Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Monday's vulnerability disclosures are dominated by critical flaws in MLflow and OpenClaw, with a perfect CVSS 10.0 remote code execution vulnerability in MLflow (CVE-2025-15379) and five additional critical OpenClaw vulnerabilities scoring 9.8-9.9. The day's 68 disclosed CVEs include 7 critical and 61 high-priority issues, with high-severity volume dropping 38% from the prior day while critical counts held steady. Eight vulnerabilities have confirmed active exploitation, targeting Apple products, Zimbra Collaboration Suite, Craft CMS, Laravel Livewire, Langflow, and Aquasecurity Trivy. Attack patterns center on remote code execution and authentication bypass across both ML/AI platforms and widely deployed enterprise software. No patches are currently available for any of the disclosed vulnerabilities, requiring defenders to rely on compensating controls and network-level mitigations.
MLflow CVE-2025-15379 scores a perfect CVSS 10.0 â assess exposure in any ML pipeline environments immediately
7 critical CVEs disclosed (unchanged from prior day), with 5 affecting OpenClaw at CVSS 9.8-9.9
61 high-priority CVEs, down 38% from the prior day's 98
Active exploitation confirmed across Apple products, Zimbra ZCS, Craft CMS, Laravel Livewire, Langflow, and Trivy
Patch availability stands at 0% â no vendor fixes released for any of the 68 disclosed vulnerabilities
Immediate action: Organizations running MLflow, OpenClaw, Apple products, Zimbra, Craft CMS, Laravel Livewire, Langflow, or Trivy should audit exposure immediately and apply network segmentation or access restrictions as interim mitigations. With zero patches currently available, prioritize monitoring for exploitation indicators and restrict public-facing access to affected services until vendor fixes are released.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2025-66376
9.5
SynacorZimbra Collaboration Suite (ZCS)
â° Federal Deadline:March 31, 2026(2 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-32432
9.5
Craft CMSCraft CMS
â° Federal Deadline:April 2, 2026(4 days remaining)
Craft CMS Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-54068
9.5
LaravelLivewire
â° Federal Deadline:April 2, 2026(4 days remaining)
Laravel Livewire Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-43510
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(4 days remaining)
Apple Multiple Products Improper Locking Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-43520
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(4 days remaining)
Apple Multiple Products Classic Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-31277
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(4 days remaining)
Apple Multiple Products Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-33017
9.5
LangflowLangflow
â° Federal Deadline:April 7, 2026(9 days remaining)
Langflow Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-33634
9.5
AquasecurityTrivy
â° Federal Deadline:April 8, 2026(10 days remaining)
Aquasecurity Trivy Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-15379
10đ
MLflowMLflow
A command injection vulnerability in MLflow's model serving container initialization allows attackers to execute arbitrary commands by supplying malicious model artifacts with unsanitized dependencies.
CVSS Base10
â
CRSSelect profile
CVE-2026-32922
9.9đ
OpenClawOpenClaw
A privilege escalation vulnerability in OpenClaw's token rotation mechanism allows users with limited pairing scopes to mint high-privilege administrative tokens and achieve remote code execution.
CVSS Base9.9
â
CRSSelect profile
CVE-2025-15036
9.6đ
ArchMLflow
A path traversal vulnerability in MLflow's archive extraction function allows attackers to overwrite arbitrary files and escape sandboxed directories via malicious tar archives.
CVSS Base9.6
â
CRSSelect profile
CVE-2026-32987
9.8đ
OpenClawOpenClaw
OpenClaw's device pairing process is vulnerable to a replay attack where bootstrap setup codes can be reused to escalate pairing scopes to administrative levels.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-32924
9.8đ
OpenClawOpenClaw
An authorization bypass in OpenClaw's Feishu integration misclassifies group chat reaction events as private conversations, allowing attackers to circumvent group security protections.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-32973
9.8đ
OpenClawOpenClaw
An execution allowlist bypass in OpenClaw due to improper path normalization and glob matching allows attackers to execute unauthorized commands on the system.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-32975
9.8đ
OpenClawOpenClaw
A weak authorization vulnerability in OpenClaw's Zalouser allowlist mode allows attackers to bypass channel authorization by spoofing mutable group display names.
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2016-20043
8.4đđ Late Disclosure
RSSRSS Reader
A critical vulnerability has been disclosed in the NRSS RSS Reader version 0.x. This flaw could lead to significant system compromise if exploited by a remote attacker.
CVSS Base8.4
â
CRSSelect profile
CVE-2026-3124
7.5đ
WordPressis vulnerable
The Download Monitor plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) flaw. This allows unauthorized access to restricted files in versions up to 5.x.
CVSS Base7.5
â
CRSSelect profile
CVE-2026-5017
7.3
HPof the
A security flaw has been discovered in code-projects Simple Food Order System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-5018
7.3
HPof the
A weakness has been identified in code-projects Simple Food Order System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-5019
7.3
HPof the
A security vulnerability has been detected in code-projects Simple Food Order System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-5033
7.3
HPof the
A vulnerability was detected in code-projects Accounting System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-5034
7.3
HPof the
A flaw has been found in code-projects Accounting System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-5035
7.3
HPof the
A vulnerability has been found in code-projects Accounting System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-4416
7.8
GigabyteControl Center
The Performance Library component of Gigabyte Control Center has an Insecure Deserialization vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2026-5021
8.8
TendaF453
A flaw has been found in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-5024
8.8
D-LinkDIR
A vulnerability was found in D-Link DIR-513 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-5045
8.8
TendaFH1201
A vulnerability was detected in Tenda FH1201 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-5046
8.8
TendaFH1201
A flaw has been found in Tenda FH1201 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2370
8.1
versionshas remediated
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14
CVSS Base8.1
â
CRSSelect profile
CVE-2026-4415
8.1
GigabyteControl Center
Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulnerability
CVSS Base8.1
â
CRSSelect profile
CVE-2026-32980
7.5
OpenClawwebhook request
OpenClaw before 2026
CVSS Base7.5
â
CRSSelect profile
CVE-2026-2328
7.5
InforMultiple Products
An unauthenticated remote attacker can exploit insufficient input validation to access backend components beyond their intended scope via path traversal, resulting in exposure of sensitive information
CVSS Base7.5
â
CRSSelect profile
CVE-2026-3945
7.5
HTTP chunkedMultiple Products
An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1
CVSS Base7.5
â
CRSSelect profile
CVE-2026-5004
8.8đ
WavlinkWL-WN579X3-C
A high-severity vulnerability has been identified in the Wavlink WL-WN579X3-C router, version 231124, which could allow for remote exploitation.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-5036
8.8
TendaMultiple Products
A vulnerability was found in Tenda 4G06 04
CVSS Base8.8
â
CRSSelect profile
CVE-2026-5042
8.8đ
BelkinF9K1122
A security flaw has been discovered in the Belkin F9K1122 router, potentially allowing for unauthorized access or system interference.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-5043
8.8đ
BelkinF9K1122
A security weakness has been identified in the Belkin F9K1122 router that could be exploited to compromise the device's security posture.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32914
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32915
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33573
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
â
CRSSelect profile
CVE-2026-5044
8.8đ
BelkinF9K1122
A security vulnerability has been detected in the Belkin F9K1122 router, potentially enabling attackers to gain unauthorized access or disrupt services.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-34005
8.8đ
XiongmaiSofia on DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P)
A critical vulnerability exists in the Sofia component of Xiongmai DVR/NVR devices. This flaw allows attackers to potentially compromise the surveillance system's integrity and availability.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4946
8.8
priorMultiple Products
Ghidra versions prior to 12
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32974
8.6
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.6
â
CRSSelect profile
CVE-2016-20037
8.4đ Late Disclosure
xwpeMultiple Products
xwpe 1
CVSS Base8.4
â
CRSSelect profile
CVE-2016-20038
8.4đ Late Disclosure
yTreeMultiple Products
yTree 1
CVSS Base8.4
â
CRSSelect profile
CVE-2016-20039
8.4đ Late Disclosure
SuperMultiple Products
Multi Emulator Super System 0
CVSS Base8.4
â
CRSSelect profile
CVE-2016-20040
8.4đ Late Disclosure
ROMMultiple Products
TiEmu 3
CVSS Base8.4
â
CRSSelect profile
CVE-2016-20041
8.4đ Late Disclosure
YasrMultiple Products
Yasr 0
CVSS Base8.4
â
CRSSelect profile
CVE-2016-20042
8.4đ Late Disclosure
TRNMultiple Products
TRN 3
CVSS Base8.4
â
CRSSelect profile
CVE-2016-20044
8.4đ Late Disclosure
PInfoMultiple Products
PInfo 0
CVSS Base8.4
â
CRSSelect profile
CVE-2016-20045
8.4đ Late Disclosure
HNBMultiple Products
HNB Organizer 1
CVSS Base8.4
â
CRSSelect profile
CVE-2016-20046
8.4đ Late Disclosure
zFTPMultiple Products
zFTP Client 20061220+dfsg3-4
CVSS Base8.4
â
CRSSelect profile
CVE-2016-20047
8.4đ Late Disclosure
EKGMultiple Products
EKG Gadu 1
CVSS Base8.4
â
CRSSelect profile
CVE-2016-20048
8.4đ Late Disclosure
iSelectMultiple Products
iSelect 1
CVSS Base8.4
â
CRSSelect profile
CVE-2017-20226
8.4đ Late Disclosure
MapscrnMultiple Products
Mapscrn 2
CVSS Base8.4
â
CRSSelect profile
CVE-2017-20228
8.4đ Late Disclosure
FlatMultiple Products
Flat Assembler 1
CVSS Base8.4
â
CRSSelect profile
CVE-2018-25222
8.4đđ Late Disclosure
SCSC v7
A late-disclosure high-severity vulnerability affects SC v7, potentially leading to unauthorized system access or arbitrary code execution.
CVSS Base8.4
â
CRSSelect profile
CVE-2018-25224
8.4đ Late Disclosure
PMSMultiple Products
PMS 0
CVSS Base8.4
â
CRSSelect profile
CVE-2018-25225
8.4đ Late Disclosure
SIPPMultiple Products
SIPP 3
CVSS Base8.4
â
CRSSelect profile
CVE-2026-32918
8.4
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.4
â
CRSSelect profile
CVE-2026-33572
8.4
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.4
â
CRSSelect profile
CVE-2026-0562
8.3
parisneoMultiple Products
A critical security vulnerability in parisneo/lollms versions up to 2
CVSS Base8.3
â
CRSSelect profile
CVE-2026-32978
8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8
â
CRSSelect profile
CVE-2026-33575
7.5
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.5
â
CRSSelect profile
CVE-2026-0558
7.5
includingMultiple Products
A vulnerability in parisneo/lollms, up to and including version 2
CVSS Base7.5
â
CRSSelect profile
CVE-2026-0560
7.5
priorMultiple Products
A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4996
7.3đ
Sinaptik AIPandasAI
Sinaptik AI PandasAI is vulnerable to a security flaw in versions up to 0.x. This vulnerability could allow for unauthorized data manipulation or information disclosure.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-4998
7.3đ
Sinaptik AIPandasAI
A security weakness has been identified in Sinaptik AI PandasAI versions up to 3.x. This flaw may allow attackers to compromise the security of the data analysis environment.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-5000
7.3
LGMultiple Products
A vulnerability was detected in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054
CVSS Base7.3
â
CRSSelect profile
CVE-2026-5001
7.3
LGMultiple Products
A flaw has been found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054
CVSS Base7.3
â
CRSSelect profile
CVE-2026-5002
7.3
LGMultiple Products
A vulnerability has been found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054
CVSS Base7.3
â
CRSSelect profile
CVE-2026-5012
7.3
InforMultiple Products
A flaw has been found in elecV2 elecV2P up to 3
CVSS Base7.3
â
CRSSelect profile
CVE-2026-5016
7.3
InforMultiple Products
A vulnerability was identified in elecV2 elecV2P up to 3