Critical vulnerabilities, curated daily for security professionals
🎯 SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
📊
Today's Security Brief
Saturday's vulnerability disclosures include a maximum-severity sandbox escape in SandboxJS (CVE-2026-26954, CVSS 10.0) and critical remote code execution flaws in GNU inetutils telnetd (CVE-2026-32746) and HMS Networks Ewon industrial gateways (CVE-2026-25823, CVE-2026-25818). Nine critical vulnerabilities were disclosed, a 10% decrease from the prior day, alongside 100 high-priority issues holding steady. Actively exploited vulnerabilities rose 18% to 13, with confirmed exploitation targeting Ivanti Endpoint Manager (CVE-2026-1603), Broadcom VMware Aria Operations (CVE-2026-22719), and Qualcomm chipsets (CVE-2026-21385). Attack patterns center on remote code execution, authentication bypass, and privilege escalation across enterprise infrastructure, ICS/SCADA systems, and mobile platforms. No patches are currently available for Saturday's disclosures, requiring organizations to prioritize compensating controls and network segmentation.
9 critical CVEs disclosed (down 10% from prior day), including RCE flaws in GNU inetutils telnetd and OneUptime monitoring platform
100 high-priority CVEs maintained the same volume as the prior day, spanning enterprise and consumer products
ICS/SCADA exposure from HMS Networks Ewon Flexy and Cosy+ gateway vulnerabilities (CVSS 9.8 and 9.1) affecting industrial control environments
0% patch availability across Saturday's disclosures — compensating controls and network isolation are the primary mitigation path
13 actively exploited vulnerabilities confirmed, including Ivanti EPM, VMware Aria Operations, and multiple Apple products
Immediate action: Prioritize network segmentation for systems running SandboxJS, GNU inetutils telnetd, HMS Networks Ewon gateways, and Ivanti Endpoint Manager, as these represent the highest-risk attack surfaces from this disclosure cycle. With no patches currently available, implement compensating controls including WAF rules, access restrictions, and enhanced monitoring for exploitation indicators on affected platforms.
💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove
Section Navigation
⚠️
CISA Known Exploited Vulnerabilities
⚠️ CISA KEVURGENT
CVE-2026-25108
9.5📝
Soliton Systems K.KFileZen
⏰ Federal Deadline:March 16, 2026(3 days remaining)
FileZen is affected by a high-severity OS command injection vulnerability that allows a threat actor to execute arbitrary commands on the underlying operating system.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2021-22054
9.5📜 Late Disclosure
OmnissaWorkspace One UEM
⏰ Federal Deadline:March 22, 2026(9 days remaining)
Omnissa Workspace ONE Server-Side Request Forgery - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2026-1603
9.5
Ivanti Endpoint Manager (EPM)
⏰ Federal Deadline:March 22, 2026(9 days remaining)
Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2026-22719
9.5📝
BroadcomVMware Aria Operations
⏰ Federal Deadline:March 23, 2026(10 days remaining)
VMware Aria Operations contains a command injection vulnerability that could allow an attacker to execute arbitrary commands on the affected system.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2026-21385
9.5📝
QualcommMultiple Chipsets
⏰ Federal Deadline:March 23, 2026(10 days remaining)
A memory corruption vulnerability exists in memory allocation processes when handling specific alignments, potentially leading to arbitrary code execution or system instability.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-68613
9.5📝
n8nn8n
⏰ Federal Deadline:March 24, 2026(11 days remaining)
n8n Improper Control of Dynamically-Managed Code Resources Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2017-7921
9.5📜 Late Disclosure
HikvisionMultiple Products
⏰ Federal Deadline:March 25, 2026(12 days remaining)
Hikvision Multiple Products Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2021-22681
9.5📜 Late Disclosure
RockwellMultiple Products
⏰ Federal Deadline:March 25, 2026(12 days remaining)
Rockwell Multiple Products Insufficient Protected Credentials Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2023-43000
9.5📜 Late Disclosure
AppleMultiple Products
⏰ Federal Deadline:March 25, 2026(12 days remaining)
Apple Multiple products Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2021-30952
9.5📜 Late Disclosure
AppleMultiple Products
⏰ Federal Deadline:March 25, 2026(12 days remaining)
Apple Multiple Products Integer Overflow or Wraparound Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2023-41974
9.5📜 Late Disclosure
AppleiOS and iPadOS
⏰ Federal Deadline:March 25, 2026(12 days remaining)
Apple iOS and iPadOS Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
🚨
Critical Vulnerabilities
CVE-2026-32306
9.9📝
OneUptimeOneUptime
OneUptime versions prior to 10.0.23 are vulnerable to SQL injection in the telemetry aggregation API due to improper interpolation of user-controlled parameters into ClickHouse queries.
CVSS Base9.9
→
CRSSelect profile
CVE-2026-3891
9.8📝
WordPressis vulnerable
The Pix for WooCommerce WordPress plugin (up to 1.5.0) is vulnerable to unauthenticated arbitrary file uploads due to missing capability checks and file type validation.
CVSS Base9.8
→
CRSSelect profile
CVE-2026-26954
10📝
SandboxJSSandboxJS
SandboxJS versions prior to 0.8.34 allow attackers to escape the JavaScript sandbox by obtaining arrays containing Function objects, leading to arbitrary code execution.
CVSS Base10
→
CRSSelect profile
CVE-2026-32304
9.8📝
LocutusLocutus
The Locutus library prior to version 3.0.14 is vulnerable to arbitrary code execution because the `create_function` implementation passes unsanitized input to the Function constructor.
CVSS Base9.8
→
CRSSelect profile
CVE-2026-31886
9.1📝
LinuxDagu
A path traversal vulnerability in Dagu's workflow engine allows attackers to manipulate the dagRunId field to delete arbitrary directories, including the system temporary directory.
CVSS Base9.1
→
CRSSelect profile
CVE-2026-25823
9.8📝
HMS NetworksEwon Flexy and Cosy+
A stack buffer overflow in HMS Networks Ewon Flexy and Cosy+ devices allows unauthenticated remote code execution or denial of service via malicious network requests.
CVSS Base9.8
→
CRSSelect profile
CVE-2026-32746
9.8📝
GNUinetutils (telnetd)
GNU inetutils telnetd through version 2.7 contains an out-of-bounds write vulnerability in the LINEMODE SLC suboption handler due to missing buffer checks.
CVSS Base9.8
→
CRSSelect profile
CVE-2026-32301
9.3📝
CentrifugoCentrifugo
Centrifugo versions prior to 6.7.0 are vulnerable to Server-Side Request Forgery (SSRF) when using dynamic JWKS endpoints, allowing unauthenticated attackers to trigger outbound HTTP requests.
CVSS Base9.3
→
CRSSelect profile
CVE-2026-25818
9.1📝
HMS NetworksEwon Flexy and Cosy+
HMS Networks Ewon Flexy and Cosy+ devices suffer from weak entropy in authentication cookies, enabling attackers to brute-force encryption parameters and recover user passwords.
CVSS Base9.1
→
CRSSelect profile
⚠️
High Priority Updates
⚠️ CISA KEV
CVE-2026-3909
8.8📝
GoogleChrome prior
⏰ Federal Deadline:March 26, 2026(13 days remaining)
Google Chrome versions prior to 146 contain an out-of-bounds write vulnerability in the Skia graphics engine, which is currently being exploited in the wild.
CVSS Base8.8
→
CRSSelect profile
⚠️ CISA KEV
CVE-2026-3910
8.8📝
GoogleChrome prior
⏰ Federal Deadline:March 26, 2026(13 days remaining)
Google Chrome versions prior to 146 feature an inappropriate implementation in the V8 JavaScript engine that is currently being exploited in the wild to achieve code execution.
CVSS Base8.8
→
CRSSelect profile
CVE-2026-32426
7.5
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themelexus Medilazar Core medilazar-core allows PHP Local File Inclusion
CVSS Base7.5
→
CRSSelect profile
CVE-2019-25482
8.2📜 Late Disclosure
HPHazir Rent
Jettweb PHP Hazir Rent A Car Sitesi Scripti V2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the arac_kategori_id parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25508
8.2📜 Late Disclosure
HPHazir Ilan
Jettweb Php Hazir Ilan Sitesi Scripti V2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'kat' parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25511
8.2📜 Late Disclosure
HPHazir Haber
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the videoid parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25513
8.2📜 Late Disclosure
HPHazir Haber
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25516
8.2📜 Late Disclosure
HPHazir Haber
Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gallery_id parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25517
8.2📜 Late Disclosure
HPHazir Haber
Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25518
8.2📜 Late Disclosure
HPHazir Haber
Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the poll parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25519
8.2📜 Late Disclosure
HPHazir Haber
Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code through the option parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25535
8.2📜 Late Disclosure
HPDating Site
Netartmedia PHP Dating Site contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25488
8.2📜 Late Disclosure
HPendpoint to
Jettweb Hazir Rent A Car Scripti V4 contains multiple SQL injection vulnerabilities in the admin panel that allow unauthenticated attackers to manipulate database queries through GET parameters
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25509
8.2📜 Late Disclosure
HPwith malicious
XooDigital Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25521
8.2📜 Late Disclosure
HPwith malicious
XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gal_id parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25522
8.2📜 Late Disclosure
HPwith malicious
XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25523
8.2📜 Late Disclosure
HPwith malicious
XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25524
8.2📜 Late Disclosure
HPwith malicious
XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25530
8.2📜 Late Disclosure
HPwith malicious
uHotelBooking System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the system_page GET parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25539
8.2📜 Late Disclosure
HPwith crafted
202CMS v10 beta contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2026-21672
8.8
ReplicationBackup
A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers
CVSS Base8.8
→
CRSSelect profile
CVE-2026-32400
7.5
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemetechMount Boldman boldman allows PHP Local File Inclusion
CVSS Base7.5
→
CRSSelect profile
CVE-2019-25481
8.2📜 Late Disclosure
Archendpoint with
iScripts ReserveLogic contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the jqSearchDestination parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25510
8.2📜 Late Disclosure
HPHazir Haber
Jettweb PHP Hazir Haber Sitesi Scripti V2 contains an authentication bypass vulnerability in the administration panel that allows unauthenticated attackers to gain administrative access by exploiting improper SQL query validation
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25512
8.2📜 Late Disclosure
HPHazir Haber
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows attackers to inject malicious SQL commands through the kelime parameter in POST requests
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25514
8.2📜 Late Disclosure
HPHazir Haber
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows attackers to inject malicious SQL commands through the kelime parameter in POST requests
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25520
8.2📜 Late Disclosure
HPHazir Haber
Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an authentication bypass vulnerability in the administration panel that allows unauthenticated attackers to gain administrative access by exploiting improper SQL query validation
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25534
8.2📜 Late Disclosure
HPCar Dealer
Netartmedia PHP Car Dealer contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25515
7.5📜 Late Disclosure
HPHazir Haber
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an authentication bypass vulnerability in the login
CVSS Base7.5
→
CRSSelect profile
CVE-2019-25533
8.2📜 Late Disclosure
HPBusiness Directory
Netartmedia PHP Business Directory 4
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25536
8.2📜 Late Disclosure
HPReal Estate
Netartmedia PHP Real Estate Agency 4
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25540
8.2📜 Late Disclosure
HPMall
Netartmedia PHP Mall 4
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25541
8.2📜 Late Disclosure
HPMall
Netartmedia PHP Mall 4
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25479
8.2📜 Late Disclosure
InforMultiple Products
Inout RealEstate contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the city parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25538
8.2📜 Late Disclosure
InforMultiple Products
202CMS v10 beta contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25531
8.2📜 Late Disclosure
HPthat allows
Netartmedia Deals Portal contains an SQL injection vulnerability in the Email parameter of loginaction
CVSS Base8.2
→
CRSSelect profile
CVE-2026-32260
8.1📝
Deno LandDeno
A vulnerability in the Deno runtime environment could allow for unauthorized code execution or security sandbox escape during the processing of JavaScript or TypeScript.
CVSS Base8.1
→
CRSSelect profile
CVE-2026-2890
7.5
WordPressis vulnerable
The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6
CVSS Base7.5
→
CRSSelect profile
CVE-2026-32319
7.5
EllaMultiple Products
Ella Core is a 5G core designed for private networks
CVSS Base7.5
→
CRSSelect profile
CVE-2026-3045
7.5
WordPressis vulnerable
The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1
CVSS Base7.5
→
CRSSelect profile
CVE-2019-25532
8.2📜 Late Disclosure
HPwith crafted
Netartmedia Jobs Portal 6
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25537
8.2📜 Late Disclosure
HPwith malicious
Netartmedia Event Portal 2
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25542
8.2📜 Late Disclosure
HPwith malicious
Netartmedia Real Estate Portal 5
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25543
8.2📜 Late Disclosure
HPwith malicious
Netartmedia Real Estate Portal 5
CVSS Base8.2
→
CRSSelect profile
CVE-2026-22182
7.5
HPendpoint with
wpDiscuz before 7
CVSS Base7.5
→
CRSSelect profile
CVE-2026-31944
7.6📝
AtlassianLibreChat
LibreChat, an open-source ChatGPT clone, contains a vulnerability that could allow for unauthorized access to application features or user data.
CVSS Base7.6
→
CRSSelect profile
CVE-2025-13777
8.3
ABB AWINAWIN GW100
Authentication bypass by capture-replay vulnerability in ABB AWIN GW100 rev
CVSS Base8.3
→
CRSSelect profile
CVE-2026-25529
8.1
SMTPMultiple Products
Postal is an open source SMTP server
CVSS Base8.1
→
CRSSelect profile
CVE-2026-4041
8.8
Tendai12
A security flaw has been discovered in Tenda i12 1
CVSS Base8.8
→
CRSSelect profile
CVE-2026-4042
8.8
Tendai12
A weakness has been identified in Tenda i12 1
CVSS Base8.8
→
CRSSelect profile
CVE-2026-4043
8.8
Tendai12
A security vulnerability has been detected in Tenda i12 1
CVSS Base8.8
→
CRSSelect profile
CVE-2026-21670
7.7📝
Affected SoftwareAffected Software
A security flaw allows a low-privileged local user to extract saved SSH credentials from the affected software's storage or memory.
CVSS Base7.7
→
CRSSelect profile
CVE-2026-28356
7.5
UnknownMultiple Products
multipart is a fast multipart/form-data parser for python
CVSS Base7.5
→
CRSSelect profile
CVE-2026-32597
7.5
UnknownMultiple Products
PyJWT is a JSON Web Token implementation in Python
CVSS Base7.5
→
CRSSelect profile
CVE-2025-13779
8.3
ABB AWINAWIN GW100
Missing authentication for critical function vulnerability in ABB AWIN GW100 rev
CVSS Base8.3
→
CRSSelect profile
CVE-2026-31917
8.5
weDevs WP ERP erpMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP ERP erp allows SQL Injection
CVSS Base8.5
→
CRSSelect profile
CVE-2026-31922
8.5
Ays Pro Fox LMSMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Fox LMS fox-lms allows Blind SQL Injection
CVSS Base8.5
→
CRSSelect profile
CVE-2026-32366
8.5
robfelty CollapsingMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Categories collapsing-categories allows Blind SQL Injection
CVSS Base8.5
→
CRSSelect profile
CVE-2026-32368
8.5
delphiknight Geo toMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in delphiknight Geo to Lat geo-to-lat allows Blind SQL Injection
CVSS Base8.5
→
CRSSelect profile
CVE-2026-32399
8.5
David Lingren MediaMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant media-library-assistant allows Blind SQL Injection
CVSS Base8.5
→
CRSSelect profile
CVE-2026-32422
8.5
levelfourdevelopmentMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Blind SQL Injection
CVSS Base8.5
→
CRSSelect profile
CVE-2026-32433
8.5
codepeople CP ContactMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in codepeople CP Contact Form with Paypal cp-contact-form-with-paypal allows Blind SQL Injection
CVSS Base8.5
→
CRSSelect profile
CVE-2026-32459
8.5
flycart UpsellWPMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in flycart UpsellWP checkout-upsell-and-order-bumps allows Blind SQL Injection
CVSS Base8.5
→
CRSSelect profile
CVE-2026-32358
7.6
wpdevelop BookingMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdevelop Booking Calendar booking allows Blind SQL Injection
CVSS Base7.6
→
CRSSelect profile
CVE-2026-32418
7.6
Jordy Meow MeowMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jordy Meow Meow Gallery meow-gallery allows Blind SQL Injection
CVSS Base7.6
→
CRSSelect profile
CVE-2026-32458
7.6
RealMag777Multiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 WOLF bulk-editor allows Blind SQL Injection
CVSS Base7.6
→
CRSSelect profile
CVE-2026-21668
8.8
UnknownMultiple Products
A vulnerability allowing an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository
CVSS Base8.8
→
CRSSelect profile
CVE-2026-26794
8.8
UnknownMultiple Products
GL-iNet GL-AR300M16 v4
CVSS Base8.8
→
CRSSelect profile
CVE-2026-32137
8.8
UnknownMultiple Products
Dataease is an open source data visualization analysis tool
CVSS Base8.8
→
CRSSelect profile
CVE-2026-32140
8.8
ArchMultiple Products
Dataease is an open source data visualization analysis tool
CVSS Base8.8
→
CRSSelect profile
CVE-2026-25817
8.8
firmwareMultiple Products
HMS Networks Ewon Flexy with firmware before 15
CVSS Base8.8
→
CRSSelect profile
CVE-2026-32246
8.5
authorizationMultiple Products
Tinyauth is an authentication and authorization server
CVSS Base8.5
→
CRSSelect profile
CVE-2026-28793
8.4
UnknownMultiple Products
Tina is a headless content management system
CVSS Base8.4
→
CRSSelect profile
CVE-2019-25525
8.2📜 Late Disclosure
ArchMultiple Products
Inout EasyRooms Ultimate Edition v1
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25526
8.2📜 Late Disclosure
ArchMultiple Products
Inout EasyRooms Ultimate Edition v1
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25527
8.2📜 Late Disclosure
ArchMultiple Products
Inout EasyRooms Ultimate Edition v1
CVSS Base8.2
→
CRSSelect profile
CVE-2019-25528
8.2📜 Late Disclosure
ArchMultiple Products
Inout EasyRooms Ultimate Edition v1
CVSS Base8.2
→
CRSSelect profile
CVE-2026-32138
8.2
UnknownMultiple Products
NEXULEAN is a cybersecurity portfolio & service platform for an Ethical Hacker, AI Enthusiast, and Penetration Tester
CVSS Base8.2
→
CRSSelect profile
CVE-2026-32231
8.2
UnknownMultiple Products
ZeptoClaw is a personal AI assistant
CVSS Base8.2
→
CRSSelect profile
CVE-2026-32247
8.1
ArchMultiple Products
Graphiti is a framework for building and querying temporal context graphs for AI agents
CVSS Base8.1
→
CRSSelect profile
CVE-2026-22193
8.1
wpDiscuzMultiple Products
wpDiscuz before 7
CVSS Base8.1
→
CRSSelect profile
CVE-2026-22202
8.1
wpDiscuzMultiple Products
wpDiscuz before 7
CVSS Base8.1
→
CRSSelect profile
CVE-2026-32302
8.1
UnknownMultiple Products
OpenClaw is a personal AI assistant
CVSS Base8.1
→
CRSSelect profile
CVE-2026-27940
7.8
UnknownMultiple Products
llama
CVSS Base7.8
→
CRSSelect profile
CVE-2026-0954
7.8
InforMultiple Products
There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted DSB file in Digilent DASYLab
CVSS Base7.8
→
CRSSelect profile
CVE-2026-0955
7.8
InforMultiple Products
There is a memory corruption vulnerability due to an out-of-bounds read when loading a corrupted file in Digilent DASYLab
CVSS Base7.8
→
CRSSelect profile
CVE-2026-0956
7.8
InforMultiple Products
There is a memory corruption vulnerability due to an out-of-bounds read when loading a corrupted file in Digilent DASYLab
CVSS Base7.8
→
CRSSelect profile
CVE-2026-0957
7.8
InforMultiple Products
There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted file in Digilent DASYLab
CVSS Base7.8
→
CRSSelect profile
CVE-2026-21887
7.7📝
IntelOpenCTI
A security vulnerability in the OpenCTI platform could allow for unauthorized access or disruption of cyber threat intelligence knowledge management.
CVSS Base7.7
→
CRSSelect profile
CVE-2026-32308
7.6
UnknownMultiple Products
OneUptime is a solution for monitoring and managing online services
CVSS Base7.6
→
CRSSelect profile
CVE-2026-32141
7.5
UnknownMultiple Products
flatted is a circular JSON parser
CVSS Base7.5
→
CRSSelect profile
CVE-2026-1526
7.5
WebSocketMultiple Products
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression
CVSS Base7.5
→
CRSSelect profile
CVE-2026-1528
7.5
ImpactAMultiple Products
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length
CVSS Base7.5
→
CRSSelect profile
CVE-2026-2229
7.5
WebSocketMultiple Products
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension
CVSS Base7.5
→
CRSSelect profile
CVE-2026-25819
7.5
firmwareMultiple Products
HMS Networks Ewon Flexy with firmware before 15
CVSS Base7.5
→
CRSSelect profile
CVE-2026-31882
7.5
workflowMultiple Products
Dagu is a workflow engine with a built-in Web user interface
CVSS Base7.5
→
CRSSelect profile
CVE-2026-31899
7.5
UnknownMultiple Products
CairoSVG is an SVG converter based on Cairo, a 2D graphics library
CVSS Base7.5
→
CRSSelect profile
CVE-2026-4111
7.5
ArchMultiple Products
A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path
CVSS Base7.5
→
CRSSelect profile
CVE-2026-28791
7.4
UnknownMultiple Products
Tina is a headless content management system
CVSS Base7.4
→
CRSSelect profile
CVE-2026-32242
7.4
ParseMultiple Products
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node