Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Today's Security Brief
Friday's vulnerability landscape is dominated by critical flaws affecting Microsoft Bing, Microsoft Entra ID, and HP enterprise products, with two CVSS 10.0 issues requiring immediate attention. The day brought 37 critical CVEs (up 147% from yesterday) and 91 high-priority CVEs (down 9% from yesterday). Notable disclosures include CVE-2026-33819 affecting Microsoft Bing, CVE-2026-35431 in Microsoft Entra ID, and CVE-2026-41228 enabling code execution in HP products. Remote code execution and authentication bypass patterns dominate today's disclosures, with WordPress, Google Chrome, and Microsoft Dynamics also affected. No patches are currently available for these disclosures, requiring defensive monitoring and compensating controls until vendor fixes ship.
Microsoft products lead disclosures with critical flaws in Bing, Entra ID, Partner Center, and Dynamics
37 critical CVEs disclosed, a 147% increase from yesterday's 15
91 high-priority CVEs disclosed, a 9% decrease from yesterday's 100
Remote code execution and authentication bypass patterns affect HP, WordPress, and Google Chrome
0% patch availability across critical disclosures requires immediate compensating controls
15 actively exploited vulnerabilities span Microsoft Office, Adobe Acrobat, Apache ActiveMQ, and JetBrains TeamCity
Immediate action: Security teams should prioritize Microsoft Bing, Entra ID, and HP enterprise systems for immediate review, alongside WordPress and Google Chrome deployments exposed to the internet. With 0% patch availability for today's critical disclosures, implement network segmentation, enhanced monitoring, and access restrictions on affected systems while tracking vendor advisories for forthcoming fixes.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2012-1854
9.5π Late Disclosure
MicrosoftVisual Basic for Applications (VBA)
β° Federal Deadline:April 26, 2026(3 days remaining)
Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-60710
9.5
MicrosoftWindows
β° Federal Deadline:April 26, 2026(3 days remaining)
Microsoft Windows Link Following Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2023-21529
9.5π Late Disclosure
MicrosoftExchange Server
β° Federal Deadline:April 26, 2026(3 days remaining)
Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2023-36424
9.5π Late Disclosure
MicrosoftWindows
β° Federal Deadline:April 26, 2026(3 days remaining)
Microsoft Windows Out-of-Bounds Read Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2020-9715
9.5π Late Disclosure
AdobeAcrobat
β° Federal Deadline:April 26, 2026(3 days remaining)
Adobe Acrobat Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-34621
9.5π
AdobeAcrobat and Reader
β° Federal Deadline:April 26, 2026(3 days remaining)
Adobe Acrobat Reader is vulnerable to prototype pollution, which can result in arbitrary code execution when a victim opens a malicious file.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2009-0238
9.5π Late Disclosure
MicrosoftOffice
β° Federal Deadline:April 27, 2026(4 days remaining)
Microsoft Office Remote Code Execution - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-32201
9.5
MicrosoftSharePoint Server
β° Federal Deadline:April 27, 2026(4 days remaining)
Microsoft SharePoint Server Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-34197
9.5
ApacheActiveMQ
β° Federal Deadline:April 29, 2026(6 days remaining)
Apache ActiveMQ Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-2749
9.5
KenticoKentico Xperience
β° Federal Deadline:May 3, 2026(10 days remaining)
Kentico Xperience Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2023-27351
9.5π Late Disclosure
PaperCutNG/MF
β° Federal Deadline:May 3, 2026(10 days remaining)
PaperCut NG/MF Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-32975
9.5
QuestKACE Systems Management Appliance (SMA)
β° Federal Deadline:May 3, 2026(10 days remaining)
Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2024-27199
9.5π Late Disclosure
JetBrainsTeamCity
β° Federal Deadline:May 3, 2026(10 days remaining)
JetBrains TeamCity Relative Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-33825
9.5
MicrosoftDefender
β° Federal Deadline:May 5, 2026(12 days remaining)
Microsoft Defender Insufficient Granularity of Access Control Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-39987
9.5
MarimoMarimo
β° Federal Deadline:May 6, 2026(13 days remaining)
Marimo Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2026-41228
9.9π
HPcode execution
A path traversal flaw in the Froxlor API allows authenticated customers to execute arbitrary PHP code via the `def_language` parameter.
CVSS Base9.9
β
CRSSelect profile
CVE-2026-41229
9.1π
HPstring literals
An injection vulnerability in Froxlor's `PhpHelper` allows administrators to inject and execute arbitrary PHP code via unescaped string literals.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-6920
9.6π
GoogleChrome on
An out-of-bounds read vulnerability in the Google Chrome GPU process on Android allows a remote attacker to achieve sandbox escape via a crafted HTML page.
CVSS Base9.6
β
CRSSelect profile
CVE-2026-33819
10π
MicrosoftBing allows
A deserialization vulnerability in Microsoft Bing allows an unauthorized remote attacker to execute arbitrary code via the network.
CVSS Base10
β
CRSSelect profile
CVE-2026-3844
9.8π
WordPressis vulnerable
The Breeze Cache plugin for WordPress is vulnerable to unauthenticated arbitrary file uploads via the Gravatar fetching function.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6887
9.8
BorgMultiple Products
Borg SPM 2007 (Sales Ended in 2008)Β developed by BorG Technology Corporation has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-41460
9.8
SocialEngineMultiple Products
SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, potentially enabling remote code execution.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-35431
10π
MicrosoftEntra ID
A Server-Side Request Forgery (SSRF) vulnerability in Microsoft Entra ID Entitlement Management allows unauthorized attackers to perform spoofing over a network.
CVSS Base10
β
CRSSelect profile
CVE-2026-24303
9.6π
MicrosoftPartner Center
Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.
CVSS Base9.6
β
CRSSelect profile
CVE-2026-32210
9.3π
MicrosoftDynamics
A Server-Side Request Forgery (SSRF) vulnerability in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.
CVSS Base9.3
β
CRSSelect profile
CVE-2026-40470
9.9π
Haskell.orgHackage Server
A Cross-Site Scripting (XSS) vulnerability in the Hackage server allows an attacker to hijack user sessions by serving malicious JavaScript via uploaded documentation or source packages.
CVSS Base9.9
β
CRSSelect profile
CVE-2025-62373
9.8π
PipecatPipecat
A deserialization vulnerability in the `LivekitFrameSerializer` class of the Pipecat framework allows remote attackers to execute arbitrary code via malicious pickle payloads.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-26210
9.8
KTransformersMultiple Products
KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without validation. Attackers can send a crafted pickle payload to the exposed ZMQ socket to execute arbitrary code on the server with the privileges of the ktransformers process.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-1949
9.8
DeltaElectronics AS320T
Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-41679
10π
PaperclipPaperclip
An unauthenticated remote code execution vulnerability exists in Paperclip due to improper handling of API calls in default configurations.
CVSS Base10
β
CRSSelect profile
CVE-2026-6886
9.8
BorgMultiple Products
Borg SPM 2007 (Sales Ended in 2008)Β developed by BorG Technology Corporation has a Authentication Bypass vulnerability, allowing unauthenticated remote attackers to log into the system as any user.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-23751
9.8
KofaxMultiple Products
Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6942
9.8π
Radareradare2-mcp
An OS command injection vulnerability in radare2-mcp allows unauthenticated remote attackers to execute arbitrary commands via the JSON-RPC interface.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-1950
9.8
DeltaElectronics AS320T
Delta Electronics AS320T has
No checking of the length of the buffer with the file name vulnerability.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-1951
9.8
DeltaElectronics AS320T
Delta Electronics AS320T has no checking of the length of the buffer with the directory name
vulnerability.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-1952
9.8
DeltaElectronics AS320T
Delta Electronics AS320T has denial of service via the undocumented subfunctionΒ vulnerability.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-39440
9.9
Funnelforms LLCMultiple Products
Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1.
CVSS Base9.9
β
CRSSelect profile
CVE-2026-6885
9.8
BorgMultiple Products
Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-39087
9.8π
Ntfyntfy.sh
A vulnerability in the `parseActions` function of ntfy.sh allows remote attackers to execute arbitrary code.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-25775
9.8
SenseLiveΒ X3050Multiple Products
A vulnerability inΒ SenseLiveΒ X3050βs remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host and does not verify user privileges, integrity of uploaded images, or the authenticity of provided firmware.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-27843
9.1π
SenseLiveX3050
A vulnerability in the SenseLive X3050 web management interface allows unauthorized modification of configuration parameters, leading to a persistent Denial-of-Service (DoS).
CVSS Base9.1
β
CRSSelect profile
CVE-2026-29198
9.8π
Rocket.ChatRocket.Chat
A NoSQL injection vulnerability in Rocket.Chat allows unauthenticated attackers to perform account takeovers of the first user when a specific OAuth configuration is present.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-40472
9.9π
Haskellhackage-server
The hackage-server application fails to sanitize user-controlled metadata from .cabal files, leading to a stored Cross-Site Scripting (XSS) vulnerability.
CVSS Base9.9
β
CRSSelect profile
CVE-2026-31175
9.8π
ToToLinkA3300R
The ToToLink A3300R firmware contains a command injection vulnerability in the stunEnable parameter, allowing unauthenticated remote code execution.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-31177
9.8π
ToToLinkA3300R
The ToToLink A3300R firmware contains a command injection vulnerability in the stunMinAlive parameter, allowing unauthenticated remote code execution.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-31178
9.8π
ToToLinkA3300R
The ToToLink A3300R firmware contains a command injection vulnerability in the stunMaxAlive parameter, allowing unauthenticated remote code execution.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-31181
9.8
UnknownMultiple Products
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-35503
9.8
SenseLive X3050Multiple Products
A vulnerability inΒ SenseLive X3050βs web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these exposed parameters and gain unauthorized access to administrative functionality.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-40620
9.8
SenseLiveΒ X3050Multiple Products
A vulnerability inΒ SenseLiveΒ X3050βs embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management connections from any reachable host, enabling unrestricted modification of critical configuration parameters, operational modes, and device state through a vendor-supplied or compatible client.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-40630
9.8
SenseLive
X3050Multiple Products
A vulnerability inΒ
SenseLive
X3050βs web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly interact with sensitive configuration functions.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-40471
9.6
UnknownMultiple Products
hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).
CVSS Base9.6
β
CRSSelect profile
CVE-2026-33102
9.3
UrlMultiple Products
Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.
CVSS Base9.3
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2026-33317
8.7
Linuxkernel running
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology
CVSS Base8.7
β
CRSSelect profile
CVE-2026-26150
8.6
MicrosoftPurview allows
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network
CVSS Base8.6
β
CRSSelect profile
CVE-2026-6921
8.3
GoogleChrome on
Race in GPU in Google Chrome on Windows prior to 147
CVSS Base8.3
β
CRSSelect profile
CVE-2026-4132
7.2
WordPressis vulnerable
The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading to Remote Code Execution in all versions up to and including 1
CVSS Base7.2
β
CRSSelect profile
CVE-2026-5364
8.1
WordPressis vulnerable
The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1
CVSS Base8.1
β
CRSSelect profile
CVE-2026-32172
8
MicrosoftPower Apps
Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network
CVSS Base8
β
CRSSelect profile
CVE-2026-31952
7.6
APIMultiple Products
Xibo is an open source digital signage platform with a web content management system and Windows display player software
CVSS Base7.6
β
CRSSelect profile
CVE-2026-41246
8.1
Kubernetesingress controller
Contour is a Kubernetes ingress controller using Envoy proxy
CVSS Base8.1
β
CRSSelect profile
CVE-2026-41309
8.2
HPMultiple Products
Open Source Social Network (OSSN) is open-source social networking software developed in PHP
CVSS Base8.2
β
CRSSelect profile
CVE-2026-41323
8.1
TeamsMultiple Products
Kyverno is a policy engine designed for cloud native platform engineering teams
CVSS Base8.1
β
CRSSelect profile
CVE-2026-35368
7.8
UnknownMultiple Products
A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option
CVSS Base7.8
β
CRSSelect profile
CVE-2026-32679
7.8
MeetMultiple Products
The installers of LiveOn Meet Client for Windows (Downloader5Installer
CVSS Base7.8
β
CRSSelect profile
CVE-2026-41068
7.7
TeamsMultiple Products
Kyverno is a policy engine designed for cloud native platform engineering teams
CVSS Base7.7
β
CRSSelect profile
CVE-2026-41485
7.7
TeamsMultiple Products
Kyverno is a policy engine designed for cloud native platform engineering teams
CVSS Base7.7
β
CRSSelect profile
CVE-2026-34413
8.6
HPwhere an
Xerte Online Toolkits versions 3
CVSS Base8.6
β
CRSSelect profile
CVE-2026-40062
7.5
InforMultiple Products
A path Traversal vulnerability exists in Ziostation2 v2
CVSS Base7.5
β
CRSSelect profile
CVE-2026-35338
7.3
chmod utility ofMultiple Products
A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism
CVSS Base7.3
β
CRSSelect profile
CVE-2026-5464
7.2
GoogleAnalytics Dashboard
The ExactMetrics β Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9
CVSS Base7.2
β
CRSSelect profile
CVE-2026-26354
8.1
DellPowerProtect Data
Dell PowerProtect Data Domain with Domain Operating System (DD OS) of Feature Release versions 7
CVSS Base8.1
β
CRSSelect profile
CVE-2026-35341
7.1
uutils coreutilsMultiple Products
A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files
CVSS Base7.1
β
CRSSelect profile
CVE-2026-35352
7
UnknownMultiple Products
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils
CVSS Base7
β
CRSSelect profile
CVE-2026-34414
7.1
HPwhere the
Xerte Online Toolkits versions 3
CVSS Base7.1
β
CRSSelect profile
CVE-2026-40886
7.7
KubernetesMultiple Products
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes
CVSS Base7.7
β
CRSSelect profile
CVE-2026-41316
8.1
UnknownMultiple Products
ERB is a templating system for Ruby
CVSS Base8.1
β
CRSSelect profile
CVE-2026-41241
8.7
Archin the
pretalx is a conference planning tool
CVSS Base8.7
β
CRSSelect profile
CVE-2026-35548
8.5
Pluginsof valid
An issue was discovered in guardsix (formerly Logpoint) ODBC Enrichment Plugins before 5
CVSS Base8.5
β
CRSSelect profile
CVE-2026-33593
7.5
UnknownMultiple Products
A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query
CVSS Base7.5
β
CRSSelect profile
CVE-2026-33608
7.4
UnknownMultiple Products
An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next restart, requiring manual operation to fix it
CVSS Base7.4
β
CRSSelect profile
CVE-2026-41651
8.8
ArchMultiple Products
PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API
CVSS Base8.8
β
CRSSelect profile
CVE-2026-4922
8.1
versionshas remediated
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17
CVSS Base8.1
β
CRSSelect profile
CVE-2026-5262
8
versionshas remediated
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16
CVSS Base8
β
CRSSelect profile
CVE-2026-5816
8
versionshas remediated
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18
CVSS Base8
β
CRSSelect profile
CVE-2026-3621
7.5
IBMWebSphere Application
IBM WebSphere Application Server - Liberty 17
CVSS Base7.5
β
CRSSelect profile
CVE-2026-6947
7.5
D-Linkhas
DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force Protection Bypass vulnerability, allowing unauthenticated adjacent network attackers to bypass login attempt limits to perform brute-force attacks to gain control over the device
CVSS Base7.5
β
CRSSelect profile
CVE-2026-5935
7.3
IBMTotal Storage
IBM Total Storage Service Console (TSSC) / TS4500 IMC 9
CVSS Base7.3
β
CRSSelect profile
CVE-2026-34488
7.3
Archpath
IP Setting Software contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries
CVSS Base7.3
β
CRSSelect profile
CVE-2026-40882
7.6
UnknownMultiple Products
OpenRemote is an open-source internet-of-things platform
CVSS Base7.6
β
CRSSelect profile
CVE-2026-41272
7.1
AWSallow attackers
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base7.1
β
CRSSelect profile
CVE-2026-41359
7.1
OpenClawconfiguration and
OpenClaw before 2026
CVSS Base7.1
β
CRSSelect profile
CVE-2026-6903
7.5
WebMultiple Products
The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality
CVSS Base7.5
β
CRSSelect profile
CVE-2026-41166
7
UnknownMultiple Products
OpenRemote is an open-source internet-of-things platform
CVSS Base7
β
CRSSelect profile
CVE-2026-6859
8.8
LinuxMultiple Products
A flaw was found in InstructLab
CVSS Base8.8
β
CRSSelect profile
CVE-2026-41208
8.8
UnknownMultiple Products
Paperclip is a Node
CVSS Base8.8
β
CRSSelect profile
CVE-2026-41349
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
β
CRSSelect profile
CVE-2026-41352
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
β
CRSSelect profile
CVE-2026-33318
8.8
UnknownMultiple Products
Actual is a local-first personal finance tool
CVSS Base8.8
β
CRSSelect profile
CVE-2026-41468
8.7
embedsMultiple Products
Beghelli Sicuro24 SicuroWeb embeds AngularJS 1
CVSS Base8.7
β
CRSSelect profile
CVE-2026-41455
8.5
WeKanMultiple Products
WeKan beforeΒ 8
CVSS Base8.5
β
CRSSelect profile
CVE-2026-41230
8.5
sourceMultiple Products
Froxlor is open source server administration software
CVSS Base8.5
β
CRSSelect profile
CVE-2026-41461
8.5
SocialEngineMultiple Products
SocialEngine versions 7
CVSS Base8.5
β
CRSSelect profile
CVE-2018-25259
8.4π Late Disclosure
ServicesMultiple Products
Terminal Services Manager 3
CVSS Base8.4
β
CRSSelect profile
CVE-2018-25260
8.4π Late Disclosure
MusicMultiple Products
MAGIX Music Editor 3
CVSS Base8.4
β
CRSSelect profile
CVE-2018-25261
8.4π Late Disclosure
IperiusMultiple Products
Iperius Backup 5
CVSS Base8.4
β
CRSSelect profile
CVE-2018-25265
8.4π Late Disclosure
scanMultiple Products
LanSpy 2
CVSS Base8.4
β
CRSSelect profile
CVE-2018-25268
8.4π Late Disclosure
LanSpyMultiple Products
LanSpy 2
CVSS Base8.4
β
CRSSelect profile
CVE-2026-40937
8.3
UnknownMultiple Products
RustFS is a distributed object storage system built in Rust
CVSS Base8.3
β
CRSSelect profile
CVE-2026-41454
8.3
WeKanMultiple Products
WeKan beforeΒ 8
CVSS Base8.3
β
CRSSelect profile
CVE-2026-41138
8.3
AirtableAgentMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base8.3
β
CRSSelect profile
CVE-2026-41175
8.1
UnknownMultiple Products
Statamic is a Laravel and Git powered content management system (CMS)
CVSS Base8.1
β
CRSSelect profile
CVE-2026-41267
8.1
accountMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base8.1
β
CRSSelect profile
CVE-2026-41353
8.1
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.1
β
CRSSelect profile
CVE-2026-27841
8.1
SenseLiveMultiple Products
A vulnerability inΒ SenseLiveΒ X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections
CVSS Base8.1
β
CRSSelect profile
CVE-2026-39462
8.1
UnknownMultiple Products
A vulnerability exists inΒ SenseLive X3050βs web management interface in which password updates are not reliably applied due to improper handling of credential changes on the backend
CVSS Base8.1
β
CRSSelect profile
CVE-2026-40623
8.1
SenseLiveMultiple Products
A vulnerability inΒ SenseLiveΒ X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls
CVSS Base8.1
β
CRSSelect profile
CVE-2026-6846
7.8
UnknownMultiple Products
A flaw was found in binutils
CVSS Base7.8
β
CRSSelect profile
CVE-2026-40517
7.8
priorMultiple Products
radare2 prior to 6
CVSS Base7.8
β
CRSSelect profile
CVE-2026-33999
7.8
UnknownMultiple Products
A flaw was found in the X
CVSS Base7.8
β
CRSSelect profile
CVE-2026-34001
7.8
UnknownMultiple Products
A flaw was found in the X
CVSS Base7.8
β
CRSSelect profile
CVE-2026-34003
7.8
InforMultiple Products
A flaw was found in the X
CVSS Base7.8
β
CRSSelect profile
CVE-2026-41336
7.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.8
β
CRSSelect profile
CVE-2026-41268
7.7
UnknownMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base7.7
β
CRSSelect profile
CVE-2026-6857
7.5
UnknownMultiple Products
A flaw was found in camel-infinispan
CVSS Base7.5
β
CRSSelect profile
CVE-2026-34063
7.5
UnknownMultiple Products
Nimiq's network-libp2p is a Nimiq network implementation based on libp2p
CVSS Base7.5
β
CRSSelect profile
CVE-2026-34065
7.5
UnknownMultiple Products
nimiq-primitives contains primitives (e
CVSS Base7.5
β
CRSSelect profile
CVE-2026-41180
7.5
UnknownMultiple Products
PsiTransfer is an open source, self-hosted file sharing solution
CVSS Base7.5
β
CRSSelect profile
CVE-2026-41231
7.5
sourceMultiple Products
Froxlor is open source server administration software
CVSS Base7.5
β
CRSSelect profile
CVE-2026-41040
7.5
UnknownMultiple Products
GROWI provided by GROWI, Inc
CVSS Base7.5
β
CRSSelect profile
CVE-2026-41564
7.5
versionsMultiple Products
CryptX versions before 0
CVSS Base7.5
β
CRSSelect profile
CVE-2026-35064
7.5
SenseLiveMultiple Products
A vulnerability inΒ SenseLiveΒ X3050βs management ecosystem allows unauthenticated discovery of deployed units through the vendorβs management protocol, enabling identification of device presence, identifiers, and management interfaces without requiring credentials
CVSS Base7.5
β
CRSSelect profile
CVE-2026-41324
7.5
FTPMultiple Products
basic-ftp is an FTP client for Node
CVSS Base7.5
β
CRSSelect profile
CVE-2025-70994
7.3
Signalforgery after
Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system
CVSS Base7.3
β
CRSSelect profile
CVE-2026-41342
7.3
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.3
β
CRSSelect profile
CVE-2026-41355
7.3
OpenShellMultiple Products
OpenShell before 2026
CVSS Base7.3
β
CRSSelect profile
CVE-2026-33733
7.2
UnknownMultiple Products
EspoCRM is an open source customer relationship management application
CVSS Base7.2
β
CRSSelect profile
CVE-2026-6855
7.1
chatMultiple Products
A flaw was found in InstructLab
CVSS Base7.1
β
CRSSelect profile
CVE-2026-41269
7.1
UnknownMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base7.1
β
CRSSelect profile
CVE-2026-41270
7.1
UnknownMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base7.1
β
CRSSelect profile
CVE-2026-41271
7.1
UnknownMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow