Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Today's Security Brief
Saturday's vulnerability disclosures highlight significant risks across EV charging infrastructure, video-sharing platforms, and enterprise collaboration tools. The day brought 13 critical CVEs, a 59% decrease from the prior day's 32, alongside 100 high-priority vulnerabilities holding steady. Multiple OCPP charging infrastructure flaws (CVE-2026-22552, CVE-2026-26051, CVE-2026-26288) scored 9.4 CVSS, while CVE-2026-29058 affecting AVideo scored 9.8 and CVE-2026-2446 targeting a WordPress plugin also reached 9.8. Attack patterns span remote code execution and authentication bypass across HP applications, SiYuan, and Chamilo LMS, with 15 actively exploited vulnerabilities including flaws in Zimbra, GitLab, Roundcube Webmail, and VMware Aria Operations. No patches are currently available for disclosed vulnerabilities, requiring organizations to prioritize compensating controls and network segmentation.
Three OCPP EV charging infrastructure vulnerabilities (CVSS 9.4) expose charging stations to remote exploitation
13 critical CVEs disclosed, down 59% from prior day's 32; 100 high-priority CVEs unchanged
WordPress plugin flaw CVE-2026-2446 and AVideo platform flaw CVE-2026-29058 both score CVSS 9.8
Remote code execution and authentication bypass patterns dominate across HP, SiYuan, and Chamilo LMS
0% patch availability across all disclosed vulnerabilities requires immediate compensating controls
Immediate action: Organizations using OCPP-based EV charging infrastructure, AVideo, WordPress, and Chamilo LMS should implement network segmentation and access restrictions immediately as no patches are available. Review exposure to actively exploited vulnerabilities in Zimbra, GitLab, Roundcube Webmail, and VMware Aria Operations, applying any existing mitigations or workarounds until vendor patches are released.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2020-7796
9.5π Late Disclosure
SynacorZimbra Collaboration Suite
β° Federal Deadline:March 9, 2026(3 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2024-7694
9.5π Late Disclosure
TeamT5ThreatSonar Anti-Ransomware
β° Federal Deadline:March 9, 2026(3 days remaining)
TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2008-0015
9.5π Late Disclosure
MicrosoftWindows
β° Federal Deadline:March 9, 2026(3 days remaining)
Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-2441
9.5π
GoogleChromium
β° Federal Deadline:March 9, 2026(3 days remaining)
Google Chrome is vulnerable to a "Use After Free" condition in its CSS engine, which could allow a remote attacker to execute arbitrary code via a crafted webpage.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2021-22175
9.5π Late Disclosure
GitLabGitLab
β° Federal Deadline:March 10, 2026(4 days remaining)
GitLab Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-49113
9.5
RoundcubeWebmail
β° Federal Deadline:March 12, 2026(6 days remaining)
RoundCube Webmail Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-68461
9.5
RoundcubeWebmail
β° Federal Deadline:March 12, 2026(6 days remaining)
RoundCube Webmail Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-25108
9.5π
Soliton Systems K.KFileZen
β° Federal Deadline:March 16, 2026(10 days remaining)
FileZen is affected by a high-severity OS command injection vulnerability that allows a threat actor to execute arbitrary commands on the underlying operating system.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-22719
9.5π
BroadcomVMware Aria Operations
β° Federal Deadline:March 23, 2026(17 days remaining)
VMware Aria Operations contains a command injection vulnerability that could allow an attacker to execute arbitrary commands on the affected system.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-21385
9.5π
QualcommMultiple Chipsets
β° Federal Deadline:March 23, 2026(17 days remaining)
A memory corruption vulnerability exists in memory allocation processes when handling specific alignments, potentially leading to arbitrary code execution or system instability.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2017-7921
9.5π Late Disclosure
HikvisionMultiple Products
β° Federal Deadline:March 25, 2026(19 days remaining)
Hikvision Multiple Products Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2021-22681
9.5π Late Disclosure
RockwellMultiple Products
β° Federal Deadline:March 25, 2026(19 days remaining)
Rockwell Multiple Products Insufficient Protected Credentials Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2023-43000
9.5π Late Disclosure
AppleMultiple Products
β° Federal Deadline:March 25, 2026(19 days remaining)
Apple Multiple products Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2021-30952
9.5π Late Disclosure
AppleMultiple Products
β° Federal Deadline:March 25, 2026(19 days remaining)
Apple Multiple Products Integer Overflow or Wraparound Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2023-41974
9.5π Late Disclosure
AppleiOS and iPadOS
β° Federal Deadline:March 25, 2026(19 days remaining)
Apple iOS and iPadOS Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2026-29789
9.9π
HPapplications into
Vito versions prior to 3.20.3 contain a missing authorization check in workflow site-creation actions, allowing authenticated attackers to manage sites on unauthorized servers.
CVSS Base9.9
β
CRSSelect profile
CVE-2026-28501
9.8π
HPand objects
WWBN AVideo prior to 24.0 is vulnerable to an unauthenticated SQL injection in multiple components due to improper sanitization of JSON-formatted POST request bodies.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-29183
9.3π
SiYuanSiYuan
SiYuan versions prior to 3.5.9 contain an unauthenticated reflected XSS vulnerability in the dynamic icon API endpoint, allowing JavaScript execution via crafted SVG outputs.
CVSS Base9.3
β
CRSSelect profile
CVE-2026-2446
9.8π
WordPressplugin before
The PowerPack for LearnDash WordPress plugin before 1.3.0 lacks authorization and CSRF checks in an AJAX action, allowing unauthenticated users to create admin accounts.
CVSS Base9.8
β
CRSSelect profile
CVE-2025-59542
9π
InforChamilo LMS
Chamilo LMS prior to 1.11.34 contains a stored XSS vulnerability in the learning path Settings field, allowing low-privileged trainers to hijack administrator accounts.
CVSS Base9
β
CRSSelect profile
CVE-2025-59543
9π
InforChamilo LMS
Chamilo LMS prior to 1.11.34 is vulnerable to stored XSS in the course description field, enabling authenticated trainers to capture administrator session tokens.
CVSS Base9
β
CRSSelect profile
CVE-2026-22552
9.4π
OCPP (Open Charge Point Protocol)WebSocket Endpoints
OCPP WebSocket endpoints lack authentication, allowing unauthenticated attackers to impersonate charging stations. This enables unauthorized control of charging infrastructure and data corruption.
CVSS Base9.4
β
CRSSelect profile
CVE-2026-26051
9.4π
UnknownOCPP Charging Infrastructure
Unauthenticated attackers can exploit missing authentication in WebSocket endpoints to impersonate charging stations and manipulate backend data via the OCPP protocol.
CVSS Base9.4
β
CRSSelect profile
CVE-2026-26288
9.4π
UnknownOCPP Charging Infrastructure
A lack of authentication in WebSocket endpoints allows unauthenticated attackers to impersonate charging stations, manipulate data, and issue unauthorized commands via the OCPP protocol.
CVSS Base9.4
β
CRSSelect profile
CVE-2026-29058
9.8π
AVideoVideo-sharing Platform
AVideo is vulnerable to unauthenticated command injection via the base64Url parameter. Attackers can execute arbitrary OS commands, leading to full server compromise.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-2331
9.8π
AppEngineFileaccess over HTTP
AppEngine's Fileaccess over HTTP feature lacks proper access restrictions, allowing unauthenticated read/write access to sensitive filesystem areas, including device parameters and Lua code.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-2330
9.4π
CROWNREST interface
The CROWN REST interface fails to enforce whitelists on internal testing directories. Unauthenticated attackers can upload manipulated parameter files to modify critical device settings.
CVSS Base9.4
β
CRSSelect profile
CVE-2026-28680
9.3π
GhostfolioGhostfolio
Ghostfolio versions prior to 2.245.0 are vulnerable to a full-read SSRF in the manual asset import feature, allowing attackers to exfiltrate cloud metadata and probe internal services.
CVSS Base9.3
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2026-26017
7.7
DNSMultiple Products
CoreDNS is a DNS server that chains plugins
CVSS Base7.7
β
CRSSelect profile
CVE-2026-25888
8.8π
ChartbrewChartbrew
Chartbrew, an open-source data visualization platform, contains a vulnerability that could allow unauthorized access to connected databases and APIs.
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3459
8.1
WordPressis vulnerable
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1
CVSS Base8.1
β
CRSSelect profile
CVE-2026-28469
7.5π
GoogleChat monitor
A webhook routing vulnerability in OpenClaw's Google Chat monitor allows cross-account policy misrouting. Attackers can bypass allowlists by exploiting first-match request verification semantics.
CVSS Base7.5
β
CRSSelect profile
CVE-2026-3589
7.5
WordPressplugin from
The WooCommerce WordPress plugin from versions 5
CVSS Base7.5
β
CRSSelect profile
CVE-2025-8899
8.8
WordPressis vulnerable
The Paid Videochat Turnkey Site β HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7
CVSS Base8.8
β
CRSSelect profile
CVE-2025-70616
7.8π
Diebold NixdorfwnBios64
A stack buffer overflow vulnerability in the Diebold Nixdorf (Wincor Nixdorf) wnBios64 component could allow for arbitrary code execution at the firmware level.
CVSS Base7.8
β
CRSSelect profile
CVE-2026-1720
8.8
WordPressis vulnerable
The WowOptin: Next-Gen Popup Maker β Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'install_and_active_plugin' function in all versions up to, and including, 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-29089
8.8
ArchMultiple Products
TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgres extension
CVSS Base8.8
β
CRSSelect profile
CVE-2026-28681
8.1
databaseMultiple Products
Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format
CVSS Base8.1
β
CRSSelect profile
CVE-2026-29091
8.1
LocutusMultiple Products
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes
CVSS Base8.1
β
CRSSelect profile
CVE-2018-25167
8.2π Late Disclosure
HPthat allows
Net-Billetterie 2
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25170
8.2π Late Disclosure
HPendpoint with
DoceboLMS 1
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25172
8.2π Late Disclosure
HPendpoint with
Pedidos 1
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25173
8.2π Late Disclosure
HPwith malicious
Rmedia SMS 1
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25175
8.2π Late Disclosure
HPwith SQL
Alienor Web Libre 2
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25182
8.2π Late Disclosure
HPwith crafted
Silurus Classifieds Script 2
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25189
8.2π Late Disclosure
HPthat allows
Data Center Audit 2
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25192
8.2π Late Disclosure
HPendpoint with
GPS Tracking System 2
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25194
8.2π Late Disclosure
HPendpoint with
Nominas 0
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25196
8.2π Late Disclosure
HPwith malicious
ServerZilla 1
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25197
8.2π Late Disclosure
HPwith option
PlayJoom 0
CVSS Base8.2
β
CRSSelect profile
CVE-2026-29093
8.1
HPto store
WWBN AVideo is an open source video platform
CVSS Base8.1
β
CRSSelect profile
CVE-2026-28479
7.5
Dockerand browser
OpenClaw versions prior to 2026
CVSS Base7.5
β
CRSSelect profile
CVE-2026-28429
7.5
HPcomponent can
Talishar is a fan-made Flesh and Blood project
CVSS Base7.5
β
CRSSelect profile
CVE-2018-25178
7.5π Late Disclosure
HPwith arbitrary
Easyndexer 1
CVSS Base7.5
β
CRSSelect profile
CVE-2026-29064
8.2π
KubernetesZarf
Zarf, an airgap native package manager for Kubernetes, contains a vulnerability that could compromise the integrity of package deployments in restricted environments.
CVSS Base8.2
β
CRSSelect profile
CVE-2026-29075
8.3π
Mesa ProjectMesa (Python Library)
The Mesa Python library for agent-based modeling contains a vulnerability that could allow for arbitrary code execution during the processing of simulation data.
CVSS Base8.3
β
CRSSelect profile
CVE-2026-28727
7.8
AcronisCyber Protect
Local privilege escalation due to insecure Unix socket permissions
CVSS Base7.8
β
CRSSelect profile
CVE-2026-28676
8.8
Archand generative
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI
CVSS Base8.8
β
CRSSelect profile
CVE-2025-70995
8.8
ASDKMultiple Products
An issue in Aranda Service Desk Web Edition (ASDK API 8
CVSS Base8.8
β
CRSSelect profile
CVE-2026-28683
8.7
sharingMultiple Products
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support
CVSS Base8.7
β
CRSSelect profile
CVE-2026-28677
8.2
Archand generative
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25166
8.2π Late Disclosure
Englishparameter
Meneame English Pligg 5
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25176
8.2π Late Disclosure
Aliveendpoint
Alive Parish 2
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25199
8.2π Late Disclosure
CMSparameter in
OOP CMS BLOG 1
CVSS Base8.2
β
CRSSelect profile
CVE-2025-70614
8.1
USSDMultiple Products
OpenCode Systems OC Messaging / USSD Gateway OC Release 6
CVSS Base8.1
β
CRSSelect profile
CVE-2026-28405
8
UnknownMultiple Products
MarkUs is a web application for the submission and grading of student assignments
CVSS Base8
β
CRSSelect profile
CVE-2026-28392
7.5π
Slackslash
OpenClaw versions prior to 2026.2.14 contain a privilege escalation flaw in the Slack slash-command handler that allows unauthorized users to execute privileged commands via direct messages.
CVSS Base7.5
β
CRSSelect profile
CVE-2026-28454
7.5
priorwebhook mode
OpenClaw versions prior to 2026
CVSS Base7.5
β
CRSSelect profile
CVE-2026-26418
7.5
ReconMultiple Products
Missing authentication and authorization in the web API of Tata Consultancy Services Cognix Recon Client v3
CVSS Base7.5
β
CRSSelect profile
CVE-2026-26999
7.5
TraefikMultiple Products
Traefik is an HTTP reverse proxy and load balancer
CVSS Base7.5
β
CRSSelect profile
CVE-2026-29054
7.5
TraefikMultiple Products
Traefik is an HTTP reverse proxy and load balancer
CVSS Base7.5
β
CRSSelect profile
CVE-2018-25171
8.2π Late Disclosure
InforMultiple Products
EdTv 2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter
CVSS Base8.2
β
CRSSelect profile
CVE-2026-27749
7.8π
AMDInternet Security
Avira Internet Security contains a deserialization of untrusted data vulnerability in the System Speedup component, potentially allowing for arbitrary code execution.
CVSS Base7.8
β
CRSSelect profile
CVE-2026-26416
8.8
ReconMultiple Products
An authorization bypass vulnerability in Tata Consultancy Services Cognix Recon Client v3
CVSS Base8.8
β
CRSSelect profile
CVE-2026-28210
8.8
UnknownMultiple Products
FreePBX is an open source IP PBX
CVSS Base8.8
β
CRSSelect profile
CVE-2026-28284
8.8
UnknownMultiple Products
FreePBX is an open source IP PBX
CVSS Base8.8
β
CRSSelect profile
CVE-2026-28287
8.8
UnknownMultiple Products
FreePBX is an open source IP PBX
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3047
8.8
UnknownMultiple Products
A flaw was found in org
CVSS Base8.8
β
CRSSelect profile
CVE-2026-29610
8.8
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base8.8
β
CRSSelect profile
CVE-2025-55289
8.8
ChamiloMultiple Products
Chamilo is a learning management system
CVSS Base8.8
β
CRSSelect profile
CVE-2026-29041
8.8
UnknownMultiple Products
Chamilo is a learning management system
CVSS Base8.8
β
CRSSelect profile
CVE-2025-15602
8.8
priorMultiple Products
Snipe-IT versions prior to 8
CVSS Base8.8
β
CRSSelect profile
CVE-2026-30223
8.8
UnknownMultiple Products
OliveTin gives access to predefined shell commands from a web interface
CVSS Base8.8
β
CRSSelect profile
CVE-2026-30823
8.8
UnknownMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base8.8
β
CRSSelect profile
CVE-2026-30840
8.8
notificationMultiple Products
Wallos is an open-source, self-hostable personal subscription tracker
CVSS Base8.8
β
CRSSelect profile
CVE-2026-26022
8.7
UnknownMultiple Products
Gogs is an open source self-hosted Git service
CVSS Base8.7
β
CRSSelect profile
CVE-2026-26125
8.6
PaymentMultiple Products
Payment Orchestrator Service Elevation of Privilege Vulnerability
CVSS Base8.6
β
CRSSelect profile
CVE-2026-28679
8.6
UnknownMultiple Products
Home-Gallery
CVSS Base8.6
β
CRSSelect profile
CVE-2026-28442
8.5
UnknownMultiple Products
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI
CVSS Base8.5
β
CRSSelect profile
CVE-2026-30242
8.5
UnknownMultiple Products
Plane is an an open-source project management tool
CVSS Base8.5
β
CRSSelect profile
CVE-2026-28463
8.4
UnknownMultiple Products
OpenClaw exec-approvals allowlist validation checks pre-expansion argv tokens but execution uses real shell expansion, allowing safe bins like head, tail, or grep to read arbitrary local files via glob patterns or environment variables
CVSS Base8.4
β
CRSSelect profile
CVE-2026-28485
8.4
OpenClawMultiple Products
OpenClaw versions 2026
CVSS Base8.4
β
CRSSelect profile
CVE-2026-28451
8.3
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base8.3
β
CRSSelect profile
CVE-2026-28476
8.3
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base8.3
β
CRSSelect profile
CVE-2026-28787
8.2
UnknownMultiple Products
OneUptime is a solution for monitoring and managing online services
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25161
8.2π Late Disclosure
TrackingMultiple Products
Warranty Tracking System 11
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25163
8.2π Late Disclosure
ZoomMultiple Products
BitZoom 1
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25179
8.2π Late Disclosure
GumboMultiple Products
Gumbo CMS 0
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25187
8.2π Late Disclosure
UnknownMultiple Products
Tina4 Stack 1
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25188
8.2π Late Disclosure
WebinessMultiple Products
Webiness Inventory 2
CVSS Base8.2
β
CRSSelect profile
CVE-2026-26417
8.1
ReconMultiple Products
A broken access control vulnerability in the password reset functionality of Tata Consultancy Services Cognix Recon Client v3
CVSS Base8.1
β
CRSSelect profile
CVE-2026-3009
8.1
UnknownMultiple Products
A security flaw in the IdentityBrokerService
CVSS Base8.1
β
CRSSelect profile
CVE-2026-28447
8.1
OpenClawMultiple Products
OpenClaw versions 2026
CVSS Base8.1
β
CRSSelect profile
CVE-2026-28458
8.1
OpenClawMultiple Products
OpenClaw version 2026
CVSS Base8.1
β
CRSSelect profile
CVE-2026-28472
8.1
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base8.1
β
CRSSelect profile
CVE-2026-28473
8.1
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base8.1
β
CRSSelect profile
CVE-2026-28710
8.1
LinuxMultiple Products
Sensitive information disclosure and manipulation due to improper authentication
CVSS Base8.1
β
CRSSelect profile
CVE-2025-59541
8.1
UnknownMultiple Products
Chamilo is a learning management system
CVSS Base8.1
β
CRSSelect profile
CVE-2026-27748
7.8π
AMDInternet Security
Avira Internet Security's Software Updater component contains an improper link resolution vulnerability that could allow for unauthorized file manipulation or privilege escalation.
CVSS Base7.8
β
CRSSelect profile
CVE-2026-27750
7.8
OptimizerMultiple Products
Avira Internet Security contains a time-of-check time-of-use (TOCTOU) vulnerability in the Optimizer component
CVSS Base7.8
β
CRSSelect profile
CVE-2026-28393
7.7
OpenClawMultiple Products
OpenClaw versions 2
CVSS Base7.7
β
CRSSelect profile
CVE-2026-28468
7.7
OpenClawMultiple Products
OpenClaw versions 2026
CVSS Base7.7
β
CRSSelect profile
CVE-2026-30822
7.7
UnknownMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base7.7
β
CRSSelect profile
CVE-2026-1605
7.5
UnknownMultiple Products
In Eclipse Jetty, versions 12
CVSS Base7.5
β
CRSSelect profile
CVE-2025-45691
7.5
UnknownMultiple Products
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0
CVSS Base7.5
β
CRSSelect profile
CVE-2026-28342
7.5
UnknownMultiple Products
OliveTin gives access to predefined shell commands from a web interface
CVSS Base7.5
β
CRSSelect profile
CVE-2026-28789
7.5
UnknownMultiple Products
OliveTin gives access to predefined shell commands from a web interface
CVSS Base7.5
β
CRSSelect profile
CVE-2026-28790
7.5
UnknownMultiple Products
OliveTin gives access to predefined shell commands from a web interface
CVSS Base7.5
β
CRSSelect profile
CVE-2025-70949
7.5
InforMultiple Products
An observable timing discrepancy in @perfood/couch-auth v0
CVSS Base7.5
β
CRSSelect profile
CVE-2026-28453
7.5
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base7.5
β
CRSSelect profile
CVE-2026-28462
7.5
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base7.5
β
CRSSelect profile
CVE-2026-28478
7.5
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base7.5
β
CRSSelect profile
CVE-2026-29609
7.5
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base7.5
β
CRSSelect profile
CVE-2026-29611
7.5
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base7.5
β
CRSSelect profile
CVE-2026-27778
7.5
UnknownMultiple Products
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests