Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Friday's vulnerability disclosures include a maximum-severity flaw in ORY Oathkeeper (CVE-2026-33494, CVSS 10.0) alongside critical issues in Incus (CVE-2026-33945, CVE-2026-33897, both CVSS 9.9) and OneUptime (CVE-2026-33396, CVSS 9.9). The day saw 11 critical CVEs, down 8% from Thursday, while 100 high-priority vulnerabilities held steady. HP products account for multiple critical entries (CVE-2026-33942, CVE-2026-4809), and WordPress (CVE-2026-4484) and SiYuan (CVE-2026-33669, CVE-2026-33670) each carry CVSS 9.8 scores. Nine vulnerabilities have confirmed active exploitation, notably affecting Apple products, Zimbra Collaboration Suite, Craft CMS, and Laravel Livewire. No patches are currently available for disclosed vulnerabilities, requiring organizations to prioritize compensating controls and monitoring.
11 critical CVEs disclosed, down 8% from prior day; Incus and OneUptime each have CVSS 9.9 flaws
100 high-priority CVEs unchanged from Thursday, maintaining elevated disclosure volume
Remote code execution and authorization bypass patterns dominate, affecting HP, WordPress, and SiYuan
0% patch availability across disclosed vulnerabilities â compensating controls essential
9 actively exploited vulnerabilities target Apple products, Zimbra, Craft CMS, Langflow, and Trivy
Immediate action: Prioritize reviewing exposure to ORY Oathkeeper, Incus, OneUptime, and SiYuan deployments, and apply network-level restrictions where patches are unavailable. For the nine actively exploited vulnerabilities, verify compensating controls are in place for Apple products, Zimbra, Craft CMS, Laravel Livewire, Langflow, and Trivy, and monitor vendor channels for incoming patches.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2025-47813
9.5
Wing FTP ServerWing FTP Server
â° Federal Deadline:March 29, 2026(3 days remaining)
Wing FTP Server Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-66376
9.5
SynacorZimbra Collaboration Suite (ZCS)
â° Federal Deadline:March 31, 2026(5 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-32432
9.5
Craft CMSCraft CMS
â° Federal Deadline:April 2, 2026(7 days remaining)
Craft CMS Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-54068
9.5
LaravelLivewire
â° Federal Deadline:April 2, 2026(7 days remaining)
Laravel Livewire Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-43510
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(7 days remaining)
Apple Multiple Products Improper Locking Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-43520
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(7 days remaining)
Apple Multiple Products Classic Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-31277
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(7 days remaining)
Apple Multiple Products Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-33017
9.5
LangflowLangflow
â° Federal Deadline:April 7, 2026(12 days remaining)
Langflow Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-33634
9.5
AquasecurityTrivy
â° Federal Deadline:April 8, 2026(13 days remaining)
Aquasecurity Trivy Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2026-33942
9.8đ
HPlibrary that
Saloon versions prior to 4.0.0 are vulnerable to PHP Object Injection via insecure use of unserialize() in the AccessTokenAuthenticator class, potentially leading to remote code execution.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4809
9.8đ
HPcode while
Plank laravel-mediable through version 6.4.0 allows for arbitrary file upload and remote code execution by trusting client-supplied MIME types during the upload process.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4484
9.8đ
WordPressis vulnerable
The Masteriyo LMS plugin for WordPress allows authenticated Student-level users to escalate their privileges to Administrator via the InstructorsController.
CVSS Base9.8
â
CRSSelect profile
CVE-2014-125112
9.8đđ Late Disclosure
PlackMiddleware::Session::Cookie
Plack::Middleware::Session::Cookie through version 0.21 for Perl is vulnerable to remote code execution during cookie deserialization when no secret key is configured to sign session data.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-33494
10đ
ORYOathkeeper
ORY Oathkeeper versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal where raw paths are matched against permissive rules before normalization.
CVSS Base10
â
CRSSelect profile
CVE-2026-33396
9.9đ
OneUptimeOneUptime
OneUptime versions prior to 10.0.35 allow low-privileged users to achieve remote code execution on the Probe container by escaping the Playwright sandbox via unblocked internal properties.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-33669
9.8đ
SiYuanSiYuan
SiYuan versions prior to 3.6.2 are vulnerable to unauthorized data access where document IDs and content can be retrieved through the /api/file/readDir and /api/block/getChildBlocks interfaces.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-33670
9.8đ
SiYuanSiYuan
SiYuan versions prior to 3.6.2 allow unauthenticated directory traversal and filename retrieval via the /api/file/readDir interface, exposing the structure of user notebooks.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-33945
9.9đ
IncusIncus
Incus versions prior to 6.23.0 are vulnerable to an arbitrary file write flaw where path traversal in systemd credential keys allows root-level writes to the host filesystem.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-33897
9.9đ
IncusIncus
Incus versions prior to 6.23.0 contain a critical sandbox escape in the pongo2 template implementation that allows arbitrary file reads and writes as root on the host server.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-22738
9.8đ
SpringSpring AI
Spring AI versions prior to 1.0.5 and 1.1.4 are vulnerable to SpEL injection in SimpleVectorStore when user-supplied input is used as a filter expression key, leading to remote code execution.
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2026-20012
8.6đ
CiscoIOS Software
A vulnerability in Cisco's IKEv2 implementation allows unauthenticated remote attackers to cause a memory leak. This leak eventually leads to a Denial of Service (DoS) condition on the affected network device.
CVSS Base8.6
â
CRSSelect profile
CVE-2026-20084
8.6đ
CiscoIOS XE
A flaw in the DHCP snooping feature of Cisco IOS XE allows unauthenticated attackers to cause BOOTP packets to be forwarded between VLANs. This leads to a Denial of Service (DoS) condition.
CVSS Base8.6
â
CRSSelect profile
CVE-2026-20086
8.6đ
CiscoIOS XE
A vulnerability in CAPWAP packet processing in Cisco IOS XE Wireless Controller Software allows unauthenticated remote attackers to cause a Denial of Service.
CVSS Base8.6
â
CRSSelect profile
CVE-2026-22493
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Gaspard gaspard allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-22494
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Good Homes good-homes allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-22495
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Greenville greenville allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-22496
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hypnotherapy hypnotherapy allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-22498
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-22499
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Lella lella allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-22502
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mr
CVSS Base8.1
â
CRSSelect profile
CVE-2026-22503
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Nelson nelson allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-22504
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX ProLingua prolingua allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-22506
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Amoli amoli allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-22508
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Dentalux dentalux allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-22509
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Gioia gioia allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-22511
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes NeoBeat neobeat allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2024-58341
8.2đ Late Disclosure
OpenCartCore
OpenCart Core 4
CVSS Base8.2
â
CRSSelect profile
CVE-2026-24978
8.8
NooTheme Jobica CoreMultiple Products
Deserialization of Untrusted Data vulnerability in NooTheme Jobica Core jobica-core allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2026-24981
8.8
NooTheme VisionaryMultiple Products
Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32516
8.5
kamleshyadavMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Blind SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2025-55262
8.3
InforMultiple Products
HCL Aftermarket DPC is affected by SQL Injection which allows attacker to exploit this vulnerability to retrieve sensitive information from the database
CVSS Base8.3
â
CRSSelect profile
CVE-2026-4758
8.8
WordPressis vulnerable
The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2931
8.8
WordPressis vulnerable
The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4840
8.8
NetcoreMultiple Products
A security flaw has been discovered in Netcore Power 15AX up to 3
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33631
8.7đ
ClearanceKitClearanceKit for macOS
ClearanceKit for macOS contains a vulnerability in its file-system access event interception, potentially allowing bypass of per-process access policies.
CVSS Base8.7
â
CRSSelect profile
CVE-2026-33413
8.8
Kubernetesdoes not
etcd is a distributed key-value store for the data of a distributed system
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33687
8.8
HPfiles unless
Sharp is a content management framework built for Laravel as a package
CVSS Base8.8
â
CRSSelect profile
CVE-2018-25195
8.2đ Late Disclosure
HPwith action
Wecodex Hotel CMS 1
CVSS Base8.2
â
CRSSelect profile
CVE-2018-25203
8.2đ Late Disclosure
HPwith the
Online Store System CMS 1
CVSS Base8.2
â
CRSSelect profile
CVE-2018-25209
8.2đ Late Disclosure
HPwith malicious
OpenBiz Cubi Lite 3
CVSS Base8.2
â
CRSSelect profile
CVE-2026-4815
8.8
HPMultiple Products
A SQL Injection vulnerability has been found in Support Board v3
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33686
8.8
HPMultiple Products
Sharp is a content management framework built for Laravel as a package
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33661
8.6
HPMultiple Products
Pay is an open-source payment SDK extension package for various Chinese payment services
CVSS Base8.6
â
CRSSelect profile
CVE-2026-33747
8.4đ
DockerBuildKit
Docker BuildKit contains a vulnerability that could affect the efficiency and repeatability of build artifacts, potentially leading to unauthorized access or build-time exploits.
CVSS Base8.4
â
CRSSelect profile
CVE-2025-15101
8.8
ASUSrouter models
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web management interface of certain ASUS router models
CVSS Base8.8
â
CRSSelect profile
CVE-2026-27650
8.8
BuffaloWi
OS Command Injection vulnerability exists in BUFFALO Wi-Fi router products
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32669
8.8
BuffaloWi
Code injection vulnerability exists in BUFFALO Wi-Fi router products
CVSS Base8.8
â
CRSSelect profile
CVE-2026-27045
8.8
sbthemes WooCommerceMultiple Products
Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2026-25007
8.5
Element InvaderMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Blind SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2024-51348
8.8đ Late Disclosure
withMultiple Products
A stack-based buffer overflow vulnerability in the P2P API service in BS Producten Petcam with firmware 33
CVSS Base8.8
â
CRSSelect profile
CVE-2026-25400
8.8
thememount ApiconaMultiple Products
Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4902
8.8
TendaAC5
A vulnerability was detected in Tenda AC5 15
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4903
8.8
TendaAC5
A flaw has been found in Tenda AC5 15
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4904
8.8
TendaAC5
A vulnerability has been found in Tenda AC5 15
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4905
8.8
TendaAC5
A vulnerability was found in Tenda AC5 15
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4906
8.8
TendaAC5
A vulnerability was determined in Tenda AC5 15
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32522
8.6
vanquish WooCommerceMultiple Products
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish WooCommerce Support Ticket System woocommerce-support-ticket-system allows Path Traversal
CVSS Base8.6
â
CRSSelect profile
CVE-2026-30976
8.6
Linuxare unaffected
Sonarr is a PVR for Usenet and BitTorrent users
CVSS Base8.6
â
CRSSelect profile
CVE-2026-31921
8.2
Devteam HaywoodTechMultiple Products
Missing Authorization vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce products-rearrange-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base8.2
â
CRSSelect profile
CVE-2018-25205
8.2đ Late Disclosure
Archfunctionality
ASP
CVSS Base8.2
â
CRSSelect profile
CVE-2026-22742
8.6
BedrockProxyChatModelMultiple Products
Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery (SSRF) vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs
CVSS Base8.6
â
CRSSelect profile
CVE-2026-25001
8.5
Saad Iqbal PostMultiple Products
Improper Control of Generation of Code ('Code Injection') vulnerability in Saad Iqbal Post Snippets post-snippets allows Remote Code Inclusion
CVSS Base8.5
â
CRSSelect profile
CVE-2026-24359
8.8
DokanMultiple Products
Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc
CVSS Base8.8
â
CRSSelect profile
CVE-2026-24974
8.8
NooTheme CitiLightsMultiple Products
Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citilights allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2026-24976
8.8
NooTheme OrganiciMultiple Products
Deserialization of Untrusted Data vulnerability in NooTheme Organici Library noo-organici-library allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2026-25358
8.8
rascals Meloo melooMultiple Products
Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2026-25359
8.8
rascals PendulumMultiple Products
Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2026-25360
8.8
rascals Vex vexMultiple Products
Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2026-25406
8.8
Themeum Tutor LMS ProMultiple Products
Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse
CVSS Base8.8
â
CRSSelect profile
CVE-2026-25414
8.8
iqonicdesign WPBookitMultiple Products
Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32484
8.8
BoldGrid weFormsMultiple Products
Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32513
8.8
Miguel Useche JSMultiple Products
Deserialization of Untrusted Data vulnerability in Miguel Useche JS Archive List jquery-archive-list-widget allows Object Injection
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NooTheme Organici Library noo-organici-library allows Blind SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2026-27039
8.5
AAMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team WZone woozone allows Blind SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2026-32534
8.5
JoomSky JS Help DeskMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2026-22505
8.1
AncoraThemes MorningMultiple Products
Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection
CVSS Base8.1
â
CRSSelect profile
CVE-2026-22510
8.1
AncoraThemes MelodyMultiple Products
Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection
CVSS Base8.1
â
CRSSelect profile
CVE-2026-23514
8.8
UnknownMultiple Products
Kiteworks is a private data network (PDN)
CVSS Base8.8
â
CRSSelect profile
CVE-2026-27040
8.8
AAMultiple Products
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AA-Team WZone woozone allows Path Traversal
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33917
8.8
ajaxMultiple Products
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4747
8.8đ
SAPSAP Software (RPCSEC_GSS implementation)
A vulnerability exists in the RPCSEC_GSS data packet validation routine where signature checks are improperly handled. This flaw could allow attackers to bypass security mechanisms.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4861
8.8
UnknownMultiple Products
A weakness has been identified in Wavlink WL-NU516U1 260227
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4862
8.8
UTTMultiple Products
A security vulnerability has been detected in UTT HiPER 1250GW up to 3
CVSS Base8.8
â
CRSSelect profile
CVE-2026-24068
8.8
UnknownMultiple Products
The VSL privileged helper does utilize NSXPC for IPC
CVSS Base8.8
â
CRSSelect profile
CVE-2026-22790
8.8
UnknownMultiple Products
EVerest is an EV charging software stack
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33506
8.8
OryMultiple Products
Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-27893
8.8
servingMultiple Products
vLLM is an inference and serving engine for large language models (LLMs)
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33898
8.8
machineMultiple Products
Incus is a system container and virtual machine manager
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33348
8.7
functionMultiple Products
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base8.7
â
CRSSelect profile
CVE-2026-31913
8.6
WhiteboxMultiple Products
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal
CVSS Base8.6
â
CRSSelect profile
CVE-2026-33216
8.6
PerformanceMultiple Products
NATS-Server is a High-Performance server for NATS
CVSS Base8.6
â
CRSSelect profile
CVE-2025-69347
8.5
Convers LabMultiple Products
Authorization Bypass Through User-Controlled Key vulnerability in Convers Lab WPSubscription subscription allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base8.5
â
CRSSelect profile
CVE-2026-34352
8.5
TigerVNCMultiple Products
In TigerVNC before 1
CVSS Base8.5
â
CRSSelect profile
CVE-2018-25212
8.4đ Late Disclosure
wmaMultiple Products
Boxoft wav-wma Converter 1
CVSS Base8.4
â
CRSSelect profile
CVE-2018-25213
8.4đ Late Disclosure
NsauditorMultiple Products
Nsauditor 3
CVSS Base8.4
â
CRSSelect profile
CVE-2018-25217
8.4đ Late Disclosure
PDFMultiple Products
PDF Explorer 1
CVSS Base8.4
â
CRSSelect profile
CVE-2018-25218
8.4đ Late Disclosure
PasswordMultiple Products
PassFab RAR Password Recovery 9
CVSS Base8.4
â
CRSSelect profile
CVE-2018-25219
8.4đ Late Disclosure
PasswordMultiple Products
PassFab Excel Password Recovery 8
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25650
8.4đđ Late Disclosure
AMDCamDo 3
River Past CamDo 3 contains a high-severity vulnerability that could lead to unauthorized system access or execution. This late-disclosure entry requires immediate review for legacy systems.