Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Monday's vulnerability disclosures reveal significant exposure across Microsoft Windows and Office products, with multiple actively exploited flaws targeting core enterprise infrastructure. The brief includes 1 critical vulnerability (down 50% from prior day) and 63 high-priority CVEs (down 37%), reflecting a quieter but still consequential disclosure cycle. CVE-2026-24494 (CVSS 9.8) affects the Online Ordering System, while five Microsoft Windows CVEs and one Office CVE are confirmed under active exploitation. Notably, legacy vulnerabilities in GitLab, Zimbra, Roundcube Webmail, and Sangoma FreePBX continue to see exploitation activity, underscoring persistent risk from unpatched older systems. Patch availability stands at 0%, making compensating controls and network-level mitigations essential until vendor fixes are released.
Microsoft Windows and Office account for 6 actively exploited vulnerabilities across remote code execution and privilege escalation vectors
1 critical CVE disclosed (CVSS 9.8), down 50% from the prior day's 2 critical vulnerabilities
63 high-priority CVEs (CVSS 7.0-8.9), a 37% decrease from the prior day's 100 high-priority disclosures
Active exploitation spans Roundcube Webmail, GitLab, Sangoma FreePBX, Google Chromium, and Apple OS â covering email, DevOps, VoIP, and browser attack surfaces
Patch availability is at 0% â no vendor fixes are currently available for disclosed vulnerabilities
21 CVEs have confirmed active exploitation, consistent with the prior day's count
Immediate action: Prioritize reviewing exposure to Microsoft Windows, Office, Roundcube Webmail, and GitLab environments, as these face confirmed active exploitation with no patches currently available. Implement network segmentation, access restrictions, and enhanced monitoring for affected systems as compensating controls until vendor patches are released.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2021-39935
9.5đ Late Disclosure
GitLabCommunity and Enterprise Editions
â° Federal Deadline:February 23, 2026(1 days remaining)
GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-64328
9.5
SangomaFreePBX
â° Federal Deadline:February 23, 2026(1 days remaining)
Sangoma FreePBX OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2019-19006
9.5đ Late Disclosure
SangomaFreePBX
â° Federal Deadline:February 23, 2026(1 days remaining)
Sangoma FreePBX Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-11953
9.5đ
React Native CommunityCLI
â° Federal Deadline:February 25, 2026(3 days remaining)
React Native Community CLI OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-24423
9.5
SmarterToolsSmarterMail
â° Federal Deadline:February 25, 2026(3 days remaining)
SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-21513
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(8 days remaining)
A protection mechanism failure in the MSHTML Framework allows an unauthenticated attacker to bypass security features over a network, potentially leading to unauthorized system access.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-21525
9.5
MicrosoftWindows
â° Federal Deadline:March 2, 2026(8 days remaining)
Microsoft Windows NULL Pointer Dereference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-21510
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(8 days remaining)
A protection mechanism failure in the Windows Shell allows an unauthenticated attacker to bypass security features over a network connection.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-21533
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(8 days remaining)
Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate their privileges locally on the affected system.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-21519
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(8 days remaining)
A type confusion vulnerability in the Desktop Window Manager (DWM) allows an authorized local attacker to elevate their privileges to a higher level.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-21514
9.5đ
MicrosoftOffice
â° Federal Deadline:March 2, 2026(8 days remaining)
A security feature bypass vulnerability in Microsoft Office Word exists due to reliance on untrusted inputs, allowing an unauthorized local attacker to circumvent security protections.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-20700
9.5đ
AppleApple OS
â° Federal Deadline:March 4, 2026(10 days remaining)
A memory corruption vulnerability in Apple software was addressed through improved state management to prevent potential exploitation.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-43468
9.5đ Late Disclosure
MicrosoftConfiguration Manager
â° Federal Deadline:March 4, 2026(10 days remaining)
Microsoft Configuration Manager SQL Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-15556
9.5
Notepad++Notepad++
â° Federal Deadline:March 4, 2026(10 days remaining)
Notepad++ Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2020-7796
9.5đ Late Disclosure
SynacorZimbra Collaboration Suite
â° Federal Deadline:March 9, 2026(15 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-7694
9.5đ Late Disclosure
TeamT5ThreatSonar Anti-Ransomware
â° Federal Deadline:March 9, 2026(15 days remaining)
TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2008-0015
9.5đ Late Disclosure
MicrosoftWindows
â° Federal Deadline:March 9, 2026(15 days remaining)
Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-2441
9.5đ
GoogleChromium
â° Federal Deadline:March 9, 2026(15 days remaining)
Google Chrome is vulnerable to a "Use After Free" condition in its CSS engine, which could allow a remote attacker to execute arbitrary code via a crafted webpage.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-22175
9.5đ Late Disclosure
GitLabGitLab
â° Federal Deadline:March 10, 2026(16 days remaining)
GitLab Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-49113
9.5
RoundcubeWebmail
â° Federal Deadline:March 12, 2026(18 days remaining)
RoundCube Webmail Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-68461
9.5
RoundcubeWebmail
â° Federal Deadline:March 12, 2026(18 days remaining)
RoundCube Webmail Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2026-24494
9.8đ
theOnline Ordering System
An unauthenticated SQL injection vulnerability exists in the Order Up Online Ordering System 1.0 via the store_id parameter in the /api/integrations/getintegrations endpoint.
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2019-25391
8.2đ Late Disclosure
HPendpoint with
Ashop Shopping Cart Software contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through the blacklistitemid parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25440
8.2đ Late Disclosure
HPwith malicious
WebIncorp ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the prod_id parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25443
8.2đ Late Disclosure
HPto execute
Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25446
8.2đ Late Disclosure
HPwith malicious
DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25461
8.2đ Late Disclosure
Archendpoint with
Web Ofisi Platinum E-Ticaret v5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25455
8.2đđ Late Disclosure
InforE-Ticaret
Web Ofisi E-Ticaret v3 contains an unauthenticated SQL injection vulnerability in the 'a' parameter, allowing for unauthorized database manipulation.
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25456
8.2đđ Late Disclosure
InforEmlak
Web Ofisi Emlak v2 is vulnerable to an unauthenticated SQL injection via the 'ara' GET parameter, enabling attackers to manipulate database queries.
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25457
8.2đđ Late Disclosure
InforFirma
Web Ofisi Firma v13 contains an unauthenticated SQL injection vulnerability via the 'oz' array parameter, allowing for the manipulation of backend database queries.
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25458
8.2đđ Late Disclosure
InforFirma Rehberi
Web Ofisi Firma Rehberi v1 is vulnerable to an unauthenticated SQL injection through various GET parameters, allowing attackers to manipulate database queries.
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25459
8.2đđ Late Disclosure
InforEmlak
Web Ofisi Emlak V2 contains multiple SQL injection vulnerabilities in its endpoints, allowing unauthenticated attackers to manipulate database queries via GET parameters.
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25460
8.2đđ Late Disclosure
InforPlatinum E-Ticaret
Web Ofisi Platinum E-Ticaret v5 is vulnerable to an unauthenticated SQL injection via the 'q' GET parameter, allowing for unauthorized database manipulation.
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25462
8.2đđ Late Disclosure
InforRent a Car
Web Ofisi Rent a Car v3 contains an unauthenticated SQL injection vulnerability in the 'klima' parameter, allowing attackers to execute arbitrary SQL commands.
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25433
8.2đ Late Disclosure
HPendpoint with
XOOPS CMS 2
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25452
8.2đ Late Disclosure
HPendpoint that
Dolibarr ERP/CRM 10
CVSS Base8.2
â
CRSSelect profile
CVE-2026-2896
7.3
HPof the
A weakness has been identified in funadmin up to 7
CVSS Base7.3
â
CRSSelect profile
CVE-2026-2944
7.3
HPof the
A security flaw has been discovered in Tosei Online Store Management System ãããåēčįŽĄįãˇãšãã 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-2952
7.3
HPof the
A flaw has been found in Vaelsys 4
CVSS Base7.3
â
CRSSelect profile
CVE-2019-25450
7.1đ Late Disclosure
HPendpoints to
Dolibarr ERP/CRM 10
CVSS Base7.1
â
CRSSelect profile
CVE-2026-2867
7.3đ
HPVehicle Management System
A high-severity vulnerability has been identified in itsourcecode Vehicle Management System 1, though specific technical details of the flaw are currently limited.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-2912
7.3đ
HPOnline Reviewer System
A security vulnerability has been identified in code-projects Online Reviewer System 1, which could allow an attacker to compromise the integrity and confidentiality of the application data.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-2938
7.3đ
HPStudent Result Management System
A vulnerability has been identified in SourceCodester Student Result Management System 1, potentially allowing for unauthorized data access or system manipulation.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-1367
8.3
Plusreport option
Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option
CVSS Base8.3
â
CRSSelect profile
CVE-2019-25439
8.2đđ Late Disclosure
InforCMS
NoviSmart CMS is vulnerable to a high-severity SQL injection via the Referer HTTP header, allowing remote attackers to execute arbitrary SQL queries against the database.
CVSS Base8.2
â
CRSSelect profile
CVE-2026-2870
8.8
TendaA21
A security flaw has been discovered in Tenda A21 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2871
8.8
TendaA21
A weakness has been identified in Tenda A21 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2872
8.8
TendaA21
A security vulnerability has been detected in Tenda A21 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2873
8.8
TendaA21
A vulnerability was detected in Tenda A21 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2874
8.8
TendaA21
A flaw has been found in Tenda A21 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2876
8.8
TendaA18
A vulnerability was determined in Tenda A18 15
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2877
8.8
TendaA18
A vulnerability has been found in Tenda A18 15
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2881
8.8
D-LinkDWR
A vulnerability has been found in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2882
8.8
D-LinkDWR
A vulnerability was found in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2883
8.8
D-LinkDWR
A vulnerability was determined in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2884
8.8
D-LinkDWR
A vulnerability was identified in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2885
8.8
D-LinkDWR
A security flaw has been discovered in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2886
8.8
TendaA21
A weakness has been identified in Tenda A21 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2905
8.8
TendaHG9
A vulnerability was identified in Tenda HG9 300001138
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2906
8.8
TendaHG9
A security flaw has been discovered in Tenda HG9 300001138
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2907
8.8
TendaHG9
A weakness has been identified in Tenda HG9 300001138
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2908
8.8
TendaHG9
A security vulnerability has been detected in Tenda HG9 300001138
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2909
8.8
TendaHG9
A vulnerability was detected in Tenda HG9 300001138
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2910
8.8
TendaHG9
A flaw has been found in Tenda HG9 300001138
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2911
8.8
TendaFH451 up
A vulnerability has been found in Tenda FH451 up to 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2925
8.8
D-LinkDWR
A vulnerability was detected in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2926
8.8
D-LinkDWR
A flaw has been found in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2927
8.8
D-LinkDWR
A vulnerability has been found in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2928
8.8
D-LinkDWR
A vulnerability was found in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2929
8.8
D-LinkDWR
A vulnerability was determined in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2958
8.8
D-LinkDWR
A security vulnerability has been detected in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2959
8.8
D-LinkDWR
A vulnerability was detected in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2960
8.8
D-LinkDWR
A flaw has been found in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2961
8.8
D-LinkDWR
A vulnerability has been found in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2962
8.8
D-LinkDWR
A vulnerability was found in D-Link DWR-M960 1
CVSS Base8.8
â
CRSSelect profile
CVE-2019-25366
8.2đđ Late Disclosure
microASPPortal+ CMS
An unauthenticated SQL injection vulnerability in microASP Portal+ CMS allows remote attackers to execute arbitrary SQL queries via the explode_tree parameter.
CVSS Base8.2
â
CRSSelect profile
CVE-2026-2904
8.8đ
UTTHiPER 810G
A high-severity vulnerability has been identified in the UTT HiPER 810G networking device, which could lead to unauthorized access or device compromise.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2981
8.8
UTTMultiple Products
A vulnerability was found in UTT HiPER 810G up to 1
CVSS Base8.8
â
CRSSelect profile
CVE-2019-25442
8.2đ Late Disclosure
WizMultiple Products
Web Wiz Forums 12
CVSS Base8.2
â
CRSSelect profile
CVE-2026-2998
7.8đ
eAI TechnologiesERP
A DLL Hijacking vulnerability in eAI Technologies ERP allows authenticated local attackers to execute arbitrary code by placing a malicious DLL in the application directory.
CVSS Base7.8
â
CRSSelect profile
CVE-2026-27487
7.6đ
OpenClawOpenClaw AI Assistant
The OpenClaw personal AI assistant contains a vulnerability that could allow for unauthorized access to personal data or the execution of unintended commands.
CVSS Base7.6
â
CRSSelect profile
CVE-2026-27579
7.4
InforMultiple Products
CollabPlatform is a full-stack, real-time doc collaboration platform
CVSS Base7.4
â
CRSSelect profile
CVE-2026-2940
7.3
InforMultiple Products
A vulnerability was determined in Zaher1307 tiny_web_server up to 8d77b1044a0ca3a5297d8726ac8aa2cf944d481b
CVSS Base7.3
â
CRSSelect profile
CVE-2026-2935
7.2
UTTMultiple Products
A weakness has been identified in UTT HiPER 810G up to 1
CVSS Base7.2
â
CRSSelect profile
CVE-2026-2980
7.2
UTTMultiple Products
A vulnerability has been found in UTT HiPER 810G up to 1