CVE-2026-20963
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
Friday's vulnerability disclosures reveal 31 critical-severity flaws across Microsoft, HP, Oracle, and Arch products, including a CVSS 10.0 remote code execution in Azure Cloud Shell (CVE-2026-32169) and multiple CVSS 9.8 issues in Microsoft Bing Images and Oracle Identity Manager. Critical CVE volume rose 158% from the prior day's 12 to 31, while high-priority disclosures increased 19% to 100. Notable entries include CVE-2026-32938 (CVSS 9.9) in SiYuan and CVE-2026-32767 (CVSS 9.8) targeting endpoint bypass in Arch products. Among the 16 actively exploited vulnerabilities are flaws in Microsoft SharePoint, Cisco FMC, Ivanti EPM, and Google Chromium V8, alongside several legacy CVEs in Apple, Hikvision, and Rockwell products still under active exploitation. No patches are currently available for the newly disclosed vulnerabilities, requiring defenders to prioritize compensating controls and monitoring.
Immediate action: Prioritize reviewing exposure to Azure Cloud Shell, Microsoft Bing Images, Oracle Identity Manager, and HP products given the concentration of CVSS 9.0+ vulnerabilities. With zero patches currently available, implement network segmentation, restrict access to affected services, and increase monitoring for exploitation indicators across SharePoint, Cisco FMC, Ivanti EPM, and Chromium environments.
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
A critical insecure deserialization flaw in the Cisco FMC web interface allows unauthenticated remote attackers to execute arbitrary Java code with root privileges via crafted serialized objects.
Omnissa Workspace ONE Server-Side Request Forgery - Active in CISA KEV catalog.
Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability - Active in CISA KEV catalog.
VMware Aria Operations contains a command injection vulnerability that could allow an attacker to execute arbitrary commands on the affected system.
A memory corruption vulnerability exists in memory allocation processes when handling specific alignments, potentially leading to arbitrary code execution or system instability.
n8n Improper Control of Dynamically-Managed Code Resources Vulnerability - Active in CISA KEV catalog.
Hikvision Multiple Products Improper Authentication Vulnerability - Active in CISA KEV catalog.
Rockwell Multiple Products Insufficient Protected Credentials Vulnerability - Active in CISA KEV catalog.
Apple Multiple products Use-After-Free Vulnerability - Active in CISA KEV catalog.
Apple Multiple Products Integer Overflow or Wraparound Vulnerability - Active in CISA KEV catalog.
Apple iOS and iPadOS Use-After-Free Vulnerability - Active in CISA KEV catalog.
Google Chrome versions prior to 146 feature an inappropriate implementation in the V8 JavaScript engine that is currently being exploited in the wild to achieve code execution.
Google Chrome versions prior to 146 contain an out-of-bounds write vulnerability in the Skia graphics engine, which is currently being exploited in the wild.
Wing FTP Server Information Disclosure Vulnerability - Active in CISA KEV catalog.
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability - Active in CISA KEV catalog.
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification templates. Incoming email bodies are stored in the database without sanitization and rendered unescaped in outgoing email notifications using Blade's raw output syntax {!! $thread->body !!}. An unauthenticated attacker can exploit this vulnerability by simply sending an email; when the resulting notification is opened by any subscribed agent or admin as part of their normal workflow, it enables universal HTML injection (phishing, tracking) and, in vulnerable email clients, JavaScript execution (session hijacking, credential theft, account takeover), affecting all recipients simultaneously. This issue has been fixed in version 1.8.209.
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This vulnerability is a direct Patch Bypass of CVE-2024-49774. Although the vendor attempted to fix the issue in version 7.14.5, the underlying flaw in ModuleScanner.php regarding PHP token parsing remains. The scanner incorrectly resets its internal state ($checkFunction flag) when encountering any single-character token (such as =, ., or ;). This allows attackers to hide dangerous function calls (e.g., system(), exec()) using variable assignments or string concatenation, completely evading the MLP security controls. Versions 7.15.1 and 8.9.3 patch the issue.
SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user, including those with the Reader role, to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1.
Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality. The issue exists in /website_code/php/import/import.php where missing authentication checks allow an attacker to upload a crafted ZIP archive disguised as a project template. The archive can contain a malicious PHP payload placed in the media/ directory, which is extracted into a web-accessible USER-FILES/{projectID}--{targetFolder}/ path. An attacker can then directly access the uploaded PHP file to achieve remote code execution under the web server context.
A server-side request forgery (SSRF) vulnerability in Azure Cloud Shell allows an unauthenticated attacker to elevate privileges over a network.
An OS command injection vulnerability in Microsoft Bing Images allows an unauthenticated attacker to execute arbitrary code over a network.
A command injection vulnerability in Microsoft Bing Images allows an unauthorized attacker to execute arbitrary code via network-based requests.
SiYuan versions 3.6.0 and below are vulnerable to path traversal and sensitive file exfiltration via improper validation of file:// links in pasted HTML.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress allows PHP Local File Inclusion. This issue affects BuilderPress: from n/a through 2.0.1.
A critical vulnerability in Oracle Identity Manager and Web Services Manager allows unauthenticated network-based takeover via HTTP.
Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2.
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folder_delete and file_delete action handlers in modules/documents-files.php only perform a VIEW authorization check (getFolderForDownload / getFileForDownload) before calling delete(), and they never validate a CSRF token. Because the target UUIDs are read from $_GET, deletion can be triggered by a plain HTTP GET request. When the module is in public mode (documents_files_module_enabled = 1) and a folder is marked public (fol_public = true), an unauthenticated attacker can permanently destroy the entire document library. Even when the module requires login, any user with view-only access can delete content they are only permitted to read. This issue has been fixed in version 5.0.7.
SiYuan versions 3.6.0 and below contain a click-through XSS vulnerability in the dynamic icon API due to incomplete SVG sanitization.
Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Any Jellyseerr account holder can execute arbitrary JavaScript in the Anchorr admin's browser session. The injected script calls the authenticated /api/config endpoint, which returns the full application configuration in plaintext. This allows the attacker to forge a valid Anchorr session token and gain full admin access to the dashboard with no knowledge of the admin password. The same response also exposes the API keys and tokens for every integrated service, resulting in simultaneous account takeover of the Jellyfin media server (via JELLYFIN_API_KEY), the Jellyseerr request manager (via JELLYSEERR_API_KEY), and the Discord bot (via DISCORD_TOKEN). This issue has been fixed in version 1.4.2.
The Aimogen Pro plugin for WordPress allows unauthenticated arbitrary function calls. Attackers can exploit this to change the default user role to administrator and gain full site control.
Mesop versions 1.2.2 and below contain an unauthenticated remote code execution (RCE) vulnerability in a debugging endpoint within the AI testing module.
Mesop versions 1.2.2 and below are vulnerable to path traversal, allowing unauthorized users to manipulate or delete arbitrary files on the host disk.
OpenClaw versions before 2026.2.24 contain a sandbox network isolation bypass vulnerability allowing trusted operators to access other container networks.
The Woocommerce Wholesale Lead Capture plugin is vulnerable to incorrect privilege assignment, which allows attackers to escalate their privileges within the WordPress environment.
A remote code execution (RCE) vulnerability in WGCLOUD v2.3.7 and earlier allows attackers to execute arbitrary code via the test connection function.
The Woocommerce Wholesale Lead Capture plugin allows for the unrestricted upload of files with dangerous types, enabling attackers to upload and execute malicious files on the server.
Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor allows Upload a Web Shell to a Web Server. This issue affects Mobile App Editor: from n/a through 1.3.1.
Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object Injection. This issue affects Zuut: from n/a through 1.4.2.
Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection. This issue affects Finag: from n/a through 1.5.0.
XML::Parser for Perl contains an off-by-one heap buffer overflow in the st_serial_stack function. Attackers can trigger this by providing XML files with deeply nested elements to cause a crash.
Cozmoslabs Profile Builder Pro is vulnerable to Blind SQL Injection, allowing attackers to extract sensitive information from the database by sending crafted queries.
A path traversal vulnerability in UniFi Network Application allows network-based attackers to access and manipulate sensitive system files. This can lead to unauthorized account access.
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.
OPEXUS eComplaint and eCASE expose secret verification codes in HTTP responses during password resets. Attackers can use this to hijack accounts and reset security questions without authorization.
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a Command injection vulnerability in the backup functionality that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the backup functionality. Version 8.0.0.2 fixes the issue.
Spring Security may fail to write HTTP response headers in certain servlet applications. This failure can bypass critical security protections like HSTS or CSP, leaving users vulnerable to web-based attacks.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ovatheme Tripgo allows PHP Local File Inclusion
Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4
Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework
Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network
Exposure of sensitive information to an unauthorized actor in Azure Data Factory allows an unauthorized attacker to disclose information over a network
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network
Kysely is a type-safe TypeScript SQL query builder
The Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_type' parameter in all versions up to, and including, 3
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
OpenClaw versions prior to 2026
The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'fields' parameter in all versions up to, and including, 1
Server-side request forgery (ssrf) in Microsoft 365 Copilot's Business Chat allows an authorized attacker to elevate privileges over a network
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4
A vulnerability in the Arturia Software Center for MacOS involves the insecure installation of uninstaller components during plugin deployment, potentially allowing unauthorized system changes.
A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx
Admidio is an open-source user management solution
The "Privileged Helper" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects
WWBN AVideo is an open source video platform
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fh' (fingerprint) parameter in all versions up to, and including, 5
ApostropheCMS is an open-source content management framework
WWBN AVideo is an open source video platform
WWBN AVideo is an open source video platform
WWBN AVideo is an open source video platform
A flaw was found in pgproto3
Jenkins 2
ClipBucket v5 is an open source video sharing platform
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
OpenEMR is a free and open source electronic health records and medical practice management application
The Kan open-source project management tool is affected by a high-severity vulnerability that may allow for significant unauthorized access or data compromise.
Jenkins 2
Out-of-bounds read in ALPN parsing due to incomplete validation
pyLoad is a free and open-source download manager written in Python
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
pydicom is a pure Python package for working with DICOM files
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service
Missing Authorization vulnerability in Dotstore Fraud Prevention For Woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels
OpenClaw versions prior to 2026
Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection
ewe is a Gleam web server
Buffer Overflow vulnerability in giflib v
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints
Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard allows Password Recovery Exploitation
An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges
In Juju from version 3
The import form CSRF vulnerability in MuraCMS through 10
The Trash Restore CSRF vulnerability in MuraCMS through 10
HTSlib is a library for reading and writing bioinformatics file formats
BMC FootPrints ITSM versions 20
OpenClaw versions prior to 2026
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
A vulnerability has been found in Yi Technology YI Home Camera 2 2
Improper Restriction of XML External Entity Reference vulnerability in XMLUtils
LuCI is the OpenWrt Configuration Interface
Improper certificate validation in Devolutions Hub Reporting Service 2025
HTSlib is a library for reading and writing bioinformatics file formats
MuraCMS through 10
Glances is an open-source system cross-platform monitoring tool
Glances is an open-source system cross-platform monitoring tool
HTSlib is a library for reading and writing bioinformatics file formats
HTSlib is a library for reading and writing bioinformatics file formats
HTSlib is a library for reading and writing bioinformatics file formats
HTSlib is a library for reading and writing bioinformatics file formats
HTSlib is a library for reading and writing bioinformatics file formats
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
A vulnerability was identified in Yi Technology YI Home Camera 2 2
LibreChat version 0
MuraCMS through 10
OpenClaw versions prior to 2026
Admidio is an open-source user management solution
An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node
A Stored cross-site scripting (XSS) vulnerability affects HCL Unica Marketing Operations v12
SiYuan is a personal knowledge management system
Glances is an open-source system cross-platform monitoring tool
A zip slip vulnerability in the Admin import functionality of CTFd v3
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C
An issue in the VirtualHost configuration handling/parser component of aaPanel v7
A lack of path validation in aaPanel v7
HTSlib is a library for reading and writing bioinformatics file formats
SAMtools is a program for reading, manipulating and writing bioinformatics file formats
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node
OpenClaw versions prior to 2026
Missing Authorization vulnerability in EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels
XML::Parser versions through 2
A flaw was found in libarchive
OpenClaw versions prior to 2026
AutoMapper is a convention-based object-object mapper in
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks
A logic error in CRL distribution point validation in AWS-LC before 1
BMC FootPrints ITSM versions 20