Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Wednesday's vulnerability disclosures are headlined by multiple critical Mozilla Firefox and Thunderbird flaws, including two perfect CVSS 10.0 sandbox escapes (CVE-2026-4688, CVE-2026-4725) and several additional 9.8-rated issues spanning privilege escalation and code execution. The day's 30 critical CVEs represent a 43% increase over Tuesday, while the 100 high-priority disclosures held steady. A critical WordPress vulnerability (CVE-2026-4001, CVSS 9.8) and a GitHub Actions workflow flaw (CVE-2026-33475, CVSS 9.1) round out the most severe new disclosures. Among the 14 actively exploited vulnerabilities, Apple products account for five entries and Google Chromium and Skia carry two, alongside ongoing exploitation of Craft CMS, Laravel Livewire, Zimbra, and Wing FTP Server. No patches are currently available for today's disclosed CVEs, making network-level mitigations and monitoring essential in the interim.
Two Mozilla Firefox/Thunderbird sandbox escape vulnerabilities rated CVSS 10.0, with six additional critical Mozilla flaws scoring 9.8
30 critical CVEs disclosed, up 43% from Tuesday's 21
100 high-priority CVEs, unchanged from the prior day
0% patch availability across all disclosed CVEs â no vendor fixes released yet
14 actively exploited vulnerabilities spanning Apple, Google Chromium, Zimbra, Craft CMS, and Laravel Livewire
Immediate action: Prioritize Mozilla Firefox and Thunderbird updates as soon as patches become available, given the two CVSS 10.0 sandbox escapes and multiple 9.8-rated flaws. Review exposure to WordPress, GitHub Actions, and the actively exploited products â Apple, Chromium, Zimbra, Craft CMS, and Wing FTP Server â and apply compensating controls such as WAF rules and network segmentation until vendor patches are released.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2017-7921
9.5đ Late Disclosure
HikvisionMultiple Products
â° Federal Deadline:March 25, 2026(1 days remaining)
Hikvision Multiple Products Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2021-22681
9.5đ Late Disclosure
RockwellMultiple Products
â° Federal Deadline:March 25, 2026(1 days remaining)
Rockwell Multiple Products Insufficient Protected Credentials Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2023-43000
9.5đ Late Disclosure
AppleMultiple Products
â° Federal Deadline:March 25, 2026(1 days remaining)
Apple Multiple products Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2021-30952
9.5đ Late Disclosure
AppleMultiple Products
â° Federal Deadline:March 25, 2026(1 days remaining)
Apple Multiple Products Integer Overflow or Wraparound Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2023-41974
9.5đ Late Disclosure
AppleiOS and iPadOS
â° Federal Deadline:March 25, 2026(1 days remaining)
Apple iOS and iPadOS Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-3910
9.5đ
GoogleChromium V8
â° Federal Deadline:March 26, 2026(2 days remaining)
Google Chrome versions prior to 146 feature an inappropriate implementation in the V8 JavaScript engine that is currently being exploited in the wild to achieve code execution.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-3909
9.5đ
GoogleSkia
â° Federal Deadline:March 26, 2026(2 days remaining)
Google Chrome versions prior to 146 contain an out-of-bounds write vulnerability in the Skia graphics engine, which is currently being exploited in the wild.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-47813
9.5
Wing FTP ServerWing FTP Server
â° Federal Deadline:March 29, 2026(5 days remaining)
Wing FTP Server Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-66376
9.5
SynacorZimbra Collaboration Suite (ZCS)
â° Federal Deadline:March 31, 2026(7 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-32432
9.5
Craft CMSCraft CMS
â° Federal Deadline:April 2, 2026(9 days remaining)
Craft CMS Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-54068
9.5
LaravelLivewire
â° Federal Deadline:April 2, 2026(9 days remaining)
Laravel Livewire Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-43510
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(9 days remaining)
Apple Multiple Products Improper Locking Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-43520
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(9 days remaining)
Apple Multiple Products Classic Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-31277
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(9 days remaining)
Apple Multiple Products Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2026-4001
9.8đ
WordPressis vulnerable
The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to unauthenticated Remote Code Execution (RCE) via the PHP eval() function in custom pricing formulas.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-33475
9.1đ
GitHubActions workflows
Unauthenticated remote shell injection in Langflow's GitHub Actions workflows allows attackers to execute arbitrary commands and exfiltrate CI secrets via malicious branch names.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-4688
10đ
SandboxFirefox and Thunderbird
A critical sandbox escape vulnerability in Mozilla products, caused by a use-after-free in Disability Access APIs, allows for full system compromise.
CVSS Base10
â
CRSSelect profile
CVE-2026-4717
9.8đ
PrivilegeFirefox and Thunderbird
A privilege escalation vulnerability exists in the Netmonitor component of Mozilla Firefox and Thunderbird. Successful exploitation could allow an attacker to gain elevated permissions.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4725
10đ
SandboxFirefox and Thunderbird
A use-after-free vulnerability in the Graphics: Canvas2D component of Mozilla Firefox and Thunderbird enables a critical sandbox escape.
CVSS Base10
â
CRSSelect profile
CVE-2026-4755
9.8đ
MolotovCherry AndroidAndroid-ImageMagick7
A critical improper input validation vulnerability (CWE-20) in MolotovCherry Android-ImageMagick7 can lead to severe system instability or unauthorized code execution.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4691
9.8đ
MozillaFirefox and Thunderbird
A use-after-free vulnerability in the CSS Parsing and Computation component of Mozilla browsers allows for potential remote code execution via specifically crafted web content.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4696
9.8đ
MozillaFirefox and Thunderbird
A critical use-after-free vulnerability in the Layout: Text and Fonts component of Mozilla products could allow for remote code execution when processing malicious web content.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4698
9.8đ
MozillaFirefox and Thunderbird
A critical JIT miscompilation vulnerability in the JavaScript Engine of Mozilla browsers allows for remote code execution via malicious scripts.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4700
9.8đ
MitigationFirefox and Thunderbird
A mitigation bypass vulnerability in the Networking: HTTP component affects several Mozilla products, including Firefox and Thunderbird.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4701
9.8đ
MozillaFirefox and Thunderbird
A use-after-free vulnerability in the JavaScript Engine of Mozilla products allows unauthenticated remote code execution through memory corruption.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4702
9.8đ
MozillaFirefox and Thunderbird
A JIT miscompilation in the JavaScript Engine of Mozilla products allows unauthenticated attackers to achieve remote code execution via crafted web content.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4705
9.8đ
SignalFirefox and Thunderbird
Undefined behavior in the WebRTC: Signaling component of Mozilla products creates a critical security risk for Firefox and Thunderbird users.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4711
9.8đ
MozillaFirefox and Thunderbird
A use-after-free vulnerability in the Widget: Cocoa component of Mozilla products on macOS allows for remote code execution via malicious web interaction.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4723
9.8đ
MozillaFirefox and Thunderbird
A use-after-free vulnerability in the JavaScript Engine of Mozilla Firefox and Thunderbird allows for critical remote code execution.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4283
9.1đ
WordPressis vulnerable
The WP DSGVO Tools (GDPR) plugin for WordPress allows unauthenticated attackers to permanently destroy non-administrator accounts by bypassing the email confirmation flow via AJAX.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-4715
9.1đ
UninitializedFirefox and Thunderbird
An uninitialized memory vulnerability in the Graphics: Canvas2D component affects Mozilla Firefox and Thunderbird, leading to potential memory corruption.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-4716
9.1
IncorrectMultiple Products
Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
CVSS Base9.1
â
CRSSelect profile
CVE-2019-25646
9.8đ Late Disclosure
the MAILMultiple Products
Tabs Mail Carrier 2.5.1 contains a buffer overflow vulnerability in the MAIL FROM SMTP command that allows remote attackers to execute arbitrary code by sending a crafted MAIL FROM parameter. Attackers can connect to the SMTP service on port 25 and send a malicious MAIL FROM command with an oversized buffer to overwrite the EIP register and execute a bind shell payload.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-71275
9.8
Zimbra CollaborationMultiple Products
Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by exploiting improper sanitization of the RCPT TO parameter via SMTP injection. Attackers can inject shell expansion syntax through the RCPT TO parameter to achieve remote code execution under the Zimbra service context.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-33309
9.9
ArchMultiple Products
Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File Name), leading to the root architectural issue within `LocalStorageService` remaining unresolved. Because the underlying storage layer lacks boundary containment checks, the system relies entirely on the HTTP-layer `ValidatedFileName` dependency. This defense-in-depth failure leaves the `POST /api/v2/files/` endpoint vulnerable to Arbitrary File Write. The multipart upload filename bypasses the path-parameter guard, allowing authenticated attackers to write files anywhere on the host system, leading to Remote Code Execution (RCE). Version 1.9.0 contains an updated fix.
CVSS Base9.9
â
CRSSelect profile
CVE-2019-25628
9.8đ Late Disclosure
Download AcceleratorMultiple Products
Download Accelerator Plus DAP 10.0.6.0 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting malicious URLs. Attackers can create specially crafted URLs with overflowing buffer data that overwrites SEH pointers and executes embedded shellcode when imported through the application's web page import functionality.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-33244
9
Linuxcontains
NVIDIA APEX for Linux contains a vulnerability where an unauthorized attacker could cause a deserialization of untrusted data. This vulnerability affects environments that use PyTorch versions earlier than 2.6. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, data tampering, and information disclosure.
CVSS Base9
â
CRSSelect profile
CVE-2026-33202
9.1
ActiveMultiple Products
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-33286
9.1đ
GraphitiGraphiti Framework
Graphiti framework versions prior to 1.10.2 are vulnerable to arbitrary method execution, allowing attackers to invoke destructive operations on underlying models via malicious JSONAPI payloads.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-33340
9.1đ
AWSlollms-webui
A critical Server-Side Request Forgery (SSRF) in lollms-webui allows unauthenticated attackers to force arbitrary GET requests, potentially exfiltrating sensitive cloud metadata and IAM tokens.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-33195
9.8
ActiveMultiple Products
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-33211
9.6
Tekton PipelinesMultiple Products
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, the Tekton Pipelines git resolver is vulnerable to path traversal via the `pathInRepo` parameter. A tenant with permission to create `ResolutionRequests` (e.g. by creating `TaskRuns` or `PipelineRuns` that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in `resolutionrequest.status.data`. Versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2 contain a patch.
CVSS Base9.6
â
CRSSelect profile
CVE-2026-4750
9.1
fabiangreffrath woofMultiple Products
Out-of-bounds Read vulnerability in fabiangreffrath woof.This issue affects woof: before woof_15.3.0.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-4753
9.1
slajerek RetroDebuggerMultiple Products
Out-of-bounds Read vulnerability in slajerek RetroDebugger.This issue affects RetroDebugger: before v0.64.72.
CVSS Base9.1
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2019-25636
8.2đ Late Disclosure
HPwith malicious
Zeeways Jobsite CMS contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' GET parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25640
8.2đ Late Disclosure
HPto extract
Inout Article Base CMS contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the 'p' and 'u' parameters
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25641
8.2đ Late Disclosure
HPwith malicious
Netartmedia Vlog System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2026-4673
8.8
GoogleChrome prior
Heap buffer overflow in WebAudio in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4675
8.8
GoogleChrome prior
Heap buffer overflow in WebGL in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4676
8.8
GoogleChrome prior
Use after free in Dawn in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4678
8.8
GoogleChrome prior
Use after free in WebGPU in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4680
8.8
GoogleChrome prior
Use after free in FedCM in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-24141
7.8
NVIDIAcontains
NVIDIA Model Optimizer for Windows and Linux contains a vulnerability in the ONNX quantization feature, where a user could cause unsafe deserialization by providing a specially crafted input file
CVSS Base7.8
â
CRSSelect profile
CVE-2026-4674
8.8
GoogleChrome prior
Out of bounds read in CSS in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4677
8.8
GoogleChrome prior
Inappropriate implementation in WebAudio in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4679
8.8
GoogleChrome prior
Integer overflow in Fonts in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33176
7.5
ActiveMultiple Products
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework
CVSS Base7.5
â
CRSSelect profile
CVE-2026-24157
7.8
NVIDIANeMo Framework
NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution
CVSS Base7.8
â
CRSSelect profile
CVE-2019-25635
8.2đ Late Disclosure
InforMultiple Products
Zeeways Matrimony CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the profile_list endpoint
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25639
8.2đ Late Disclosure
ArchMultiple Products
Matrimony Website Script M-Plus contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST parameters
CVSS Base8.2
â
CRSSelect profile
CVE-2026-4021
8.1
WordPressis vulnerable
The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28
CVSS Base8.1
â
CRSSelect profile
CVE-2026-4306
7.5
WordPressis vulnerable
The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in all versions up to, and including, 2
CVSS Base7.5
â
CRSSelect profile
CVE-2026-3533
8.8
WordPressis vulnerable
The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33854
8.8
MolotovCherryMultiple Products
Out-of-bounds Write vulnerability in MolotovCherry Android-ImageMagick7
CVSS Base8.8
â
CRSSelect profile
CVE-2026-27654
8.2
NginxOpen Source
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root
CVSS Base8.2
â
CRSSelect profile
CVE-2026-33507
8.8
HPcode
WWBN AVideo is an open source video platform
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33647
8.8
HPcode
WWBN AVideo is an open source video platform
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33717
8.8
HPfile persistently
WWBN AVideo is an open source video platform
CVSS Base8.8
â
CRSSelect profile
CVE-2019-25630
8.8đ Late Disclosure
HPfiles through
PhreeBooks ERP 5
CVSS Base8.8
â
CRSSelect profile
CVE-2019-25647
8.8đ Late Disclosure
HPfiles by
PhreeBooks ERP 5
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4756
7.8
MolotovCherryMultiple Products
Out-of-bounds Write vulnerability in MolotovCherry Android-ImageMagick7
CVSS Base7.8
â
CRSSelect profile
CVE-2026-26306
7.8
UnknownMultiple Products
The installer for OM Workspace (Windows Edition) Ver 2
CVSS Base7.8
â
CRSSelect profile
CVE-2026-33513
8.6
HPfiles under
WWBN AVideo is an open source video platform
CVSS Base8.6
â
CRSSelect profile
CVE-2019-25643
8.2đ Late Disclosure
HPwith crafted
eNdonesia Portal v8
CVSS Base8.2
â
CRSSelect profile
CVE-2026-27784
7.8
NginxOpen Source
The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file
CVSS Base7.8
â
CRSSelect profile
CVE-2026-32647
7.8
NginxOpen Source
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file
CVSS Base7.8
â
CRSSelect profile
CVE-2026-24150
7.8
NVIDIAMegatron
NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file
CVSS Base7.8
â
CRSSelect profile
CVE-2026-24152
7.8
NVIDIAMegatron
NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file
CVSS Base7.8
â
CRSSelect profile
CVE-2026-33399
7.7
HPexecutes
Wallos is an open-source, self-hostable personal subscription tracker
CVSS Base7.7
â
CRSSelect profile
CVE-2026-33483
7.5
HPscript with
WWBN AVideo is an open source video platform
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25642
8.2đ Late Disclosure
HPMultiple Products
Bootstrapy CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST parameters
CVSS Base8.2
â
CRSSelect profile
CVE-2026-33479
8.8
HPMultiple Products
WWBN AVideo is an open source video platform
CVSS Base8.8
â
CRSSelect profile
CVE-2026-29839
8.8
HPMultiple Products
DedeCMS v5
CVSS Base8.8
â
CRSSelect profile
CVE-2025-33247
7.8
NVIDIAMegatron LM
NVIDIA Megatron LM contains a vulnerability in quantization configuration loading, which could allow remote code execution
CVSS Base7.8
â
CRSSelect profile
CVE-2026-24159
7.8
NVIDIANeMo Framework
NVIDIA NeMo Framework contains a vulnerability where an attacker may cause remote code execution
CVSS Base7.8
â
CRSSelect profile
CVE-2026-33480
8.6
HPMultiple Products
WWBN AVideo is an open source video platform
CVSS Base8.6
â
CRSSelect profile
CVE-2026-33719
8.6
HPMultiple Products
WWBN AVideo is an open source video platform
CVSS Base8.6
â
CRSSelect profile
CVE-2026-33482
8.1
HPMultiple Products
WWBN AVideo is an open source video platform
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33649
8.1
HPMultiple Products
WWBN AVideo is an open source video platform
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33651
8.1
HPMultiple Products
WWBN AVideo is an open source video platform
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33354
7.6
HPMultiple Products
WWBN AVideo is an open source video platform
CVSS Base7.6
â
CRSSelect profile
CVE-2026-33650
7.6
HPMultiple Products
WWBN AVideo is an open source video platform
CVSS Base7.6
â
CRSSelect profile
CVE-2026-33485
7.5
F5Multiple Products
WWBN AVideo is an open source video platform
CVSS Base7.5
â
CRSSelect profile
CVE-2026-33512
7.5
HPMultiple Products
WWBN AVideo is an open source video platform
CVSS Base7.5
â
CRSSelect profile
CVE-2026-24516
8.8
AgentDroplet Agent
A command injection vulnerability exists in DigitalOcean Droplet Agent through 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-22739
8.6
Configdirectories
Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories
CVSS Base8.6
â
CRSSelect profile
CVE-2026-32969
7.5
userinfoMultiple Products
An unauthenticated remote attacker can exploit a Pre-Auth blind SQL Injection vulnerability in the userinfo endpointâs authentication method due to improper neutralization of special elements in a SQL SELECT command
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4639
8.8
VitalsMultiple Products
Vitals ESP developed by Galaxy Software Services has a Incorrect Authorization vulnerability, allowing authenticated remote attackers to perform certain administrative functions, thereby escalating privileges
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33848
8.8
linkingvisionMultiple Products
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in linkingvision rapidvms
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33849
8.8
linkingvisionMultiple Products
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in linkingvision rapidvms
CVSS Base8.8
â
CRSSelect profile
CVE-2025-41660
8.8
UnknownMultiple Products
A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution
CVSS Base8.8
â
CRSSelect profile
CVE-2025-33248
7.8
NVIDIAMegatron
NVIDIA Megatron-LM contains a vulnerability in the hybrid conversion script where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file
CVSS Base7.8
â
CRSSelect profile
CVE-2026-24151
7.8
NVIDIAMegatron
NVIDIA Megatron-LM contains a vulnerability in inferencing where an Attacker may cause an RCE by convincing a user to load a maliciously crafted input
CVSS Base7.8
â
CRSSelect profile
CVE-2026-33331
8.2
UnknownMultiple Products
oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards
CVSS Base8.2
â
CRSSelect profile
CVE-2026-4722
8.8
PrivilegeMultiple Products
Privilege escalation in the IPC component
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33847
7.8
linkingvisionMultiple Products
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in linkingvision rapidvms
CVSS Base7.8
â
CRSSelect profile
CVE-2026-33648
8.8
UnknownMultiple Products
WWBN AVideo is an open source video platform
CVSS Base8.8
â
CRSSelect profile
CVE-2026-23480
8.8
UnknownMultiple Products
Blinko is an AI-powered card note-taking project
CVSS Base8.8
â
CRSSelect profile
CVE-2025-60946
8.8
CensusMultiple Products
Census CSWeb 8
CVSS Base8.8
â
CRSSelect profile
CVE-2025-60947
8.8
CensusMultiple Products
Census CSWeb 8
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32276
8.8
UnknownMultiple Products
Connect-CMS is a content management system
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33046
8.8
UnknownMultiple Products
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33310
8.8
UnknownMultiple Products
Intake is a package for finding, investigating, loading and disseminating data
CVSS Base8.8
â
CRSSelect profile
CVE-2026-22559
8.8
NetworkMultiple Products
An Improper Input Validation vulnerability in UniFi Network Server may allow unauthorized access to an account if the account owner is socially engineered into clicking a malicious link
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32277
8.7
UnknownMultiple Products
Connect-CMS is a content management system
CVSS Base8.7
â
CRSSelect profile
CVE-2026-4687
8.6
SandboxMultiple Products
Sandbox escape due to incorrect boundary conditions in the Telemetry component
CVSS Base8.6
â
CRSSelect profile
CVE-2026-4690
8.6
SandboxMultiple Products
Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component
CVSS Base8.6
â
CRSSelect profile
CVE-2026-32845
8.4
cgltfMultiple Products
cgltf version 1
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25626
8.4đ Late Disclosure
CamMultiple Products
River Past Cam Do 3
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25627
8.4đ Late Disclosure
StreamMultiple Products
FlexHEX 2
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25629
8.4đ Late Disclosure
loggingMultiple Products
AIDA64 Extreme 5
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25631
8.4đ Late Disclosure
UnknownMultiple Products
AIDA64 Business 5
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25633
8.4đ Late Disclosure
UnknownMultiple Products
AIDA64 Extreme 5
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25634
8.4đ Late Disclosure
UnknownMultiple Products
Base64 Decoder 1
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25637
8.4đ Late Disclosure
NetStatMultiple Products
X-NetStat Pro 5
CVSS Base8.4
â
CRSSelect profile
CVE-2026-32278
8.2
UnknownMultiple Products
Connect-CMS is a content management system
CVSS Base8.2
â
CRSSelect profile
CVE-2026-2072
8.2
HitachiMultiple Products
Cross-Site Scripting vulnerability in Hitachi Infrastructure Analytics Advisor (Analytics probe component), Hitachi Ops Center Analyzer
CVSS Base8.2
â
CRSSelect profile
CVE-2026-32300
8.1
InforMultiple Products
Connect-CMS is a content management system
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33316
8.1
UnknownMultiple Products
Vikunja is an open-source self-hosted task management platform
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33678
8.1
UnknownMultiple Products
Vikunja is an open-source self-hosted task management platform
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33329
8.1
fileMultiple Products
FileRise is a self-hosted web file manager / WebDAV server
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33344
8.1
workflowMultiple Products
Dagu is a workflow engine with a built-in Web user interface
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33298
7.8
theMultiple Products
llama
CVSS Base7.8
â
CRSSelect profile
CVE-2026-33850
7.8
WujekFoliarzMultiple Products
Out-of-bounds Write vulnerability in WujekFoliarz DualSenseY-v2
CVSS Base7.8
â
CRSSelect profile
CVE-2026-33851
7.8
joncampbell123Multiple Products
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in joncampbell123 doslib
CVSS Base7.8
â
CRSSelect profile
CVE-2026-4775
7.8
the putcontig8bitYCbCr44tileMultiple Products
A flaw was found in the libtiff library
CVSS Base7.8
â
CRSSelect profile
CVE-2026-4645
7.5
GitHubMultiple Products
A flaw was found in the `github
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26828
7.5
UnknownMultiple Products
A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26829
7.5
UnknownMultiple Products
A NULL pointer dereference in the safe_atou64 function (src/misc
CVSS Base7.5
â
CRSSelect profile
CVE-2026-25075
7.5
strongSwanMultiple Products
strongSwan versions 4
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26209
7.5
UnknownMultiple Products
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format
CVSS Base7.5
â
CRSSelect profile
CVE-2026-23482
7.5
UnknownMultiple Products
Blinko is an AI-powered card note-taking project
CVSS Base7.5
â
CRSSelect profile
CVE-2026-32299
7.5
InforMultiple Products
Connect-CMS is a content management system
CVSS Base7.5
â
CRSSelect profile
CVE-2026-33174
7.5
ActiveMultiple Products
Active Storage allows users to attach cloud and local files in Rails applications