Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Friday's vulnerability disclosures reveal 32 critical-severity flaws across widely deployed platforms including WordPress, Microsoft Devices, Nginx UI, and Google Chat. Critical CVEs jumped 256% from the prior day's 9 to 32, while high-priority vulnerabilities rose 43% to 100. Notable critical disclosures include CVE-2026-0848 (CVSS 10.0) in NLTK, CVE-2026-2599 (CVSS 9.8) in WordPress, and CVE-2026-21536 (CVSS 9.8) in Microsoft Devices Pricing. Remote code execution and authentication bypass patterns are prominent across messaging platforms including Telegram, Slack, and Google Chat integrations. Patch availability currently sits at 0%, requiring organizations to prioritize compensating controls and network segmentation for affected systems.
CVE-2026-0848 in NLTK rated CVSS 10.0 â highest severity score in today's disclosures
32 critical CVEs disclosed, up 256% from 9 the prior day
100 high-priority vulnerabilities, a 43% increase over the previous day's 70
RCE and injection flaws affect WordPress, Nginx UI, Telegram, Slack, and Google Chat integrations
0% patch availability across all 132 disclosed CVEs â compensating controls recommended
15 actively exploited vulnerabilities spanning Zimbra, GitLab, Roundcube, VMware, and Apple products
Immediate action: Prioritize compensating controls for internet-facing WordPress, Nginx UI, and messaging platform integrations (Telegram, Slack, Google Chat) until vendor patches become available. Review exposure to the 15 actively exploited vulnerabilities affecting Zimbra, GitLab, Roundcube, VMware Aria Operations, and Apple products, and apply any existing mitigations or vendor advisories immediately.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2020-7796
9.5đ Late Disclosure
SynacorZimbra Collaboration Suite
â° Federal Deadline:March 9, 2026(4 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2024-7694
9.5đ Late Disclosure
TeamT5ThreatSonar Anti-Ransomware
â° Federal Deadline:March 9, 2026(4 days remaining)
TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2008-0015
9.5đ Late Disclosure
MicrosoftWindows
â° Federal Deadline:March 9, 2026(4 days remaining)
Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-2441
9.5đ
GoogleChromium
â° Federal Deadline:March 9, 2026(4 days remaining)
Google Chrome is vulnerable to a "Use After Free" condition in its CSS engine, which could allow a remote attacker to execute arbitrary code via a crafted webpage.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2021-22175
9.5đ Late Disclosure
GitLabGitLab
â° Federal Deadline:March 10, 2026(5 days remaining)
GitLab Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-49113
9.5
RoundcubeWebmail
â° Federal Deadline:March 12, 2026(7 days remaining)
RoundCube Webmail Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-68461
9.5
RoundcubeWebmail
â° Federal Deadline:March 12, 2026(7 days remaining)
RoundCube Webmail Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-25108
9.5đ
Soliton Systems K.KFileZen
â° Federal Deadline:March 16, 2026(11 days remaining)
FileZen is affected by a high-severity OS command injection vulnerability that allows a threat actor to execute arbitrary commands on the underlying operating system.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-22719
9.5đ
BroadcomVMware Aria Operations
â° Federal Deadline:March 23, 2026(18 days remaining)
VMware Aria Operations contains a command injection vulnerability that could allow an attacker to execute arbitrary commands on the affected system.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-21385
9.5đ
QualcommMultiple Chipsets
â° Federal Deadline:March 23, 2026(18 days remaining)
A memory corruption vulnerability exists in memory allocation processes when handling specific alignments, potentially leading to arbitrary code execution or system instability.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2017-7921
9.5đ Late Disclosure
HikvisionMultiple Products
â° Federal Deadline:March 25, 2026(20 days remaining)
Hikvision Multiple Products Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-22681
9.5đ Late Disclosure
RockwellMultiple Products
â° Federal Deadline:March 25, 2026(20 days remaining)
Rockwell Multiple Products Insufficient Protected Credentials Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2023-43000
9.5đ Late Disclosure
AppleMultiple Products
â° Federal Deadline:March 25, 2026(20 days remaining)
Apple Multiple products Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-30952
9.5đ Late Disclosure
AppleMultiple Products
â° Federal Deadline:March 25, 2026(20 days remaining)
Apple Multiple Products Integer Overflow or Wraparound Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2023-41974
9.5đ Late Disclosure
AppleiOS and iPadOS
â° Federal Deadline:March 25, 2026(20 days remaining)
Apple iOS and iPadOS Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2026-2599
9.8đ
WordPressis vulnerable
The Database for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection via the 'download_csv' function. This could lead to code execution if a POP chain is present.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-21536
9.8đ
MicrosoftDevices Pricing
A remote code execution vulnerability exists in the Microsoft Devices Pricing Program. An attacker could exploit this to execute arbitrary code on the affected system with high privileges.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-27944
9.8đ
NginxUI is
Nginx UI prior to 2.3.3 allows unauthenticated access to the backup endpoint, exposing encryption keys in response headers and enabling full system backup decryption and theft.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28501
9.8
HPand objects
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-0848
10đ
NLTKNLTK
NLTK versions 3.9.2 and earlier are vulnerable to Remote Code Execution via improper validation of Java JAR files in the StanfordSegmenter module during the import process.
CVSS Base10
â
CRSSelect profile
CVE-2026-28469
9.8đ
GoogleChat monitor
A webhook routing vulnerability in OpenClaw's Google Chat monitor allows cross-account policy misrouting. Attackers can bypass allowlists by exploiting first-match request verification semantics.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28391
9.8đ
OpenClaw versionsOpenClaw
OpenClaw prior to 2026.2.2 is vulnerable to command injection because it fails to sanitize Windows cmd.exe metacharacters, allowing attackers to bypass command approval restrictions.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-69338
9.3đ
donRiode Core
The Riode Core plugin for WordPress is vulnerable to Blind SQL Injection due to improper neutralization of special elements, affecting versions up to 1.6.26.
CVSS Base9.3
â
CRSSelect profile
CVE-2026-28454
9.8
Telegramwebhook mode
OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28392
9.8đ
Slackslash
OpenClaw versions prior to 2026.2.14 contain a privilege escalation flaw in the Slack slash-command handler that allows unauthorized users to execute privileged commands via direct messages.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28446
9.8
OpenClaw versionsMultiple Products
OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerability in inbound allowlist policy validation that accepts empty caller IDs and uses suffix-based matching instead of strict equality. Remote attackers can bypass inbound access controls by placing calls with missing caller IDs or numbers ending with allowlisted digits to reach the voice-call agent and execute tools.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-1678
9.4đ
Zephyr ProjectZephyr RTOS
A buffer management flaw in dns_unpack_name() allows unauthenticated attackers to trigger an out-of-bounds write via malicious DNS responses when CONFIG_DNS_RESOLVER is enabled.
CVSS Base9.4
â
CRSSelect profile
CVE-2025-68553
9.9
zozothemes LendizMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Lendiz lendiz allows Upload a Web Shell to a Web Server.This issue affects Lendiz: from n/a through < 2.0.1.
CVSS Base9.9
â
CRSSelect profile
CVE-2025-68555
9.9
zozothemes NutrieMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Nutrie nutrie allows Upload a Web Shell to a Web Server.This issue affects Nutrie: from n/a through < 2.0.1.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-28464
9.8
OpenClaw versionsMultiple Products
OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually determine the authentication token.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28472
9.8
OpenClaw versionsMultiple Products
OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28473
9.8
OpenClaw versionsMultiple Products
OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat command. The /approve command path invokes exec.approval.resolve through an internal privileged gateway client, bypassing the operator.approvals permission check that protects direct RPC calls.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-54001
9.8
ThemeREX ClassterMultiple Products
Deserialization of Untrusted Data vulnerability in ThemeREX Classter classter allows Object Injection.This issue affects Classter: from n/a through <= 2.5.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28074
9.8
ThemeREX PizzaMultiple Products
Deserialization of Untrusted Data vulnerability in ThemeREX Pizza House pizzahouse allows Object Injection.This issue affects Pizza House: from n/a through <= 1.4.0.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28105
9.8
ThemeREX GoodMultiple Products
Deserialization of Untrusted Data vulnerability in ThemeREX Good Energy goodenergy allows Object Injection.This issue affects Good Energy: from n/a through <= 1.7.7.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28536
9.6đ
the deviceDevice Authentication Module
An authentication bypass vulnerability in a device authentication module allows unauthenticated attackers to compromise the integrity and confidentiality of the affected system.
CVSS Base9.6
â
CRSSelect profile
CVE-2026-22552
9.4đ
OCPP (Open Charge Point Protocol)WebSocket Endpoints
OCPP WebSocket endpoints lack authentication, allowing unauthenticated attackers to impersonate charging stations. This enables unauthorized control of charging infrastructure and data corruption.
CVSS Base9.4
â
CRSSelect profile
CVE-2026-28115
9.3
loopus WPMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Blind SQL Injection.This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25.
CVSS Base9.3
â
CRSSelect profile
CVE-2025-40926
9.8đ
Perl (CPAN)Plack::Middleware::Session::Simple
Plack::Middleware::Session::Simple for Perl generates session IDs insecurely using predictable seeds. This allows attackers to guess session IDs and hijack user sessions.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-3257
9.8
UnQLite versionsMultiple Products
UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library.
UnQLite for Perl embeds the UnQLite library. Version 0.06 and earlier of the Perl module uses a version of the library from 2014 that may be vulnerable to a heap-based overflow.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-3381
9.8đ
Perl (CPAN)Compress::Raw::Zlib
Compress::Raw::Zlib for Perl bundles an insecure version of the zlib library (CVE-2026-27171). Updating to version 2.220 resolves these underlying security issues.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28470
9.8
OpenClaw versionsMultiple Products
OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. Attackers can bypass the allowlist protection by embedding unescaped $() or backticks inside double-quoted strings to execute unauthorized commands.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28474
9.8đ
OpenClawNextcloud Talk plugin
OpenClaw's Nextcloud Talk plugin uses mutable display names for allowlist validation. Attackers can bypass access controls by changing their display name to match an allowlisted ID.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28484
9.8
OpenClaw versionsMultiple Products
OpenClaw versions prior to 2026.2.15 contain an option injection vulnerability in the git-hooks/pre-commit hook that allows attackers to stage ignored files by creating maliciously-named files beginning with dashes. The hook fails to use a -- separator when piping filenames through xargs to git add, enabling attackers to inject git flags and add sensitive ignored files like .env to git history.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-29058
9.8đ
AVideoVideo-sharing Platform
AVideo is vulnerable to unauthenticated command injection via the base64Url parameter. Attackers can execute arbitrary OS commands, leading to full server compromise.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-2331
9.8đ
AppEngineFileaccess over HTTP
AppEngine's Fileaccess over HTTP feature lacks proper access restrictions, allowing unauthenticated read/write access to sensitive filesystem areas, including device parameters and Lua code.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-2330
9.4đ
CROWNREST interface
The CROWN REST interface fails to enforce whitelists on internal testing directories. Unauthenticated attackers can upload manipulated parameter files to modify critical device settings.
CVSS Base9.4
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2019-25499
8.2đ Late Disclosure
HPwith malicious
Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the job_id parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25501
8.2đ Late Disclosure
HPwith crafted
Simple Job Script contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code through the app_id parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25507
8.2đ Late Disclosure
HPwith malicious
Ashop Shopping Cart Software contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'shop' parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2026-20103
8.6đ
CiscoSecure Firewall
An unauthenticated, remote vulnerability in Cisco ASA and FTD Software allows attackers to exhaust device memory via SSL VPN functionality, leading to a persistent Denial of Service (DoS) condition.
CVSS Base8.6
â
CRSSelect profile
CVE-2026-28007
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Coinpress coinpress allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28010
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Scientia scientia allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28012
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gridiron gridiron allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28045
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX N7 | Golf Club Sports & Events n7-golf-club allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28047
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Victo victo allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28049
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Police Department police-department allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28051
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yacht Rental yacht-rental allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28052
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Peter Mason petermason allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28053
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Miller christine-miller allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28054
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Legal Stone legal-stone allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28056
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX MCKinney's Politics mckinney-politics allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28057
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Mandala mandala allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28058
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Dixon dixon allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28059
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Dermatology Clinic dermatology-clinic allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28060
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX S
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28061
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tiger Claw tiger-claw allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28062
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Happy Baby happy-baby allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28063
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Asia Garden asia-garden allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28064
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Edge Decor edge-decor allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28065
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Eject eject allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28066
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Legrand legrand allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28067
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Bassein bassein allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28068
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Rhythmo rhythmo allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28069
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Le Truffe letruffe allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28077
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Vapester vapester allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28079
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Conquerors conquerors allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28081
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Windsor windsor allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28084
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Bazinga bazinga allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28085
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Mahogany mahogany allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28086
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Run Gran run-gran allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28087
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Filmax filmax allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28088
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Aqualots aqualots allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28089
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Daiquiri daiquiri allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28090
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gamezone gamezone allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28091
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Coleo coleo allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28092
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Sounder sounder allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28093
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Ozisti ozisti allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28094
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX RexCoin rexcoin allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28095
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Marcell marcell allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28096
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX WealthCo wealthco allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28097
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Artrium artrium allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28098
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Save Life save-life allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28107
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Muzicon muzicon allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28117
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes smart SEO smartSEO allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28118
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Welldone welldone allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28119
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Nirvana nirvana allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28120
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Dr
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28121
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Anderson andersonclinic allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28123
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Veil veil allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28124
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Notarius notarius allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28125
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Midi midi allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28128
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Verse verse allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28129
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Little Birdies little-birdies allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-3544
8.8
GoogleChrome prior
Heap buffer overflow in WebCodecs in Google Chrome prior to 145
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3536
8.8
GoogleChrome prior
Integer overflow in ANGLE in Google Chrome prior to 145
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3537
8.8
GoogleChrome on
Object lifecycle issue in PowerVR in Google Chrome on Android prior to 145
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3538
8.8
GoogleChrome prior
Integer overflow in Skia in Google Chrome prior to 145
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3539
8.8đ
GoogleChrome prior
Google Chrome versions prior to 145 are vulnerable to an object lifecycle flaw within the DevTools component, potentially leading to memory corruption or arbitrary code execution.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3540
8.8
GoogleChrome prior
Inappropriate implementation in WebAudio in Google Chrome prior to 145
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3541
8.8
GoogleChrome prior
Inappropriate implementation in CSS in Google Chrome prior to 145
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3542
8.8
GoogleChrome prior
Inappropriate implementation in WebAssembly in Google Chrome prior to 145
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3543
8.8
GoogleChrome prior
Inappropriate implementation in V8 in Google Chrome prior to 145
CVSS Base8.8
â
CRSSelect profile
CVE-2026-25888
8.8
UnknownMultiple Products
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts
CVSS Base8.8
â
CRSSelect profile
CVE-2026-20002
8.1đ
CiscoSecure FMC
The web-based management interface of Cisco Secure FMC Software is vulnerable to an authenticated SQL injection attack, allowing attackers to manipulate or extract sensitive database information.
CVSS Base8.1
â
CRSSelect profile
CVE-2026-3459
8.1
WordPressis vulnerable
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1
CVSS Base8.1
â
CRSSelect profile
CVE-2026-20039
8.6
CiscoSecure Firewall
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device
CVSS Base8.6
â
CRSSelect profile
CVE-2026-20082
8.6
CiscoSecure Firewall
A vulnerability in the handling of the embryonic connection limits in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause incoming TCP SYN packets to be dropped incorrectly
CVSS Base8.6
â
CRSSelect profile
CVE-2026-20101
8.6
CiscoSecure Firewall
A vulnerability in the SAML 2
CVSS Base8.6
â
CRSSelect profile
CVE-2019-25498
8.2đ Late Disclosure
ArchMultiple Products
Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the landing_location parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25500
8.2đ Late Disclosure
SimpleMultiple Products
Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the employerid parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25504
8.2đ Late Disclosure
InforMultiple Products
NCrypted Jobgator contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the experience parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2026-1321
8.1
WordPressis vulnerable
The Membership Plugin â Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3
CVSS Base8.1
â
CRSSelect profile
CVE-2026-1720
8.8
WordPressis vulnerable
The WowOptin: Next-Gen Popup Maker â Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'install_and_active_plugin' function in all versions up to, and including, 1
CVSS Base8.8
â
CRSSelect profile
CVE-2019-25506
8.2đ Late Disclosure
HPMultiple Products
FreeSMS 2
CVSS Base8.2
â
CRSSelect profile
CVE-2026-28676
8.8
Archand generative
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI
CVSS Base8.8
â
CRSSelect profile
CVE-2026-28683
8.7
sharingMultiple Products
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support
CVSS Base8.7
â
CRSSelect profile
CVE-2026-28677
8.2
Archand generative
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI
CVSS Base8.2
â
CRSSelect profile
CVE-2026-28134
8.5
Crocoblock JetEngineMultiple Products
Improper Control of Generation of Code ('Code Injection') vulnerability in Crocoblock JetEngine jet-engine allows Remote Code Inclusion
CVSS Base8.5
â
CRSSelect profile
CVE-2026-3047
8.8
UnknownMultiple Products
A flaw was found in org
CVSS Base8.8
â
CRSSelect profile
CVE-2026-28466
8.8
priorMultiple Products
OpenClaw versions prior to 2026
CVSS Base8.8
â
CRSSelect profile
CVE-2025-55289
8.8
ChamiloMultiple Products
Chamilo is a learning management system
CVSS Base8.8
â
CRSSelect profile
CVE-2026-29041
8.8
UnknownMultiple Products
Chamilo is a learning management system
CVSS Base8.8
â
CRSSelect profile
CVE-2026-26022
8.7
UnknownMultiple Products
Gogs is an open source self-hosted Git service
CVSS Base8.7
â
CRSSelect profile
CVE-2026-0847
8.6
NLTK versions up toMultiple Products
A vulnerability in NLTK versions up to and including 3
CVSS Base8.6
â
CRSSelect profile
CVE-2026-26125
8.6
PaymentMultiple Products
Payment Orchestrator Service Elevation of Privilege Vulnerability
CVSS Base8.6
â
CRSSelect profile
CVE-2026-28679
8.6
UnknownMultiple Products
Home-Gallery
CVSS Base8.6
â
CRSSelect profile
CVE-2026-28442
8.5
UnknownMultiple Products
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI
CVSS Base8.5
â
CRSSelect profile
CVE-2026-28456
8.4
OpenClawMultiple Products
OpenClaw versions 2026
CVSS Base8.4
â
CRSSelect profile
CVE-2026-28463
8.4
UnknownMultiple Products
OpenClaw exec-approvals allowlist validation checks pre-expansion argv tokens but execution uses real shell expansion, allowing safe bins like head, tail, or grep to read arbitrary local files via glob patterns or environment variables
CVSS Base8.4
â
CRSSelect profile
CVE-2026-28485
8.4
OpenClawMultiple Products
OpenClaw versions 2026
CVSS Base8.4
â
CRSSelect profile
CVE-2026-27802
8.3
compatibleMultiple Products
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
CVSS Base8.3
â
CRSSelect profile
CVE-2026-27803
8.3
compatibleMultiple Products
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
CVSS Base8.3
â
CRSSelect profile
CVE-2026-28787
8.2
UnknownMultiple Products
OneUptime is a solution for monitoring and managing online services
CVSS Base8.2
â
CRSSelect profile
CVE-2026-3009
8.1
UnknownMultiple Products
A security flaw in the IdentityBrokerService
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28710
8.1
LinuxMultiple Products
Sensitive information disclosure and manipulation due to improper authentication