Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Yesterday's disclosures reveal 24 critical vulnerabilities affecting a broad range of products including HP FreeFlow and scripting components, WeGIA Web Manager, Xerox FreeFlow Core, and Copeland XWEB Pro â both scoring a perfect CVSS 10. Critical CVEs rose 33% from the prior day while high-priority vulnerabilities held steady at 97 (down 3%). Notable entries include CVE-2026-28409 in WeGIA Web Manager and CVE-2026-21718 in Copeland XWEB Pro, both with maximum severity scores, alongside multiple CVSS 9.8 flaws in SODOLA firmware, Totolink routers, and Vikunja project management software. Microsoft Windows and Office account for the majority of the 17 actively exploited vulnerabilities, with legacy flaws in Zimbra, GitLab, and Roundcube Webmail also under active exploitation. Patch availability currently sits at 0%, making compensating controls and network segmentation essential while vendors release fixes.
Two maximum-severity CVSS 10 vulnerabilities disclosed in WeGIA Web Manager (CVE-2026-28409) and Copeland XWEB Pro (CVE-2026-21718)
24 critical CVEs disclosed, a 33% increase from the prior day's 18
97 high-priority CVEs, a slight 3% decrease from the prior day's 100
Remote code execution and authentication bypass patterns dominate, affecting HP, Xerox FreeFlow Core, Totolink routers, SODOLA firmware, and OpenStack Vitrage
0% patch availability across all 121 disclosed CVEs â no vendor fixes currently released
17 actively exploited vulnerabilities spanning Microsoft Windows, Office, Apple OS, Google Chromium, and Roundcube Webmail
Immediate action: Prioritize mitigation for Microsoft Windows and Office systems, which represent the largest cluster of actively exploited vulnerabilities, and isolate any internet-facing Copeland XWEB Pro, WeGIA, and Roundcube Webmail instances. With 0% patch availability, apply network segmentation, restrict access to affected services, and monitor vendor advisories closely for upcoming fixes.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2026-21513
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(3 days remaining)
A protection mechanism failure in the MSHTML Framework allows an unauthenticated attacker to bypass security features over a network, potentially leading to unauthorized system access.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-21525
9.5
MicrosoftWindows
â° Federal Deadline:March 2, 2026(3 days remaining)
Microsoft Windows NULL Pointer Dereference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-21510
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(3 days remaining)
A protection mechanism failure in the Windows Shell allows an unauthenticated attacker to bypass security features over a network connection.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-21533
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(3 days remaining)
Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate their privileges locally on the affected system.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-21519
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(3 days remaining)
A type confusion vulnerability in the Desktop Window Manager (DWM) allows an authorized local attacker to elevate their privileges to a higher level.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-21514
9.5đ
MicrosoftOffice
â° Federal Deadline:March 2, 2026(3 days remaining)
A security feature bypass vulnerability in Microsoft Office Word exists due to reliance on untrusted inputs, allowing an unauthorized local attacker to circumvent security protections.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-20700
9.5đ
AppleApple OS
â° Federal Deadline:March 4, 2026(5 days remaining)
A memory corruption vulnerability in Apple software was addressed through improved state management to prevent potential exploitation.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2024-43468
9.5đ Late Disclosure
MicrosoftConfiguration Manager
â° Federal Deadline:March 4, 2026(5 days remaining)
Microsoft Configuration Manager SQL Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-15556
9.5
Notepad++Notepad++
â° Federal Deadline:March 4, 2026(5 days remaining)
Notepad++ Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2020-7796
9.5đ Late Disclosure
SynacorZimbra Collaboration Suite
â° Federal Deadline:March 9, 2026(10 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-7694
9.5đ Late Disclosure
TeamT5ThreatSonar Anti-Ransomware
â° Federal Deadline:March 9, 2026(10 days remaining)
TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2008-0015
9.5đ Late Disclosure
MicrosoftWindows
â° Federal Deadline:March 9, 2026(10 days remaining)
Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-2441
9.5đ
GoogleChromium
â° Federal Deadline:March 9, 2026(10 days remaining)
Google Chrome is vulnerable to a "Use After Free" condition in its CSS engine, which could allow a remote attacker to execute arbitrary code via a crafted webpage.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-22175
9.5đ Late Disclosure
GitLabGitLab
â° Federal Deadline:March 10, 2026(11 days remaining)
GitLab Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-49113
9.5
RoundcubeWebmail
â° Federal Deadline:March 12, 2026(13 days remaining)
RoundCube Webmail Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-68461
9.5
RoundcubeWebmail
â° Federal Deadline:March 12, 2026(13 days remaining)
RoundCube Webmail Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-25108
9.5đ
Soliton Systems K.KFileZen
â° Federal Deadline:March 16, 2026(17 days remaining)
FileZen is affected by a high-severity OS command injection vulnerability that allows a threat actor to execute arbitrary commands on the underlying operating system.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2026-28409
10đ
WeGIAWeGIA Web Manager
A critical RCE vulnerability in WeGIA's database restoration allows administrative users to execute arbitrary OS commands via crafted filenames in backup uploads.
CVSS Base10
â
CRSSelect profile
CVE-2026-2251
9.8đ
XeroxFreeFlow Core
A path traversal vulnerability in Xerox FreeFlow Core allows unauthenticated attackers to access restricted directories, potentially leading to remote code execution (RCE).
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28408
9.8đ
HPdoes not
A missing authentication and permission check in WeGIA allows unauthenticated attackers to inject massive amounts of unauthorized data into the application server's storage.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28411
9.8đ
HPscripts
Unsafe use of the PHP extract() function in WeGIA allows unauthenticated attackers to overwrite local variables and bypass administrative authentication checks.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-12981
9.8đ
WordPressis vulnerable
The Listee theme for WordPress allows unauthenticated registration as an Administrator due to a broken validation check in the listee-core plugin's registration function.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-3301
9.8đ
TotolinkN300RH
A remote OS command injection vulnerability exists in the Totolink N300RH Web Management Interface due to improper handling of the webWlanIdx parameter.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-27751
9.8đ
SODOLASL902-SWTGW124AS Firmware
SODOLA SL902-SWTGW124AS firmware contains hardcoded default credentials, allowing remote attackers to gain full administrative control over the device management interface.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28268
9.8đ
VikunjaVikunja (vikunja/api)
A logic flaw in the Vikunja password reset mechanism allows reset tokens to be reused indefinitely, enabling persistent account takeover if a token is intercepted.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28370
9.1đ
OpenStackVitrage
OpenStack Vitrage contains a code execution vulnerability in its query parser, allowing authenticated API users to execute arbitrary code on the service host.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-21718
10đ
CopelandXWEB Pro
Copeland XWEB Pro suffers from an authentication bypass vulnerability that allows unauthenticated attackers to achieve remote code execution.
CVSS Base10
â
CRSSelect profile
CVE-2026-24663
9đ
CopelandXWEB Pro
An unauthenticated OS command injection vulnerability in Copeland XWEB Pro allows remote code execution via a crafted request to the libraries installation route.
CVSS Base9
â
CRSSelect profile
CVE-2025-11251
9.8đ
Dayneks SoftwareE-Commerce Platform
The Dayneks E-Commerce Platform is vulnerable to SQL injection due to improper neutralization of special elements in SQL commands, potentially exposing the entire database.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-11252
9.8đ
Signum TechnologyWindesk.Fm
Signum Technology's Windesk.Fm platform contains an SQL injection vulnerability that allows attackers to execute arbitrary database commands via unsanitized inputs.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-28363
9.9đ
ABBOpenClaw
OpenClaw contains an input validation bypass in its `tools.exec.safeBins` component, where GNU long-option abbreviations can be used to execute unauthorized commands.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-2749
9.9đ
LinuxCentreon Open Tickets Module
The Centreon Open Tickets module on Central Server contains a critical vulnerability that could lead to unauthorized system access or compromise.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-24352
9.8đ
PluXmlPluXml CMS
PluXml CMS is vulnerable to session fixation, allowing unauthenticated attackers to pre-set a victim's session ID and hijack the session after the victim logs in.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-27755
9.8đ
SODOLASL902-SWTGW124AS Firmware
SODOLA SL902-SWTGW124AS firmware generates predictable MD5-based session identifiers, allowing attackers to forge authenticated sessions and bypass the login flow.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-20781
9.4đ
OCPP ImplementationsOCPP WebSocket Endpoint
A lack of authentication in OCPP WebSocket endpoints allows unauthenticated attackers to impersonate charging stations and manipulate charging network data.
CVSS Base9.4
â
CRSSelect profile
CVE-2026-24731
9.4đ
OCPP ImplementationsOCPP WebSocket Endpoint
Unauthenticated attackers can impersonate EV charging stations due to missing authentication mechanisms in OCPP WebSocket endpoints, enabling data manipulation.
CVSS Base9.4
â
CRSSelect profile
CVE-2026-25851
9.4đ
OCPP ImplementationsOCPP WebSocket Endpoint
OCPP WebSocket endpoints lack authentication, allowing unauthenticated attackers to impersonate legitimate charging stations and issue unauthorized commands.
CVSS Base9.4
â
CRSSelect profile
CVE-2026-27767
9.4đ
OCPP ImplementationsOCPP WebSocket Endpoint
Unauthenticated attackers can perform station impersonation and manipulate backend data due to a lack of authentication on OCPP WebSocket endpoints.
WebSocket endpoints lack authentication, allowing unauthenticated attackers to impersonate charging stations and manipulate backend data via the Open Charge Point Protocol.
Unauthenticated attackers can perform station impersonation and manipulate backend data due to a lack of proper authentication on OCPP WebSocket endpoints.
CVSS Base9.4
â
CRSSelect profile
CVE-2026-2750
9.1đ
LinuxCentreon Open Tickets Module
An improper input validation vulnerability in Centreon Open Tickets allows attackers to submit malicious data that could compromise the Central Server.
CVSS Base9.1
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2019-25490
8.2đ Late Disclosure
HPendpoint with
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25491
8.2đ Late Disclosure
HPendpoint with
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25492
8.2đ Late Disclosure
HPendpoint with
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25493
8.2đ Late Disclosure
HPendpoint with
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2026-2471
7.5
WordPressis vulnerable
The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1
CVSS Base7.5
â
CRSSelect profile
CVE-2026-2252
7.5
performFreeFlow Core
An XML External Entity (XXE) vulnerability allows malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references
CVSS Base7.5
â
CRSSelect profile
CVE-2026-27836
7.5
HPMultiple Products
phpMyFAQ is an open source FAQ web application
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25489
8.2đ Late Disclosure
InforMultiple Products
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2025-13673
7.5
WordPressis vulnerable
The Tutor LMS â eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3
CVSS Base7.5
â
CRSSelect profile
CVE-2026-1565
8.8
WordPressis vulnerable
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPUF_Admin_Settings::check_filetype_and_ext' function and in the 'Admin_Tools::check_filetype_and_ext' function in all versions up to, and including, 4
CVSS Base8.8
â
CRSSelect profile
CVE-2026-22206
8.8
HPtag processing
SPIP versions prior to 4
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2428
7.5
WordPressis vulnerable
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25495
8.2đ Late Disclosure
HPwith malicious
osCommerce 2
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25496
8.2đ Late Disclosure
HPrequests and
osCommerce 2
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25497
8.2đ Late Disclosure
HPwith malicious
osCommerce 2
CVSS Base8.2
â
CRSSelect profile
CVE-2026-28402
7.1
LGMultiple Products
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm
CVSS Base7.1
â
CRSSelect profile
CVE-2026-22205
7.5
HPtype juggling
SPIP versions prior to 4
CVSS Base7.5
â
CRSSelect profile
CVE-2026-28400
7.5
DockerModel Runner
Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker
CVSS Base7.5
â
CRSSelect profile
CVE-2026-3261
7.3
HPof the
A flaw has been found in itsourcecode School Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-0980
8.3
RedSatellite
A flaw was found in rubyipmi, a gem used in the Baseboard Management Controller (BMC) component of Red Hat Satellite
CVSS Base8.3
â
CRSSelect profile
CVE-2025-40932
8.2
versionsMultiple Products
Apache::SessionX versions through 2
CVSS Base8.2
â
CRSSelect profile
CVE-2026-28406
8.2đ
KubernetesKaniko
A high-severity vulnerability in Kaniko, a container image builder, could allow attackers to compromise build environments within Kubernetes clusters.
CVSS Base8.2
â
CRSSelect profile
CVE-2025-71057
8.2
D-LinkWireless
Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1
CVSS Base8.2
â
CRSSelect profile
CVE-2026-25147
7.1
HPMultiple Products
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base7.1
â
CRSSelect profile
CVE-2026-28416
8.2
GradioMultiple Products
Gradio is an open-source Python package designed for quick prototyping
CVSS Base8.2
â
CRSSelect profile
CVE-2026-3271
8.8
TendaF453
A vulnerability was found in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3272
8.8
TendaF453
A vulnerability was determined in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3273
8.8
TendaF453
A vulnerability was identified in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3274
8.8
TendaF453
A security flaw has been discovered in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3275
8.8
TendaF453
A weakness has been identified in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-28414
7.5
GradioMultiple Products
Gradio is an open-source Python package designed for quick prototyping
CVSS Base7.5
â
CRSSelect profile
CVE-2026-28216
8.3
UnknownMultiple Products
hoppscotch is an open source API development ecosystem
CVSS Base8.3
â
CRSSelect profile
CVE-2026-28372
7.4
inetutilsin release
telnetd in GNU inetutils through 2
CVSS Base7.4
â
CRSSelect profile
CVE-2026-3071
8.4
fromMultiple Products
Deserialization of untrusted data in the LanguageModel class of Flair from versions 0
CVSS Base8.4
â
CRSSelect profile
CVE-2026-2751
8.3
LinuxMultiple Products
Blind SQL Injection via unsanitized array keys in Service Dependencies deletion
CVSS Base8.3
â
CRSSelect profile
CVE-2019-25494
8.2đ Late Disclosure
administrationMultiple Products
Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields
CVSS Base8.2
â
CRSSelect profile
CVE-2026-27939
8.8
UnknownMultiple Products
Statmatic is a Laravel and Git powered content management system (CMS)
CVSS Base8.8
â
CRSSelect profile
CVE-2026-28274
8.7
UnknownMultiple Products
Initiative is a self-hosted project management platform
CVSS Base8.7
â
CRSSelect profile
CVE-2025-69437
8.7
UnknownMultiple Products
PublicCMS v5
CVSS Base8.7
â
CRSSelect profile
CVE-2026-28426
8.7
svgMultiple Products
Statmatic is a Laravel and Git powered content management system (CMS)
CVSS Base8.7
â
CRSSelect profile
CVE-2026-27776
7.2
UnknownMultiple Products
IM-LogicDesigner module of intra-mart Accel Platform contains insecure deserialization issue
CVSS Base7.2
â
CRSSelect profile
CVE-2026-26938
8.6
TemplateMultiple Products
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242)
CVSS Base8.6
â
CRSSelect profile
CVE-2026-25085
8.6
ProMultiple Products
A vulnerability exists in Copeland XWEB Pro version 1
CVSS Base8.6
â
CRSSelect profile
CVE-2026-26861
8.3
SDKMultiple Products
CleverTap Web SDK version 1
CVSS Base8.3
â
CRSSelect profile
CVE-2026-26862
8.3
SDKMultiple Products
CleverTap Web SDK version 1
CVSS Base8.3
â
CRSSelect profile
CVE-2026-23750
8.1
PouchMultiple Products
Golioth Pouch version 0
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28275
8.1
UnknownMultiple Products
Initiative is a self-hosted project management platform
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28272
8.1
KiteworksMultiple Products
Kiteworks is a private data network (PDN)
CVSS Base8.1
â
CRSSelect profile
CVE-2026-27509
8
UnitreeMultiple Products
Unitree Go2 firmware versions V1
CVSS Base8
â
CRSSelect profile
CVE-2026-20742
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-20902
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-20910
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-21389
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-24517
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-24689
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-24695
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-25109
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-25111
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-25195
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-20764
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-23702
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-24452
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-25037
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-25105
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-25196
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-25721
8
ProMultiple Products
An OS command injection
vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-3037
8
ProMultiple Products
An OS command injection vulnerability exists in XWEB Pro version 1
CVSS Base8
â
CRSSelect profile
CVE-2026-28425
8
UnknownMultiple Products
Statmatic is a Laravel and Git powered content management system (CMS)
CVSS Base8
â
CRSSelect profile
CVE-2026-28364
7.9
OCamlMultiple Products
In OCaml before 4
CVSS Base7.9
â
CRSSelect profile
CVE-2026-26682
7.8
UnknownMultiple Products
An issue in fastCMS before v
CVSS Base7.8
â
CRSSelect profile
CVE-2026-28211
7.8
UnknownMultiple Products
The NVDA Dev & Test Toolbox is an NVDA add-on for gathering tools to help NVDA development and testing
CVSS Base7.8
â
CRSSelect profile
CVE-2026-1442
7.8
LGMultiple Products
Since the encryption algorithm used to protect firmware updates is itself encrypted using key material available to an attacker (or anyone paying attention), the firmware updates may be altered by an unauthorized user, and then trusted by a Unitree product, such as the Unitree Go2 and other models
CVSS Base7.8
â
CRSSelect profile
CVE-2025-14343
7.6
Dokuzsoft TechnologyMultiple Products
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology Ltd
CVSS Base7.6
â
CRSSelect profile
CVE-2026-26078
7.5
UnknownMultiple Products
Discourse is an open source discussion platform
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26265
7.5
directoryMultiple Products
Discourse is an open source discussion platform
CVSS Base7.5
â
CRSSelect profile
CVE-2026-27141
7.5
runningMultiple Products
Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
CVSS Base7.5
â
CRSSelect profile
CVE-2026-27449
7.5đ
IntelUmbraco Engage
Umbraco Engage, a business intelligence platform, is affected by a high-severity vulnerability that could lead to unauthorized platform access.
CVSS Base7.5
â
CRSSelect profile
CVE-2026-28276
7.5
UnknownMultiple Products
Initiative is a self-hosted project management platform
CVSS Base7.5
â
CRSSelect profile
CVE-2026-20792
7.5
UnknownMultiple Products
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests
CVSS Base7.5
â
CRSSelect profile
CVE-2026-25113
7.5
UnknownMultiple Products
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests
CVSS Base7.5
â
CRSSelect profile
CVE-2026-25114
7.5
UnknownMultiple Products
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests
CVSS Base7.5
â
CRSSelect profile
CVE-2026-25945
7.5
UnknownMultiple Products
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests
CVSS Base7.5
â
CRSSelect profile
CVE-2026-2597
7.5
versionsMultiple Products
Crypt::SysRandom::XS versions before 0
CVSS Base7.5
â
CRSSelect profile
CVE-2026-24445
7.5
UnknownMultiple Products
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26305
7.5
UnknownMultiple Products
The WebSocket Application Programming Interface lacks restrictions on
the number of authentication requests
CVSS Base7.5
â
CRSSelect profile
CVE-2025-10990
7.5
UnknownMultiple Products
A flaw was found in REXML
CVSS Base7.5
â
CRSSelect profile
CVE-2026-28279
7.3
UnknownMultiple Products
osctrl is an osquery management solution
CVSS Base7.3
â
CRSSelect profile
CVE-2026-20895
7.3
UnknownMultiple Products
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier
CVSS Base7.3
â
CRSSelect profile
CVE-2026-25711
7.3
UnknownMultiple Products
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier
CVSS Base7.3
â
CRSSelect profile
CVE-2026-25778
7.3
UnknownMultiple Products
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier
CVSS Base7.3
â
CRSSelect profile
CVE-2026-27652
7.3
UnknownMultiple Products
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier
CVSS Base7.3
â
CRSSelect profile
CVE-2026-26290
7.3
UnknownMultiple Products
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier
CVSS Base7.3
â
CRSSelect profile
CVE-2026-27647
7.3
UnknownMultiple Products
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier
CVSS Base7.3
â
CRSSelect profile
CVE-2026-27707
7.3
discoveryMultiple Products
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby
CVSS Base7.3
â
CRSSelect profile
CVE-2026-25741
7.1
UnknownMultiple Products
Zulip is an open-source team collaboration tool
CVSS Base7.1
â
CRSSelect profile
CVE-2026-27638
7.1
UnknownMultiple Products
Actual is a local-first personal finance tool
CVSS Base7.1
â
CRSSelect profile
CVE-2026-27757
7.1
versionsMultiple Products
SODOLA SL902-SWTGW124AS firmware versions through 200