-30881
8.8
statisticsMultiple Products
Chamilo LMS is a learning management system
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-32627
8.7
UnknownMultiple Products
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library
CVSS Base8.7
โ
CRSSelect profile
CVE-2026-28520
8.4
beforeMultiple Products
arduino-TuyaOpen before version 1
CVSS Base8.4
โ
CRSSelect profile
CVE-2026-0708
8.3
UnknownMultiple Products
A flaw was found in libucl
CVSS Base8.3
โ
CRSSelect profile
CVE-2015-20120
8.2๐ Late Disclosure
VenturesMultiple Products
Next Click Ventures RealtyScript 4
CVSS Base8.2
โ
CRSSelect profile
CVE-2026-32600
8.2
UnknownMultiple Products
xml-security is a library that implements XML signatures and encryption
CVSS Base8.2
โ
CRSSelect profile
CVE-2026-32616
8.2
UnknownMultiple Products
Pigeon is a message board/notepad/social system/blog
CVSS Base8.2
โ
CRSSelect profile
CVE-2026-32729
8.1
UnknownMultiple Products
Runtipi is a personal homeserver orchestrator
CVSS Base8.1
โ
CRSSelect profile
CVE-2016-20033
7.8๐ Late Disclosure
StreamingMultiple Products
Wowza Streaming Engine 4
CVSS Base7.8
โ
CRSSelect profile
CVE-2026-32708
7.8
UnknownMultiple Products
PX4 autopilot is a flight control solution for drones
CVSS Base7.8
โ
CRSSelect profile
CVE-2026-3081
7.8
UnknownMultiple Products
GStreamer H
CVSS Base7.8
โ
CRSSelect profile
CVE-2026-3084
7.8
UnknownMultiple Products
GStreamer H
CVSS Base7.8
โ
CRSSelect profile
CVE-2026-3086
7.8
UnknownMultiple Products
GStreamer H
CVSS Base7.8
โ
CRSSelect profile
CVE-2026-3476
7.8
fromMultiple Products
A Code Injection vulnerability affecting SOLIDWORKS Desktop from Release 2025 through Release 2026 could allow an attacker to execute arbitrary code on the user's machine while opening a specially crafted file
CVSS Base7.8
โ
CRSSelect profile
CVE-2026-28521
7.7
beforeMultiple Products
arduino-TuyaOpen before version 1
CVSS Base7.7
โ
CRSSelect profile
CVE-2026-2476
7.6
MattermostMultiple Products
Mattermost Plugins versions <=2
CVSS Base7.6
โ
CRSSelect profile
CVE-2013-20006
7.5๐ Late Disclosure
QoolMultiple Products
Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users
CVSS Base7.5
โ
CRSSelect profile
CVE-2017-20217
7.5๐ Late Disclosure
ServiioMultiple Products
Serviio PRO 1
CVSS Base7.5
โ
CRSSelect profile
CVE-2017-20220
7.5๐ Late Disclosure
ServiioMultiple Products
Serviio PRO 1
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-14287
7.5
UnknownMultiple Products
A command injection vulnerability exists in mlflow/mlflow versions before v3
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-24458
7.5
MattermostMultiple Products
Mattermost versions 11
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-2493
7.5
InforMultiple Products
IceWarp collaboration Directory Traversal Information Disclosure Vulnerability
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-32614
7.5
LGMultiple Products
Go ShangMi (Commercial Cryptography) Library (GMSM) is a cryptographic library that covers the Chinese commercial cryptographic public algorithms SM2/SM3/SM4/SM9/ZUC
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-32775
7.4
libexifMultiple Products
libexif through 0
CVSS Base7.4
โ
CRSSelect profile
CVE-2026-4200
7.3
UnknownMultiple Products
A security flaw has been discovered in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-4201
7.3
InforMultiple Products
A weakness has been identified in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-4220
7.3
ManagementMultiple Products
A vulnerability has been found in Technologies Integrated Management Platform 7
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-4221
7.3
ManagementMultiple Products
A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-4231
7.3
UnknownMultiple Products
A vulnerability was found in vanna-ai vanna up to 2
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-4232
7.3
ManagementMultiple Products
A vulnerability was determined in Tiandy Integrated Management Platform 7
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-4236
7.3
EnrollmentMultiple Products
A security vulnerability has been detected in itsourcecode Online Enrollment System 1
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-4287
7.3
ManagementMultiple Products
A security flaw has been discovered in Tiandy Easy7 Integrated Management Platform 7
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-4288
7.3
ManagementMultiple Products
A weakness has been identified in Tiandy Easy7 Integrated Management Platform 7
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-4289
7.3
UnknownMultiple Products
A security vulnerability has been detected in Tiandy Easy7 Integrated Management Platform up to 7
CVSS Base7.3
โ
CRSSelect profile
CVE-2016-20032
7.2๐ Late Disclosure
SecurityMultiple Products
ZKTeco ZKAccess Security System 5
CVSS Base7.2
โ
CRSSelect profile
CVE-2026-31386
7.2
UnknownMultiple Products
OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability
CVSS Base7.2
โ
CRSSelect profile
CVE-2026-4172
7.2
UnknownMultiple Products
A vulnerability was detected in TRENDnet TEW-632BRP 1
CVSS Base7.2
โ
CRSSelect profile
CVE-2026-26133
7.1
InforMultiple Products
AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network
CVSS Base7.1
โ
CRSSelect profile
CVE-2026-32617
7.1
UnknownMultiple Products
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting
CVSS Base7.1
โ
CRSSelect profile
CVE-2026-32706
7.1
UnknownMultiple Products
PX4 autopilot is a flight control solution for drones
CVSS Base7.1
โ
CRSSelect profile
CVE-2026-25369
7.1
FlexmlsMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Flexmls Flexmlsยฎ IDX allows Reflected XSS