Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Monday's disclosures center on network infrastructure and enterprise utilities, with critical remote code execution flaws affecting Totolink routers and LG IP device management software. Critical CVEs increased to 2 (up 100% from yesterday) and high-priority CVEs rose to 61 (up 97%), reflecting a substantially heavier disclosure volume. Notable critical issues include CVE-2026-7037 (CVSS 9.8) in the Totolink A8000RU router and CVE-2026-42363 (CVSS 9.3) in the LG GV-IP Device Utility. Attack patterns skew toward remote code execution and authentication weaknesses in network-edge devices, alongside exploitation activity targeting Microsoft SharePoint, Apache ActiveMQ, and SimpleHelp. With patch availability at 0% for the disclosed set, defenders should prioritize compensating controls and network segmentation while vendor fixes are pending.
Totolink A8000RU router affected by CVE-2026-7037 (CVSS 9.8), the day's highest-severity disclosure
Critical CVEs rose to 2, a 100% increase from the prior day's single disclosure
High-priority CVEs climbed to 61, a 97% increase from yesterday's 31
Remote code execution and authentication bypass flaws dominate, impacting Totolink, LG, SharePoint, and ActiveMQ
Patch availability sits at 0% across the 63 disclosed vulnerabilities, requiring interim mitigations
13 CVEs carry confirmed active exploitation, including SharePoint, PaperCut, JetBrains TeamCity, and SimpleHelp
Immediate action: Prioritize Totolink A8000RU and LG GV-IP Device Utility deployments for isolation and monitoring, and accelerate review of SharePoint, Apache ActiveMQ, PaperCut, SimpleHelp, and JetBrains TeamCity instances given confirmed exploitation. With no vendor patches available for today's disclosures, apply network segmentation, restrict management interfaces, and increase logging on affected systems until fixes ship.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2009-0238
9.5đ Late Disclosure
MicrosoftOffice
â° Federal Deadline:April 27, 2026(1 days remaining)
Microsoft Office Remote Code Execution - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-32201
9.5
MicrosoftSharePoint Server
â° Federal Deadline:April 27, 2026(1 days remaining)
Microsoft SharePoint Server Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-34197
9.5
ApacheActiveMQ
â° Federal Deadline:April 29, 2026(3 days remaining)
Apache ActiveMQ Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-2749
9.5
KenticoKentico Xperience
â° Federal Deadline:May 3, 2026(7 days remaining)
Kentico Xperience Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2023-27351
9.5đ Late Disclosure
PaperCutNG/MF
â° Federal Deadline:May 3, 2026(7 days remaining)
PaperCut NG/MF Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-32975
9.5
QuestKACE Systems Management Appliance (SMA)
â° Federal Deadline:May 3, 2026(7 days remaining)
Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2024-27199
9.5đ Late Disclosure
JetBrainsTeamCity
â° Federal Deadline:May 3, 2026(7 days remaining)
JetBrains TeamCity Relative Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-33825
9.5
MicrosoftDefender
â° Federal Deadline:May 5, 2026(9 days remaining)
Microsoft Defender Insufficient Granularity of Access Control Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-39987
9.5
MarimoMarimo
â° Federal Deadline:May 6, 2026(10 days remaining)
Marimo Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-29635
9.5
D-LinkDIR-823X
â° Federal Deadline:May 7, 2026(11 days remaining)
D-Link DIR-823X Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-7399
9.5đ Late Disclosure
SamsungMagicINFO 9 Server
â° Federal Deadline:May 7, 2026(11 days remaining)
Samsung MagicINFO 9 Server Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-57728
9.5đ Late Disclosure
SimpleHelp SimpleHelp
â° Federal Deadline:May 7, 2026(11 days remaining)
SimpleHelp Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-57726
9.5đ Late Disclosure
SimpleHelp SimpleHelp
â° Federal Deadline:May 7, 2026(11 days remaining)
SimpleHelp Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2026-7037
9.8đ
TotolinkA8000RU
A remote OS command injection vulnerability exists in the Totolink A8000RU router via the pptpPassThru argument in the setVpnPassCfg function.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-42363
9.3đ
LGGV-IP Device Utility
GeoVision GV-IP Device Utility 9.0.5 uses insufficient encryption for administrative credentials, allowing attackers to intercept and decrypt sensitive data over local broadcast traffic.
CVSS Base9.3
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2026-7106
8.8đ
WordPressis vulnerable
The Highland Software Custom Role Manager plugin for WordPress is susceptible to privilege escalation, allowing unauthorized users to obtain elevated permissions.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-6785
8.1đ
FirefoxFirefox ESR
Memory safety bugs in Firefox ESR 115 could lead to arbitrary code execution if exploited by an attacker via a malicious webpage.
CVSS Base8.1
â
CRSSelect profile
CVE-2026-6786
8.1đ
FirefoxFirefox ESR
Memory safety bugs in Firefox ESR 140 could allow a remote attacker to execute arbitrary code or cause a crash via a malicious webpage.
CVSS Base8.1
â
CRSSelect profile
CVE-2026-7002
7.3
HPof the
A vulnerability was determined in KLiK SocialMediaWebsite up to 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7025
7.3
HPof the
A vulnerability was found in Typecho up to 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7063
7.3
HPof the
A vulnerability was detected in code-projects Employee Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7061
7.3đ
Dockerchatgpt-mcp-server
A security weakness has been identified in the Toowiredd chatgpt-mcp-server, potentially allowing unauthorized access or service disruption.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7072
7.3đ
HPcanteen_management_system
A vulnerability in CodePanda Source canteen_management_system 1 allows for potential unauthorized actions due to improper security controls.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7073
7.3đ
HPConstruction Management System
A security flaw has been found in the itsourcecode Construction Management System 1, potentially leading to unauthorized system access.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7074
7.3đ
HPConstruction Management System
A vulnerability has been found in the itsourcecode Construction Management System 1 that could allow for unauthorized data access or system manipulation.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7075
7.3đ
HPConstruction Management System
A security vulnerability exists in the itsourcecode Construction Management System 1, potentially exposing the application to unauthorized exploitation.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7076
7.3đ
HPCourier Management System
A security vulnerability exists in the itsourcecode Courier Management System 1, potentially exposing the application to unauthorized exploitation.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7077
7.3đ
HPCourier Management System
A security vulnerability exists in the itsourcecode Courier Management System 1, potentially exposing the application to unauthorized exploitation.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7087
7.3đ
HPPharmacy Sales and Inventory System
A security vulnerability exists in the SourceCodester Pharmacy Sales and Inventory System 1, potentially exposing the application to unauthorized exploitation.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7088
7.3đ
HPPharmacy Sales and Inventory System
A security vulnerability exists in the SourceCodester Pharmacy Sales and Inventory System 1, potentially exposing the application to unauthorized exploitation.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-6988
8.8
TendaHG10 HG7
A flaw has been found in Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7019
8.8
TendaF456
A vulnerability was identified in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7029
8.8
TendaF456
A weakness has been identified in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7030
8.8
TendaF456
A security vulnerability has been detected in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7031
8.8
TendaF456
A vulnerability was detected in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7032
8.8
TendaF456
A flaw has been found in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7033
8.8
TendaF456
A vulnerability has been found in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7034
8.8
TendaFH1202
A vulnerability was found in Tenda FH1202 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7035
8.8
TendaFH1202
A vulnerability was determined in Tenda FH1202 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7053
8.8
TendaF456
A security flaw has been discovered in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7054
8.8
TendaF456
A weakness has been identified in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7055
8.8
TendaF456
A security vulnerability has been detected in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7056
8.8
TendaF456
A vulnerability was detected in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7057
8.8
TendaF456
A flaw has been found in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33277
8.8
Acerprior to
An OS command Injection issue exists in LogonTracer prior to v2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7068
8.8
D-LinkDIR
A vulnerability was identified in D-Link DIR-825 3
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7078
8.8
TendaF456
A security flaw has been discovered in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7079
8.8
TendaF456
A weakness has been identified in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7080
8.8
TendaF456
A security vulnerability has been detected in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7081
8.8
TendaF456
A vulnerability was detected in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7082
8.8
TendaF456
A flaw has been found in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7096
8.8
TendaHG3
A security flaw has been discovered in Tenda HG3 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7097
8.8
TendaF456
A weakness has been identified in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7039
7.8
InforMultiple Products
A security vulnerability has been detected in tufantunc ssh-mcp up to 1
CVSS Base7.8
â
CRSSelect profile
CVE-2026-42255
7.2
DNSMultiple Products
Technitium DNS Server before 15
CVSS Base7.2
â
CRSSelect profile
CVE-2026-7069
8
D-LinkDIR
A security flaw has been discovered in D-Link DIR-825 up to 3
CVSS Base8
â
CRSSelect profile
CVE-2026-7036
7.3
Tendai9
A vulnerability was identified in Tenda i9 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7067
7.3
D-LinkDIR
A vulnerability was determined in D-Link DIR-822 A_101
CVSS Base7.3
â
CRSSelect profile
CVE-2026-6992
7.2
LinksysMR9600
A vulnerability was identified in Linksys MR9600 2
CVSS Base7.2
â
CRSSelect profile
CVE-2018-25263
8.4đ Late Disclosure
DesktopMultiple Products
Faleemi Desktop Software 1
CVSS Base8.4
â
CRSSelect profile
CVE-2018-25283
8.4đ Late Disclosure
theMultiple Products
iSmartViewPro 1
CVSS Base8.4
â
CRSSelect profile
CVE-2018-25294
7.5đ Late Disclosure
CEWEMultiple Products
CEWE Photoshow 6
CVSS Base7.5
â
CRSSelect profile
CVE-2026-6977
7.3đ
Vanna-AIVanna
A security vulnerability has been identified in the Vanna-AI Vanna framework, affecting versions up to 2.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-6980
7.3
InforMultiple Products
A vulnerability has been found in Divyanshu-hash GitPilot-MCP up to 9ed9f153ba4158a2ad230ee4871b25130da29ffd
CVSS Base7.3
â
CRSSelect profile
CVE-2026-6987
7.3
InforMultiple Products
A vulnerability was detected in PicoClaw up to 0
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7022
7.3đ
SmythOSSRE
A security vulnerability has been identified in SmythOS SRE, affecting versions up to 0.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7042
7.3
foundMultiple Products
A flaw has been found in 666ghj MiroFish up to 0
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7058
7.3
foundMultiple Products
A vulnerability has been found in 666ghj MiroFish up to 0
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7060
7.3
InforMultiple Products
A vulnerability was determined in liyupi yu-picture up to a053632c41340152bf75b66b3c543d129123d8ec
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7062
7.3đ
Intina47context-sync
A security vulnerability has been identified in the Intina47 context-sync software, potentially allowing unauthorized access to synchronized data.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7064
7.3
InforMultiple Products
A flaw has been found in AgentDeskAI browser-tools-mcp up to 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7065
7.3
InforMultiple Products
A vulnerability has been found in BidingCC BuildingAI up to 26
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7066
7.3
InforMultiple Products
A vulnerability was found in choieastsea simple-openstack-mcp up to 767b2f4a8154cca344344b9725537a58399e6036
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7070
7.3
ManagementMultiple Products
A weakness has been identified in code-projects Inventory Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7094
7.3
InforMultiple Products
A vulnerability was determined in ShadowCloneLabs GlutamateMCPServers up to e2de73280b01e5d943593dd1aa2c01c5b9112f78
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3006
7
SuccessfulMultiple Products
Successful exploitation of the race condition vulnerability could allow
an attacker to trigger a kernel heap overflow, potentially leading to local privilege
escalation and granting system-level access to the affected software