Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Saturday's vulnerability disclosures highlight critical flaws across enterprise infrastructure, with Oracle Identity Manager (CVE-2026-21992, CVSS 9.8), WordPress (CVE-2026-3584, CVSS 9.8), and SiYuan (CVE-2026-32938, CVSS 9.9) among the most severe. The day saw 20 critical vulnerabilities, down 35% from Friday's 31, while 100 high-priority CVEs remained steady. Cisco Secure Firewall Management Center (CVE-2026-20131), Ivanti Endpoint Manager (CVE-2026-1603), and Broadcom VMware Aria Operations (CVE-2026-22719) are confirmed under active exploitation. Google Chrome V8 and Skia components also have actively exploited flaws, alongside legacy vulnerabilities in Apple and Hikvision products resurfacing in exploit activity. No patches are currently available for the disclosed vulnerabilities, requiring defenders to prioritize compensating controls and monitoring.
SiYuan note-taking platform carries the highest severity score at CVSS 9.9, with Oracle Identity Manager and WordPress both rated 9.8
20 critical CVEs disclosed, a 35% decrease from Friday's 31 critical vulnerabilities
100 high-priority CVEs remain consistent with the prior day's volume
Remote code execution and authentication bypass dominate attack patterns across HP endpoints, Arch Xerte Online Toolkits, and Discord bot integrations
Patch availability stands at 0% â no vendor fixes are currently released for Saturday's disclosures
20 vulnerabilities are confirmed actively exploited, up 25% from Friday, spanning Cisco, Ivanti, Google Chrome, Apple, and Qualcomm
Immediate action: Prioritize network-level mitigations for Cisco FMC, Ivanti EPM, and VMware Aria Operations environments where active exploitation is confirmed. With 0% patch availability, implement compensating controls including network segmentation, enhanced logging, and access restrictions for affected systems â particularly Oracle Identity Manager and WordPress deployments â until vendor patches are released.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2026-20131
9.5đ
CiscoSecure Firewall Management Center (FMC)
â° Federal Deadline:March 21, 2026(1 days remaining)
A critical insecure deserialization flaw in the Cisco FMC web interface allows unauthenticated remote attackers to execute arbitrary Java code with root privileges via crafted serial objects.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2021-22054
9.5đ Late Disclosure
OmnissaWorkspace One UEM
â° Federal Deadline:March 22, 2026(2 days remaining)
Omnissa Workspace ONE Server-Side Request Forgery - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-1603
9.5
Ivanti Endpoint Manager (EPM)
â° Federal Deadline:March 22, 2026(2 days remaining)
Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-22719
9.5đ
BroadcomVMware Aria Operations
â° Federal Deadline:March 23, 2026(3 days remaining)
VMware Aria Operations contains a command injection vulnerability that could allow an attacker to execute arbitrary commands on the affected system.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-21385
9.5đ
QualcommMultiple Chipsets
â° Federal Deadline:March 23, 2026(3 days remaining)
A memory corruption vulnerability exists in memory allocation processes when handling specific alignments, potentially leading to arbitrary code execution or system instability.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-68613
9.5đ
n8nn8n
â° Federal Deadline:March 24, 2026(4 days remaining)
n8n Improper Control of Dynamically-Managed Code Resources Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2017-7921
9.5đ Late Disclosure
HikvisionMultiple Products
â° Federal Deadline:March 25, 2026(5 days remaining)
Hikvision Multiple Products Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2021-22681
9.5đ Late Disclosure
RockwellMultiple Products
â° Federal Deadline:March 25, 2026(5 days remaining)
Rockwell Multiple Products Insufficient Protected Credentials Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2023-43000
9.5đ Late Disclosure
AppleMultiple Products
â° Federal Deadline:March 25, 2026(5 days remaining)
Apple Multiple products Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2021-30952
9.5đ Late Disclosure
AppleMultiple Products
â° Federal Deadline:March 25, 2026(5 days remaining)
Apple Multiple Products Integer Overflow or Wraparound Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2023-41974
9.5đ Late Disclosure
AppleiOS and iPadOS
â° Federal Deadline:March 25, 2026(5 days remaining)
Apple iOS and iPadOS Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-3910
9.5đ
GoogleChromium V8
â° Federal Deadline:March 26, 2026(6 days remaining)
Google Chrome versions prior to 146 feature an inappropriate implementation in the V8 JavaScript engine that is currently being exploited in the wild to achieve code execution.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-3909
9.5đ
GoogleSkia
â° Federal Deadline:March 26, 2026(6 days remaining)
Google Chrome versions prior to 146 contain an out-of-bounds write vulnerability in the Skia graphics engine, which is currently being exploited in the wild.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-47813
9.5
Wing FTP ServerWing FTP Server
â° Federal Deadline:March 29, 2026(9 days remaining)
Wing FTP Server Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-66376
9.5
SynacorZimbra Collaboration Suite (ZCS)
â° Federal Deadline:March 31, 2026(11 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-32432
9.5
Craft CMSCraft CMS
â° Federal Deadline:April 2, 2026(13 days remaining)
Craft CMS Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-54068
9.5
LaravelLivewire
â° Federal Deadline:April 2, 2026(13 days remaining)
Laravel Livewire Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-43510
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(13 days remaining)
Apple Multiple Products Improper Locking Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-43520
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(13 days remaining)
Apple Multiple Products Classic Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-31277
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(13 days remaining)
Apple Multiple Products Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2026-33134
9.3đ
HPendpoint
WeGIA versions 3.6.5 and below contain an authenticated SQL injection vulnerability in the restaurar_produto.php endpoint, potentially leading to full database compromise.
CVSS Base9.3
â
CRSSelect profile
CVE-2026-33135
9.3đ
HPendpoint
WeGIA versions 3.6.6 and below are vulnerable to Reflected Cross-Site Scripting (XSS) in the novo_memorandoo.php endpoint, allowing arbitrary JavaScript execution in user browsers.
CVSS Base9.3
â
CRSSelect profile
CVE-2026-33136
9.3đ
HPendpoint
A Reflected XSS vulnerability in WeGIA's listar_memorandos_ativos.php endpoint allows attackers to inject malicious JavaScript via the sccd GET parameter.
CVSS Base9.3
â
CRSSelect profile
CVE-2026-32767
9.8đ
Archendpoint bypasses
SiYuan versions 3.6.0 and below contain an authorization bypass in the search endpoint, allowing authenticated users to execute arbitrary SQL statements against the underlying SQLite database.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-3584
9.8đ
WordPressis vulnerable
The Kali Forms WordPress plugin is vulnerable to Remote Code Execution (RCE) via the form_process function, allowing unauthenticated attackers to execute arbitrary code.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-32938
9.9đ
SiYuanSiYuan
SiYuan versions 3.6.0 and below are vulnerable to path traversal and sensitive file exfiltration via improper validation of file:// links in pasted HTML.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-32985
9.8đ
ArchXerte Online Toolkits
Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability, enabling remote code execution via malicious ZIP archives.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-21992
9.8đ
OracleIdentity Manager
A critical vulnerability in Oracle Identity Manager and Web Services Manager allows unauthenticated network-based takeover via HTTP.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-32890
9.6đ
Discordbot for
Anchorr versions 1.4.1 and below suffer from a stored XSS vulnerability in the User Mapping dropdown, enabling unauthenticated attackers to exfiltrate critical secrets and API keys.
CVSS Base9.6
â
CRSSelect profile
CVE-2026-32817
9.1đ
HPonly perform
Admidio versions 5.0.0 through 5.0.6 fail to validate delete permissions and CSRF tokens in the documents module, allowing unauthenticated or low-privileged users to delete files.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-32940
9.3đ
SiYuanSiYuan
SiYuan versions 3.6.0 and below contain a click-through XSS vulnerability in the dynamic icon API due to incomplete SVG sanitization.
CVSS Base9.3
â
CRSSelect profile
CVE-2026-32891
9đ
Discordbot for
Anchorr versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector, allowing for full administrative session takeover and service-wide credential theft.
CVSS Base9
â
CRSSelect profile
CVE-2026-4038
9.8đ
WordPressis vulnerable
The Aimogen Pro plugin for WordPress allows unauthenticated arbitrary function calls. Attackers can exploit this to change the default user role to administrator and gain full site control.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-33186
9.1đ
GooglegRPC-Go
gRPC-Go versions prior to 1.79.3 are vulnerable to an authorization bypass due to improper input validation of HTTP/2 :path pseudo-headers, allowing attackers to circumvent path-based security rules.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-33057
9.8đ
MesopMesop
Mesop versions 1.2.2 and below contain an unauthenticated remote code execution (RCE) vulnerability in a debugging endpoint within the AI testing module.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-33054
10đ
MesopMesop
Mesop versions 1.2.2 and below are vulnerable to path traversal, allowing unauthorized users to manipulate or delete arbitrary files on the host disk.
CVSS Base10
â
CRSSelect profile
CVE-2026-22172
9.9đ
OpenClaw versionsOpenClaw
OpenClaw versions prior to 2026.3.12 suffer from an authorization bypass in the WebSocket path, allowing authenticated users to self-declare administrative privileges.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-25192
9.4đ
OCPP InfrastructureWebSocket Endpoint
WebSocket endpoints in OCPP-compliant charging infrastructure lack authentication, allowing unauthenticated attackers to impersonate charging stations and manipulate backend data.
CVSS Base9.4
â
CRSSelect profile
CVE-2026-29796
9.4đ
OCPP InfrastructureWebSocket Endpoint
A critical authentication flaw in OCPP WebSocket endpoints allows unauthenticated attackers to impersonate charging stations and manipulate backend commands and data.
CVSS Base9.4
â
CRSSelect profile
CVE-2026-24060
9.1đ
InforWebCTRL / BACnet
Service information in WebCTRL is transmitted unencrypted over BACnet, allowing attackers to sniff, intercept, and modify sensitive PLC update data and file positions.
CVSS Base9.1
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2026-4456
8.8
GoogleChrome prior
Use after free in Digital Credentials API in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-22324
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-4441
8.8
GoogleChrome prior
Use after free in Base in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4442
8.8
GoogleChrome prior
Heap buffer overflow in CSS in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4443
8.8
GoogleChrome prior
Heap buffer overflow in WebAudio in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4444
8.8
GoogleChrome prior
Stack buffer overflow in WebRTC in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4445
8.8
GoogleChrome prior
Use after free in WebRTC in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4446
8.8
GoogleChrome prior
Use after free in WebRTC in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4448
8.8
GoogleChrome prior
Heap buffer overflow in ANGLE in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4449
8.8
GoogleChrome prior
Use after free in Blink in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4454
8.8
GoogleChrome prior
Use after free in Network in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4455
8.8
GoogleChrome prior
Heap buffer overflow in PDFium in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4458
8.8
GoogleChrome prior
Use after free in Extensions in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4463
8.8
GoogleChrome prior
Heap buffer overflow in WebRTC in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4439
8.8
GoogleChrome on
Out of bounds memory access in WebGL in Google Chrome on Android prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4440
8.8
GoogleChrome prior
Out of bounds read and write in WebGL in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4447
8.8
GoogleChrome prior
Inappropriate implementation in V8 in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4450
8.8
GoogleChrome prior
Out of bounds write in V8 in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4451
8.8
GoogleChrome prior
Insufficient validation of untrusted input in Navigation in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4452
8.8
GoogleChrome on
Integer overflow in ANGLE in Google Chrome on Windows prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4457
8.8
GoogleChrome prior
Type Confusion in V8 in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4459
8.8
GoogleChrome prior
Out of bounds read and write in WebAudio in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4460
8.8
GoogleChrome prior
Out of bounds read in Skia in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4461
8.8
GoogleChrome prior
Inappropriate implementation in V8 in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4462
8.8
GoogleChrome prior
Out of bounds read in Blink in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4464
8.8
GoogleChrome prior
Integer overflow in ANGLE in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32888
8.8
Archfunctionality
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework
CVSS Base8.8
â
CRSSelect profile
CVE-2026-23658
8.6
AzureDevOps allows
Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network
CVSS Base8.6
â
CRSSelect profile
CVE-2026-23659
8.6
AzureData Factory
Exposure of sensitive information to an unauthorized actor in Azure Data Factory allows an unauthorized attacker to disclose information over a network
CVSS Base8.6
â
CRSSelect profile
CVE-2026-26138
8.6
MicrosoftPurview allows
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network
CVSS Base8.6
â
CRSSelect profile
CVE-2026-26139
8.6
MicrosoftPurview allows
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network
CVSS Base8.6
â
CRSSelect profile
CVE-2026-32710
8.5
MariaDBserver
MariaDB server is a community developed fork of MySQL server
CVSS Base8.5
â
CRSSelect profile
CVE-2026-32763
8.2
MySQLand SQLite
Kysely is a type-safe TypeScript SQL query builder
CVSS Base8.2
â
CRSSelect profile
CVE-2026-29096
8.1
MySQLwith FILE
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS Base8.1
â
CRSSelect profile
CVE-2026-3334
8.8
WordPressis vulnerable
The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4261
8.8
WordPressis vulnerable
The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33226
8.7
KubernetesAPIs
Budibase is a low code platform for creating internal tools, workflows, and admin panels
CVSS Base8.7
â
CRSSelect profile
CVE-2026-26137
8.9đ
Microsoft365 Copilot Business Chat
A Server-Side Request Forgery (SSRF) vulnerability in Microsoft 365 Copilot's Business Chat allows an authenticated attacker to elevate privileges across a network.
CVSS Base8.9
â
CRSSelect profile
CVE-2026-2941
8.8
WordPressis vulnerable
The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all versions up to, and including, 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-1313
8.3
WordPressis vulnerable
The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3
CVSS Base8.3
â
CRSSelect profile
CVE-2025-14037
8.1
WordPressis vulnerable
The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1
CVSS Base8.1
â
CRSSelect profile
CVE-2026-4342
8.8
Nginxwhere
A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32756
8.8
HPscripts
Admidio is an open-source user management solution
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33039
8.6
HPendpoint validates
WWBN AVideo is an open source video platform
CVSS Base8.6
â
CRSSelect profile
CVE-2026-32317
7.6
transparentMultiple Products
Cryptomator for Android offers multi-platform transparent client-side encryption for files in the cloud
CVSS Base7.6
â
CRSSelect profile
CVE-2026-32318
7.6
transparentMultiple Products
Cryptomator for IOS offers multi-platform transparent client-side encryption for files in the cloud
CVSS Base7.6
â
CRSSelect profile
CVE-2026-33037
8.1
Dockerdeployment files
WWBN AVideo is an open source video platform
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33038
8.1
HPendpoint
WWBN AVideo is an open source video platform
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33043
8.1
HPexposes the
WWBN AVideo is an open source video platform
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33236
8.1
Archand development
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing
CVSS Base8.1
â
CRSSelect profile
CVE-2026-29099
8.8
HPMultiple Products
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33346
8.7
HPMultiple Products
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base8.7
â
CRSSelect profile
CVE-2026-32808
8.1
downloadMultiple Products
pyLoad is a free and open-source download manager written in Python
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33289
8.8
Archfilter
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4486
8.8
D-LinkDIR
A vulnerability was found in D-Link DIR-513 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4489
8.8
TendaA18 Pro
A vulnerability was detected in Tenda A18 Pro 02
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4490
8.8
TendaA18 Pro
A flaw has been found in Tenda A18 Pro 02
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4491
8.8
TendaA18 Pro
A vulnerability has been found in Tenda A18 Pro 02
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4492
8.8
TendaA18 Pro
A vulnerability was found in Tenda A18 Pro 02
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4493
8.8
TendaA18 Pro
A vulnerability was determined in Tenda A18 Pro 02
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32711
7.8
UnknownMultiple Products
pydicom is a pure Python package for working with DICOM files
CVSS Base7.8
â
CRSSelect profile
CVE-2026-25086
7.7
UnderMultiple Products
Under certain conditions, an attacker could bind to the same port used
by WebCTRL
CVSS Base7.7
â
CRSSelect profile
CVE-2026-33150
7.8
LinuxFUSE
libfuse is the reference implementation of the Linux FUSE
CVSS Base7.8
â
CRSSelect profile
CVE-2026-32811
8.2
UnknownMultiple Products
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service
CVSS Base8.2
â
CRSSelect profile
CVE-2026-27625
8.1
UnknownMultiple Products
Stirling-PDF is a locally hosted web application that performs various operations on PDF files
CVSS Base8.1
â
CRSSelect profile
CVE-2026-25445
8.8
Membership SoftwareMultiple Products
Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2026-22731
8.2
SpringMultiple Products
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path
CVSS Base8.2
â
CRSSelect profile
CVE-2026-22733
8.2
SpringMultiple Products
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints
CVSS Base8.2
â
CRSSelect profile
CVE-2026-22558
7.7
UnknownMultiple Products
An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges
CVSS Base7.7
â
CRSSelect profile
CVE-2025-71260
8.8
ITSMMultiple Products
BMC FootPrints ITSM versions 20
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32013
8.8
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33288
8.8
UnknownMultiple Products
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33053
8.8
UnknownMultiple Products
Langflow is a tool for building and deploying AI-powered agents and workflows
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4475
8.8
HomeMultiple Products
A vulnerability has been found in Yi Technology YI Home Camera 2 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4487
8.8
UTTMultiple Products
A vulnerability was determined in UTT HiPER 1200GW up to 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32989
8.8
IntranetMultiple Products
Precurio Intranet Portal 4
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4488
8.8
UTTMultiple Products
A vulnerability was identified in UTT HiPER 1250GW up to 3
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32042
8.8
OpenClawMultiple Products
OpenClaw versions 2026
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32051
8.8
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33172
8.7
SVGMultiple Products
Statamic is a Laravel and Git powered content management system (CMS)
CVSS Base8.7
â
CRSSelect profile
CVE-2026-3511
8.6
XMLUtilsMultiple Products
Improper Restriction of XML External Entity Reference vulnerability in XMLUtils
CVSS Base8.6
â
CRSSelect profile
CVE-2026-32721
8.6
wirelessMultiple Products
LuCI is the OpenWrt Configuration Interface
CVSS Base8.6
â
CRSSelect profile
CVE-2026-33166
8.6
AllureMultiple Products
Allure 2 is the version 2
CVSS Base8.6
â
CRSSelect profile
CVE-2026-33072
8.2
fileMultiple Products
FileRise is a self-hosted web file manager / WebDAV server
CVSS Base8.2
â
CRSSelect profile
CVE-2026-33243
8.2
UnknownMultiple Products
barebox is a bootloader
CVSS Base8.2
â
CRSSelect profile
CVE-2026-33301
8.1
UnknownMultiple Products
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33302
8.1
UnknownMultiple Products
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base8.1
â
CRSSelect profile
CVE-2026-29189
8.1
UnknownMultiple Products
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS Base8.1
â
CRSSelect profile
CVE-2026-4478
8.1
HomeMultiple Products
A vulnerability was identified in Yi Technology YI Home Camera 2 2
CVSS Base8.1
â
CRSSelect profile
CVE-2026-31836
8.1
monitorMultiple Products
Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33010
8.1
UnknownMultiple Products
mcp-memory-service is an open-source memory backend for multi-agent systems
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33142
8.1
UnknownMultiple Products
OneUptime is a solution for monitoring and managing online services
CVSS Base8.1
â
CRSSelect profile
CVE-2026-32014
8
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base8
â
CRSSelect profile
CVE-2026-32813
8
UnknownMultiple Products
Admidio is an open-source user management solution
CVSS Base8
â
CRSSelect profile
CVE-2026-33156
7.8
UnknownMultiple Products
ScreenToGif is a screen recording tool
CVSS Base7.8
â
CRSSelect profile
CVE-2026-32064
7.7
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base7.7
â
CRSSelect profile
CVE-2026-32749
7.6
ArchMultiple Products
SiYuan is a personal knowledge management system
CVSS Base7.6
â
CRSSelect profile
CVE-2026-33321
7.6
UnknownMultiple Products
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base7.6
â
CRSSelect profile
CVE-2026-32303
7.6
HubMultiple Products
Cryptomator encrypts data being stored on cloud infrastructure