Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Today's Security Brief
Tuesday's vulnerability disclosures reveal critical flaws in Delta Electronics COMMGR2 (CVE-2026-3630, CVSS 9.8) and Progress Budibase (CVE-2026-30240, CVSS 9.6), alongside web-enabled controller vulnerabilities affecting building automation systems. The day's 80 CVEs include 5 critical-severity issues, up 150% from Monday's 2, and 75 high-priority vulnerabilities, a 23% increase. Industrial control systems and low-code development platforms are the primary attack surfaces, with remote code execution and authentication bypass patterns dominating the critical findings. Fourteen vulnerabilities have confirmed active exploitation, including long-standing flaws in GitLab, Ivanti Endpoint Manager, Broadcom VMware Aria Operations, and multiple Apple products. No patches are currently available for Tuesday's newly disclosed CVEs, making network segmentation and compensating controls essential for affected systems.
Delta Electronics COMMGR2 carries the highest severity (CVSS 9.8) among newly disclosed CVEs, affecting industrial communications infrastructure
Critical CVE count jumped to 5, a 150% increase from Monday's 2 critical disclosures
75 high-priority vulnerabilities disclosed, up 23% from the prior day's 61
Remote code execution and authentication bypass flaws affect building automation controllers (wwwupdate.cgi, wwwupload.cgi) and Budibase server components
Patch availability stands at 0% for newly disclosed CVEs β compensating controls and network segmentation are immediately necessary
14 actively exploited vulnerabilities span Ivanti EPM, VMware Aria Operations, SolarWinds Web Help Desk, Roundcube Webmail, and Qualcomm chipsets
Immediate action: Prioritize network isolation for Delta Electronics COMMGR2 systems and building automation controllers running vulnerable wwwupdate.cgi and wwwupload.cgi services, as no patches are currently available. Review exposure to actively exploited flaws in Ivanti Endpoint Manager, Broadcom VMware Aria Operations, SolarWinds Web Help Desk, and Roundcube Webmail, and apply any existing vendor mitigations or access restrictions immediately.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2021-22175
9.5π Late Disclosure
GitLabGitLab
β° Federal Deadline:March 10, 2026(1 days remaining)
GitLab Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-26399
9.5π
SolarWindsWeb Help Desk
β° Federal Deadline:March 11, 2026(2 days remaining)
SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-49113
9.5
RoundcubeWebmail
β° Federal Deadline:March 12, 2026(3 days remaining)
RoundCube Webmail Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-68461
9.5
RoundcubeWebmail
β° Federal Deadline:March 12, 2026(3 days remaining)
RoundCube Webmail Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-25108
9.5π
Soliton Systems K.KFileZen
β° Federal Deadline:March 16, 2026(7 days remaining)
FileZen is affected by a high-severity OS command injection vulnerability that allows a threat actor to execute arbitrary commands on the underlying operating system.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2021-22054
9.5π Late Disclosure
OmnissaWorkspace One UEM
β° Federal Deadline:March 22, 2026(13 days remaining)
Omnissa Workspace ONE Server-Side Request Forgery - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-1603
9.5
Ivanti Endpoint Manager (EPM)
β° Federal Deadline:March 22, 2026(13 days remaining)
Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-22719
9.5π
BroadcomVMware Aria Operations
β° Federal Deadline:March 23, 2026(14 days remaining)
VMware Aria Operations contains a command injection vulnerability that could allow an attacker to execute arbitrary commands on the affected system.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-21385
9.5π
QualcommMultiple Chipsets
β° Federal Deadline:March 23, 2026(14 days remaining)
A memory corruption vulnerability exists in memory allocation processes when handling specific alignments, potentially leading to arbitrary code execution or system instability.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2017-7921
9.5π Late Disclosure
HikvisionMultiple Products
β° Federal Deadline:March 25, 2026(16 days remaining)
Hikvision Multiple Products Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2021-22681
9.5π Late Disclosure
RockwellMultiple Products
β° Federal Deadline:March 25, 2026(16 days remaining)
Rockwell Multiple Products Insufficient Protected Credentials Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2023-43000
9.5π Late Disclosure
AppleMultiple Products
β° Federal Deadline:March 25, 2026(16 days remaining)
Apple Multiple products Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2021-30952
9.5π Late Disclosure
AppleMultiple Products
β° Federal Deadline:March 25, 2026(16 days remaining)
Apple Multiple Products Integer Overflow or Wraparound Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2023-41974
9.5π Late Disclosure
AppleiOS and iPadOS
β° Federal Deadline:March 25, 2026(16 days remaining)
Apple iOS and iPadOS Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2026-30240
9.6π
ProgressBudibase (PWA Component)
A path traversal vulnerability in Budibase's PWA ZIP processing allows authenticated builders to exfiltrate sensitive server files, including environment variables and encryption keys.
CVSS Base9.6
β
CRSSelect profile
CVE-2026-3630
9.8π
DeltaElectronics COMMGR2
Delta Electronics COMMGR2 is affected by a stack-based buffer overflow vulnerability that could lead to arbitrary code execution or system crashes.
CVSS Base9.8
β
CRSSelect profile
CVE-2025-41764
9.1π
Unknown (Web-Enabled Controller)wwwupdate.cgi Service
An authorization bypass in the wwwupdate.cgi endpoint allows unauthenticated remote attackers to upload and execute arbitrary updates, potentially leading to full system takeover.
CVSS Base9.1
β
CRSSelect profile
CVE-2025-41765
9.1π
Unknown (Building Automation/BACnet)wwwupload.cgi Service
Insufficient authorization in the wwwupload.cgi endpoint allows unauthenticated attackers to upload arbitrary data, including system backups, HTTPS certificates, and BACnet/SC keys.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-31816
9.1π
BudibaseBudibase Server
A regex bypass in Budibase's middleware allows unauthenticated attackers to skip all authentication and authorization checks by appending a webhook path pattern to any API request URL.
CVSS Base9.1
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2026-3734
7.3
HPof the
A flaw has been found in SourceCodester Client Database Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3762
7.3
HPof the
A vulnerability has been found in SourceCodester Client Database Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3764
7.3π
HPClient Database Management System
A vulnerability in SourceCodester Client Database Management System version 1 could allow for unauthorized database access or manipulation.
CVSS Base7.3
β
CRSSelect profile
CVE-2025-69219
8.8π
ApacheAirflow
A vulnerability in Apache Airflow allows a user with database access to execute arbitrary code on the Triggerer component by crafting a malicious database entry.
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3288
8.8
Nginxwhere the
A security issue was discovered in ingress-nginx where the `nginx
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3818
7.3
CMSMultiple Products
A flaw has been found in Tiandy Easy7 CMS Windows 7
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3723
7.3π
HPSimple Flight Ticket Booking System
Another security flaw has been discovered in version 1 of the code-projects Simple Flight Ticket Booking System, affecting its overall security.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3730
7.3π
HPFree Hotel Reservation System
A security flaw has been discovered in itsourcecode Free Hotel Reservation System 1 that could allow an attacker to compromise the application's integrity and confidentiality.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3744
7.3π
HPStudent Web Portal
A high-severity vulnerability in code-projects Student Web Portal 1 could allow an attacker to gain unauthorized access to sensitive academic and personal data.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3746
7.3π
HPSimple Responsive Tourism Website
A security vulnerability in SourceCodester Simple Responsive Tourism Website 1 could enable attackers to compromise the website and access backend data.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3747
7.3π
HPUniversity Management System
itsourcecode University Management System 1 is vulnerable to a high-severity flaw that could lead to unauthorized administrative access and data manipulation.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3758
7.3π
HPOnline Art Gallery Shop
A weakness has been identified in projectworlds Online Art Gallery Shop 1 that could allow attackers to compromise the online storefront and its data.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3759
7.3
HPMultiple Products
A security vulnerability has been detected in projectworlds Online Art Gallery Shop 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3760
7.3
HPMultiple Products
A vulnerability was detected in itsourcecode University Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3765
7.3
HPMultiple Products
A vulnerability was identified in itsourcecode University Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3823
8.8π
Atop TechnologiesEHG2408 series switch
The Atop Technologies EHG2408 series switch contains a stack-based buffer overflow allowing unauthenticated remote attackers to execute arbitrary code.
CVSS Base8.8
β
CRSSelect profile
CVE-2025-41766
8.8π
Unknown (Web-Enabled Controller)wwwubr Service
A stack-based buffer overflow in the ubr-network method of the wwwubr service allows low-privileged remote attackers to achieve full device compromise via a crafted POST request.
CVSS Base8.8
β
CRSSelect profile
CVE-2025-14558
7.2
Archlist options
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement messages; the option body is passed to resolvconf(8) unmodified
CVSS Base7.2
β
CRSSelect profile
CVE-2025-70238
7.5
D-LinkDIR
Stack buffer overflow vulnerability in D-Link DIR-513 v1
CVSS Base7.5
β
CRSSelect profile
CVE-2026-3726
8.8
TendaF453
A vulnerability has been found in Tenda F453 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3727
8.8
TendaF453
A vulnerability was found in Tenda F453 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3728
8.8
TendaF453
A vulnerability was determined in Tenda F453 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3729
8.8
TendaF453
A vulnerability was identified in Tenda F453 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3732
8.8
TendaF453
A security vulnerability has been detected in Tenda F453 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3768
8.8
TendaF453
A security vulnerability has been detected in Tenda F453 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3769
8.8
TendaF453
A vulnerability was detected in Tenda F453 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3799
8.8
Tendai3
A flaw has been found in Tenda i3 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3801
8.8
Tendai3
A vulnerability was found in Tenda i3 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3802
8.8
Tendai3
A vulnerability was determined in Tenda i3 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3803
8.8
Tendai3
A vulnerability was identified in Tenda i3 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3804
8.8
Tendai3
A security flaw has been discovered in Tenda i3 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3807
8.8
TendaFH1202
A security vulnerability has been detected in Tenda FH1202 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3808
8.8
TendaFH1202
A vulnerability was detected in Tenda FH1202 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3809
8.8
TendaFH1202
A flaw has been found in Tenda FH1202 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3810
8.8
TendaFH1202
A vulnerability has been found in Tenda FH1202 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3811
8.8
TendaFH1202
A vulnerability was found in Tenda FH1202 1
CVSS Base8.8
β
CRSSelect profile
CVE-2025-41757
8.8
ArchMultiple Products
A low-privileged remote attacker can abuse the backup restore functionality of UBR (ubr-restore) which runs with elevated privileges and does not validate the contents of the backup archive to create or overwrite arbitrary files anywhere on the system
CVSS Base8.8
β
CRSSelect profile
CVE-2025-41758
8.8
wwuploadMultiple Products
A low-privileged remote attacker can exploit an arbitrary file write vulnerability in the wwupload
CVSS Base8.8
β
CRSSelect profile
CVE-2026-25866
7.8
priorpath element
MobaXterm versions prior to 26
CVSS Base7.8
β
CRSSelect profile
CVE-2025-41756
8.1π
Unknown (Web-Enabled Controller)wwwubr Service
A vulnerability in the ubr-editfile method of the wwwubr service allows low-privileged remote attackers to perform unauthorized file manipulations.
CVSS Base8.1
β
CRSSelect profile
CVE-2026-3631
7.5
DeltaElectronics COMMGR2
Delta Electronics COMMGR2 has
Buffer Over-read DoS vulnerability
CVSS Base7.5
β
CRSSelect profile
CVE-2025-41772
7.5π
Unknown (Web-Enabled Controller)wwwupdate Service
The wwwupdate service exposes valid session tokens in plaintext within URL parameters, allowing unauthenticated remote attackers to hijack active user sessions.
CVSS Base7.5
β
CRSSelect profile
CVE-2026-3787
7
Archpath
A weakness has been identified in UltraVNC 1
CVSS Base7
β
CRSSelect profile
CVE-2026-29023
7.3
KeygraphMultiple Products
Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key
CVSS Base7.3
β
CRSSelect profile
CVE-2025-41767
7.2
wwwupdateMultiple Products
A high-privileged remote attacker can fully compromise the device by abusing an update signature bypass vulnerability in the wwwupdate
CVSS Base7.2
β
CRSSelect profile
CVE-2026-25737
8.9π
BudibaseBudibase Platform
A high-severity vulnerability exists in the Budibase low-code platform, potentially allowing unauthorized access or manipulation of internal tools and workflows.
CVSS Base8.9
β
CRSSelect profile
CVE-2026-3814
8.8
UTTMultiple Products
A security flaw has been discovered in UTT HiPER 810G up to 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3815
8.8
UTTMultiple Products
A weakness has been identified in UTT HiPER 810G up to 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-0846
8.6
theMultiple Products
A vulnerability in the `filestring()` function of the `nltk
CVSS Base8.6
β
CRSSelect profile
CVE-2026-28693
8.1π
ImageMagick Studio LLCImageMagick
A high-severity vulnerability in ImageMagick's image processing logic could allow attackers to compromise systems that utilize the software for digital image manipulation.
CVSS Base8.1
β
CRSSelect profile
CVE-2026-30896
7.8
QseeMultiple Products
The installer for Qsee Client versions 1
CVSS Base7.8
β
CRSSelect profile
CVE-2025-41761
7.8π
MicrosoftWindows (UBR Service)
A local attacker with low privileges can exploit the UBR service account to potentially escalate privileges or access sensitive system data within the Windows environment.
CVSS Base7.8
β
CRSSelect profile
CVE-2026-30929
7.7π
ImageMagick Studio LLCImageMagick
ImageMagick is susceptible to a vulnerability during image manipulation that could allow for unauthorized code execution or system instability when processing crafted files.
CVSS Base7.7
β
CRSSelect profile
CVE-2025-61611
7.5π
Modem FirmwareModem
An improper input validation flaw in modem firmware allows for potential exploitation through malformed data inputs, leading to system instability or unauthorized access.
CVSS Base7.5
β
CRSSelect profile
CVE-2025-61612
7.5π
NR Modem FirmwareNR Modem
The NR (5G) modem firmware contains an improper input validation flaw that can be triggered to cause a system crash and denial of service via malformed inputs.
CVSS Base7.5
β
CRSSelect profile
CVE-2025-61613
7.5π
NR Modem FirmwareNR Modem
An improper input validation vulnerability in the NR modem firmware can be exploited to induce a system crash and disrupt 5G services through crafted data.
CVSS Base7.5
β
CRSSelect profile
CVE-2025-61614
7.5
UnknownMultiple Products
In nr modem, there is a possible system crash due to improper input validation
CVSS Base7.5
β
CRSSelect profile
CVE-2025-61615
7.5
UnknownMultiple Products
In nr modem, there is a possible system crash due to improper input validation
CVSS Base7.5
β
CRSSelect profile
CVE-2025-61616
7.5
UnknownMultiple Products
In nr modem, there is a possible system crash due to improper input validation
CVSS Base7.5
β
CRSSelect profile
CVE-2025-69278
7.5
UnknownMultiple Products
In nr modem, there is a possible system crash due to improper input validation
CVSS Base7.5
β
CRSSelect profile
CVE-2025-69279
7.5
UnknownMultiple Products
In nr modem, there is a possible system crash due to improper input validation
CVSS Base7.5
β
CRSSelect profile
CVE-2025-14769
7.5
processingMultiple Products
In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine
CVSS Base7.5
β
CRSSelect profile
CVE-2026-3038
7.5
InforMultiple Products
The rtsock_msg_buffer() function serializes routing information into a buffer
CVSS Base7.5
β
CRSSelect profile
CVE-2025-70047
7.5
UnknownMultiple Products
An issue pertaining to CWE-400: Uncontrolled Resource Consumption was discovered in Nexusoft NexusInterface v3
CVSS Base7.5
β
CRSSelect profile
CVE-2026-3588
7.5
IKEA DirigeraMultiple Products
A server-side request forgery (SSRF) vulnerability in IKEA Dirigera v2
CVSS Base7.5
β
CRSSelect profile
CVE-2025-62166
7.5
UnknownMultiple Products
FreshRSS is a free, self-hostable RSS aggregator
CVSS Base7.5
β
CRSSelect profile
CVE-2026-28691
7.5
UnknownMultiple Products
ImageMagick is free and open-source software used for editing and manipulating digital images
CVSS Base7.5
β
CRSSelect profile
CVE-2026-3735
7.3
BookingMultiple Products
A vulnerability has been found in code-projects Simple Flight Ticket Booking System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3736
7.3
BookingMultiple Products
A vulnerability was found in code-projects Simple Flight Ticket Booking System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3740
7.3
ManagementMultiple Products
A weakness has been identified in itsourcecode University Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3757
7.3
GalleryMultiple Products
A security flaw has been discovered in projectworlds Online Art Gallery Shop 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-3794
7.3
doramartMultiple Products
A vulnerability was identified in doramart DoraCMS 3
CVSS Base7.3
β
CRSSelect profile
CVE-2026-25960
7.1
servingMultiple Products
vLLM is an inference and serving engine for large language models (LLMs)
CVSS Base7.1
β
CRSSelect profile
CVE-2026-28494
7.1
UnknownMultiple Products
ImageMagick is free and open-source software used for editing and manipulating digital images