Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Monday's vulnerability disclosures include critical remote code execution flaws in Wavlink routers and Delta Electronics COMMGR2 industrial software, both scoring CVSS 9.8. The brief covers 2 critical CVEs (down 60% from Sunday) and 61 high-priority CVEs (down 25%), reflecting a quieter start to the week. Fifteen vulnerabilities have confirmed active exploitation, spanning Roundcube Webmail, VMware Aria Operations, Google Chromium, GitLab, and legacy flaws in Apple, Hikvision, and Rockwell Automation products. Attack patterns include authentication bypass, remote code execution, and memory corruption across networking equipment, enterprise collaboration platforms, and industrial control systems. No patches are currently available for the disclosed CVEs, making compensating controls and network segmentation essential in the interim.
CVE-2026-3703 and CVE-2026-3630 rated CVSS 9.8 â critical RCE in Wavlink NU516U1 routers and Delta Electronics COMMGR2 industrial software
2 critical CVEs disclosed, down 60% from Sunday's 5 critical vulnerabilities
61 high-priority CVEs (CVSS 7.0â8.9), a 25% decrease from the prior day's 81
Active exploitation confirmed in Roundcube Webmail, VMware Aria Operations, Google Chromium, Qualcomm chipsets, and GitLab
0% patch availability across all disclosed CVEs â no vendor fixes released yet
15 actively exploited vulnerabilities include legacy flaws dating back to 2008 in Microsoft Windows and 2017 in Hikvision products
Immediate action: Prioritize network segmentation and access restrictions for Wavlink routers, Delta Electronics COMMGR2 systems, and any exposed Roundcube Webmail or VMware Aria Operations instances. With no patches currently available, apply compensating controls such as WAF rules, disabling unnecessary services, and monitoring for indicators of compromise associated with the 15 actively exploited CVEs.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2020-7796
9.5đ Late Disclosure
SynacorZimbra Collaboration Suite
â° Federal Deadline:March 9, 2026(1 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2024-7694
9.5đ Late Disclosure
TeamT5ThreatSonar Anti-Ransomware
â° Federal Deadline:March 9, 2026(1 days remaining)
TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2008-0015
9.5đ Late Disclosure
MicrosoftWindows
â° Federal Deadline:March 9, 2026(1 days remaining)
Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-2441
9.5đ
GoogleChromium
â° Federal Deadline:March 9, 2026(1 days remaining)
Google Chrome is vulnerable to a "Use After Free" condition in its CSS engine, which could allow a remote attacker to execute arbitrary code via a crafted webpage.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2021-22175
9.5đ Late Disclosure
GitLabGitLab
â° Federal Deadline:March 10, 2026(2 days remaining)
GitLab Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-49113
9.5
RoundcubeWebmail
â° Federal Deadline:March 12, 2026(4 days remaining)
RoundCube Webmail Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-68461
9.5
RoundcubeWebmail
â° Federal Deadline:March 12, 2026(4 days remaining)
RoundCube Webmail Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-25108
9.5đ
Soliton Systems K.KFileZen
â° Federal Deadline:March 16, 2026(8 days remaining)
FileZen is affected by a high-severity OS command injection vulnerability that allows a threat actor to execute arbitrary commands on the underlying operating system.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-22719
9.5đ
BroadcomVMware Aria Operations
â° Federal Deadline:March 23, 2026(15 days remaining)
VMware Aria Operations contains a command injection vulnerability that could allow an attacker to execute arbitrary commands on the affected system.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-21385
9.5đ
QualcommMultiple Chipsets
â° Federal Deadline:March 23, 2026(15 days remaining)
A memory corruption vulnerability exists in memory allocation processes when handling specific alignments, potentially leading to arbitrary code execution or system instability.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2017-7921
9.5đ Late Disclosure
HikvisionMultiple Products
â° Federal Deadline:March 25, 2026(17 days remaining)
Hikvision Multiple Products Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-22681
9.5đ Late Disclosure
RockwellMultiple Products
â° Federal Deadline:March 25, 2026(17 days remaining)
Rockwell Multiple Products Insufficient Protected Credentials Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2023-43000
9.5đ Late Disclosure
AppleMultiple Products
â° Federal Deadline:March 25, 2026(17 days remaining)
Apple Multiple products Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-30952
9.5đ Late Disclosure
AppleMultiple Products
â° Federal Deadline:March 25, 2026(17 days remaining)
Apple Multiple Products Integer Overflow or Wraparound Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2023-41974
9.5đ Late Disclosure
AppleiOS and iPadOS
â° Federal Deadline:March 25, 2026(17 days remaining)
Apple iOS and iPadOS Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2026-3703
9.8đ
WavlinkNU516U1 Router
A remote out-of-bounds write vulnerability in the Wavlink NU516U1 router allows attackers to manipulate the ipaddr argument in /cgi-bin/login.cgi, potentially leading to full system compromise.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-3630
9.8đ
DeltaElectronics COMMGR2
Delta Electronics COMMGR2 is affected by a stack-based buffer overflow vulnerability that could lead to arbitrary code execution or system crashes.
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2026-3734
7.3
HPof the
A flaw has been found in SourceCodester Client Database Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3762
7.3
HPof the
A vulnerability has been found in SourceCodester Client Database Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3764
7.3đ
HPClient Database Management System
A vulnerability in SourceCodester Client Database Management System version 1 could allow for unauthorized database access or manipulation.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-30834
7.5đ
HTTPPinchTab HTTP Server
PinchTab, an HTTP server for AI agents, contains a vulnerability that could allow for unauthorized control over Chrome browser instances.
CVSS Base7.5
â
CRSSelect profile
CVE-2026-3708
7.3đ
HPSimple Flight Ticket Booking System
A security flaw in code-projects Simple Flight Ticket Booking System version 1 could lead to unauthorized access to booking records or user data.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3709
7.3đ
HPSimple Flight Ticket Booking System
A weakness in code-projects Simple Flight Ticket Booking System version 1 has been identified, potentially allowing for data manipulation or unauthorized access.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3723
7.3đ
HPSimple Flight Ticket Booking System
Another security flaw has been discovered in version 1 of the code-projects Simple Flight Ticket Booking System, affecting its overall security.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3730
7.3đ
HPFree Hotel Reservation System
A security flaw has been discovered in itsourcecode Free Hotel Reservation System 1 that could allow an attacker to compromise the application's integrity and confidentiality.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3744
7.3đ
HPStudent Web Portal
A high-severity vulnerability in code-projects Student Web Portal 1 could allow an attacker to gain unauthorized access to sensitive academic and personal data.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3746
7.3đ
HPSimple Responsive Tourism Website
A security vulnerability in SourceCodester Simple Responsive Tourism Website 1 could enable attackers to compromise the website and access backend data.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3747
7.3đ
HPUniversity Management System
itsourcecode University Management System 1 is vulnerable to a high-severity flaw that could lead to unauthorized administrative access and data manipulation.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3758
7.3đ
HPOnline Art Gallery Shop
A weakness has been identified in projectworlds Online Art Gallery Shop 1 that could allow attackers to compromise the online storefront and its data.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3759
7.3
HPMultiple Products
A security vulnerability has been detected in projectworlds Online Art Gallery Shop 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3760
7.3
HPMultiple Products
A vulnerability was detected in itsourcecode University Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3765
7.3
HPMultiple Products
A vulnerability was identified in itsourcecode University Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3823
8.8đ
Atop TechnologiesEHG2408 series switch
The Atop Technologies EHG2408 series switch contains a stack-based buffer overflow allowing unauthenticated remote attackers to execute arbitrary code.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-30851
8.1
extensibleMultiple Products
Caddy is an extensible server platform that uses TLS by default
CVSS Base8.1
â
CRSSelect profile
CVE-2026-3677
8.8
TendaFH451
A vulnerability was found in Tenda FH451 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3678
8.8
TendaFH451
A vulnerability was determined in Tenda FH451 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3679
8.8
TendaFH451
A vulnerability was identified in Tenda FH451 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3726
8.8
TendaF453
A vulnerability has been found in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3727
8.8
TendaF453
A vulnerability was found in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3728
8.8
TendaF453
A vulnerability was determined in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3729
8.8
TendaF453
A vulnerability was identified in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3732
8.8
TendaF453
A security vulnerability has been detected in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3768
8.8
TendaF453
A security vulnerability has been detected in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3769
8.8
TendaF453
A vulnerability was detected in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3799
8.8
Tendai3
A flaw has been found in Tenda i3 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3801
8.8
Tendai3
A vulnerability was found in Tenda i3 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3802
8.8
Tendai3
A vulnerability was determined in Tenda i3 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3803
8.8
Tendai3
A vulnerability was identified in Tenda i3 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3804
8.8
Tendai3
A security flaw has been discovered in Tenda i3 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3807
8.8
TendaFH1202
A security vulnerability has been detected in Tenda FH1202 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3808
8.8
TendaFH1202
A vulnerability was detected in Tenda FH1202 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3809
8.8
TendaFH1202
A flaw has been found in Tenda FH1202 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3810
8.8
TendaFH1202
A vulnerability has been found in Tenda FH1202 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-29778
7.1
downloadMultiple Products
pyLoad is a free and open-source download manager written in Python
CVSS Base7.1
â
CRSSelect profile
CVE-2026-28678
8.1đ
DSA Study HubDSA Study Hub Web Application
A high-severity vulnerability has been identified in the DSA Study Hub educational web application, requiring immediate vendor-supplied updates.
CVSS Base8.1
â
CRSSelect profile
CVE-2026-29779
7.5đ
CloudflareWorkers
UptimeFlare, a monitoring solution powered by Cloudflare Workers, contains a security vulnerability that could impact serverless monitoring operations.
CVSS Base7.5
â
CRSSelect profile
CVE-2026-3631
7.5
DeltaElectronics COMMGR2
Delta Electronics COMMGR2 has
Buffer Over-read DoS vulnerability
CVSS Base7.5
â
CRSSelect profile
CVE-2026-3787
7
Archpath
A weakness has been identified in UltraVNC 1
CVSS Base7
â
CRSSelect profile
CVE-2026-30855
8.8đ
WeKnoraWeKnora LLM Framework
A high-severity vulnerability has been found in the WeKnora LLM framework, potentially impacting document understanding and semantic retrieval security.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3698
8.8
UTTMultiple Products
A vulnerability was identified in UTT HiPER 810G up to 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3699
8.8
UTTMultiple Products
A security flaw has been discovered in UTT HiPER 810G up to 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3700
8.8
UTTMultiple Products
A weakness has been identified in UTT HiPER 810G up to 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3701
8.8đ
H3CMagic B1 Router
A security vulnerability in the H3C Magic B1 router up to version 100R004 could allow for unauthorized device access or control.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3715
8.8đ
WavlinkWL-WN579X3-C
A high-severity vulnerability has been identified in the Wavlink WL-WN579X3-C router, specifically affecting firmware version 231124, potentially allowing for unauthorized system compromise.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-29193
8.2
ZitadelMultiple Products
ZITADEL is an open source identity management platform
CVSS Base8.2
â
CRSSelect profile
CVE-2026-29067
8.1đ
ZITADELZITADEL
ZITADEL, an open-source identity management platform, is affected by a high-severity vulnerability that could compromise identity and access management (IAM) security.
CVSS Base8.1
â
CRSSelect profile
CVE-2026-30896
7.8
QseeMultiple Products
The installer for Qsee Client versions 1
CVSS Base7.8
â
CRSSelect profile
CVE-2026-29186
7.7
developerMultiple Products
Backstage is an open framework for building developer portals
CVSS Base7.7
â
CRSSelect profile
CVE-2026-29192
7.7
ZitadelMultiple Products
ZITADEL is an open source identity management platform
CVSS Base7.7
â
CRSSelect profile
CVE-2026-29784
7.5đ
Ghost FoundationGhost
A security vulnerability has been identified in the Ghost Node.js content management system that may impact system integrity.
CVSS Base7.5
â
CRSSelect profile
CVE-2026-3693
7.3đ
Shy2593666979AgentChat
A security flaw in Shy2593666979 AgentChat up to version 2 has been identified, potentially allowing for unauthorized system manipulation.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3696
7.3
TotolinkMultiple Products
A vulnerability was found in Totolink N300RH 6
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3705
7.3
BookingMultiple Products
A vulnerability was found in code-projects Simple Flight Ticket Booking System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3735
7.3
BookingMultiple Products
A vulnerability has been found in code-projects Simple Flight Ticket Booking System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3736
7.3
BookingMultiple Products
A vulnerability was found in code-projects Simple Flight Ticket Booking System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3740
7.3
ManagementMultiple Products
A weakness has been identified in itsourcecode University Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3757
7.3
GalleryMultiple Products
A security flaw has been discovered in projectworlds Online Art Gallery Shop 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3794
7.3
doramartMultiple Products
A vulnerability was identified in doramart DoraCMS 3