Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Wednesday's disclosed vulnerabilities center on networking infrastructure and browser security, with Totolink A8000RU routers accounting for five critical CVEs and Mozilla Firefox/Thunderbird facing a sandbox escape flaw. The brief includes 16 critical CVEs, down 50% from the prior day, and 100 high-priority issues, unchanged from yesterday. Notable critical entries include CVE-2026-7321 (CVSS 9.6) affecting Firefox and Thunderbird sandboxes, CVE-2026-7248 (CVSS 9.8) in D-Link DI devices, and CVE-2026-24178 (CVSS 9.8) in NVIDIA NVFlare Dashboard. Attack patterns trend toward remote code execution and unauthenticated access against consumer routers, IoT cameras, and enterprise dashboards. No vendor patches are currently available for the disclosed issues, requiring compensating controls and network segmentation; 13 CVEs across Apache ActiveMQ, Microsoft Defender, and SimpleHelp show active exploitation.
Totolink A8000RU routers dominate disclosures with five critical CVEs (CVE-2026-7202, 7203, 7204, 7240, 7241) at CVSS 9.8
Critical CVE volume drops 50% to 16 disclosures compared to 32 the prior day
High-priority CVE count holds steady at 100, matching yesterday's volume
Remote code execution and unauthenticated access dominate, affecting D-Link DI, NVIDIA NVFlare, and AIOT camera firmware
Patch availability sits at 0% across disclosed critical vulnerabilities, requiring interim mitigations
13 actively exploited CVEs span Apache ActiveMQ, Microsoft Defender, SimpleHelp, and ConnectWise ScreenConnect
Immediate action: Prioritize isolation and access restriction for Totolink A8000RU routers, D-Link DI devices, NVIDIA NVFlare Dashboard, and Mozilla Firefox/Thunderbird deployments where sandbox integrity is critical. With no patches available for the new critical disclosures, apply network segmentation and monitor exploitation indicators for actively exploited products including Apache ActiveMQ, Microsoft Defender, and SimpleHelp.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2026-34197
9.5
ApacheActiveMQ
â° Federal Deadline:April 29, 2026(1 days remaining)
Apache ActiveMQ Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-2749
9.5
KenticoKentico Xperience
â° Federal Deadline:May 3, 2026(5 days remaining)
Kentico Xperience Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2023-27351
9.5đ Late Disclosure
PaperCutNG/MF
â° Federal Deadline:May 3, 2026(5 days remaining)
PaperCut NG/MF Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-32975
9.5
QuestKACE Systems Management Appliance (SMA)
â° Federal Deadline:May 3, 2026(5 days remaining)
Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2024-27199
9.5đ Late Disclosure
JetBrainsTeamCity
â° Federal Deadline:May 3, 2026(5 days remaining)
JetBrains TeamCity Relative Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-33825
9.5
MicrosoftDefender
â° Federal Deadline:May 5, 2026(7 days remaining)
Microsoft Defender Insufficient Granularity of Access Control Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-39987
9.5
MarimoMarimo
â° Federal Deadline:May 6, 2026(8 days remaining)
Marimo Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-29635
9.5
D-LinkDIR-823X
â° Federal Deadline:May 7, 2026(9 days remaining)
D-Link DIR-823X Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-7399
9.5đ Late Disclosure
SamsungMagicINFO 9 Server
â° Federal Deadline:May 7, 2026(9 days remaining)
Samsung MagicINFO 9 Server Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-57728
9.5đ Late Disclosure
SimpleHelp SimpleHelp
â° Federal Deadline:May 7, 2026(9 days remaining)
SimpleHelp Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-57726
9.5đ Late Disclosure
SimpleHelp SimpleHelp
â° Federal Deadline:May 7, 2026(9 days remaining)
SimpleHelp Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-1708
9.5đ Late Disclosure
ConnectWiseScreenConnect
â° Federal Deadline:May 11, 2026(13 days remaining)
ConnectWise ScreenConnect Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-32202
9.5
MicrosoftWindows
â° Federal Deadline:May 11, 2026(13 days remaining)
Microsoft Windows Protection Mechanism Failure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2026-7321
9.6đ
SandboxFirefox, Thunderbird
A sandbox escape vulnerability in the WebRTC networking component allows attackers to bypass security boundaries.
CVSS Base9.6
â
CRSSelect profile
CVE-2026-7248
9.8đ
D-LinkDI
A remote buffer overflow vulnerability in the D-Link DI-8100 CGI endpoint allows for arbitrary code execution.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-24178
9.8
NVIDIANVFlare Dashboard
NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key. A successful exploit of this vulnerability may lead to privilege escalation, data tampering, information disclosure, code execution, and denial of service.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-32644
9.8đ
Specific firmwareAIOT Cameras
Milesight AIOT cameras use SSL certificates with default private keys, enabling potential man-in-the-middle attacks.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-41873
9.8đ
Pony MailPony Mail (Lua Implementation)
A request smuggling vulnerability in the retired Lua version of Pony Mail allows for unauthorized administrative account takeover.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-7202
9.8đ
TotolinkA8000RU
A remote OS command injection vulnerability in the Totolink A8000RU CGI handler allows attackers to execute arbitrary code via the wscDisabled argument.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-7203
9.8đ
TotolinkA8000RU
A remote OS command injection vulnerability exists in the Totolink A8000RU CGI handler, reachable via the setUrlFilterRules function and the enable argument.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-7204
9.8đ
TotolinkA8000RU
The Totolink A8000RU is susceptible to remote OS command injection via the setPptpServerCfg function and the enable argument in the CGI handler.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-7240
9.8đ
TotolinkA8000RU
A remote OS command injection vulnerability in the Totolink A8000RU CGI handler is reachable through the setVpnAccountCfg function's User argument.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-7241
9.8đ
TotolinkA8000RU
The Totolink A8000RU is vulnerable to remote OS command injection via the setWiFiBasicCfg function, triggered by the wifiOff argument.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-7242
9.8đ
TotolinkA8000RU
A remote OS command injection vulnerability in the Totolink A8000RU CGI handler is accessible via the setOpenVpnClientCfg function's enabled argument.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-7243
9.8đ
TotolinkA8000RU
The Totolink A8000RU is susceptible to remote OS command injection in the setRadvdCfg function, reachable via the maxRtrAdvInterval argument.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-7244
9.8đ
TotolinkA8000RU
A remote OS command injection vulnerability in the Totolink A8000RU CGI handler is reachable via the setWiFiEasyGuestCfg function's merge argument.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-40976
9.1đ
SpringBoot
A default web security misconfiguration in Spring Boot 4.0.0â4.0.5 allows unauthenticated access to all endpoints in specific servlet-based applications.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-41386
9.1đ
OpenClawOpenClaw
A privilege escalation vulnerability in OpenClaw during device pairing allows attackers to gain unauthorized access by manipulating device roles.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-3893
9.4đ
CarlsonVASCO-B GNSS Receiver
The Carlson VASCO-B GNSS Receiver lacks authentication, allowing unauthenticated attackers to modify configurations and operational functions.
CVSS Base9.4
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2026-27760
8.1
HPcode injection
OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter
CVSS Base8.1
â
CRSSelect profile
CVE-2026-40858
8.8
ApacheCamel
The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java
CVSS Base8.8
â
CRSSelect profile
CVE-2025-48431
7.5
Apache ThriftThrift
Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings
CVSS Base7.5
â
CRSSelect profile
CVE-2026-41405
7.5
Teamswebhook request
OpenClaw before 2026
CVSS Base7.5
â
CRSSelect profile
CVE-2026-6741
8.8
WordPressis vulnerable
The LatePoint â Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5
CVSS Base8.8
â
CRSSelect profile
CVE-2026-40022
8.2
HTTPCamel embedded
When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel
CVSS Base8.2
â
CRSSelect profile
CVE-2026-40473
8.8
ApacheCamel
The camel-mina component's MinaConverter
CVSS Base8.8
â
CRSSelect profile
CVE-2026-27172
8.8
ApacheCamel
The ConsulRegistry in the camel-consul component (class org
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7234
7.3
InforMultiple Products
A weakness has been identified in BrowserOperator browser-operator-core up to 0
CVSS Base7.3
â
CRSSelect profile
CVE-2026-41604
8.2
ApacheThrift
Out-of-bounds Read vulnerability in Apache Thrift
CVSS Base8.2
â
CRSSelect profile
CVE-2026-5944
8.2
CiscoIntersight Device
An improper access control vulnerability exists in the Cisco Intersight Device Connector for Nutanix Prism Central
CVSS Base8.2
â
CRSSelect profile
CVE-2026-40048
7.8
ApacheCamel
The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>
CVSS Base7.8
â
CRSSelect profile
CVE-2026-41602
7.5
Apache ThriftThrift TFramedTransport
Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation
This issue affects Apache Thrift: before 0
CVSS Base7.5
â
CRSSelect profile
CVE-2026-41636
7.5
Apache ThriftThrift Node
Uncontrolled Recursion vulnerability in Apache Thrift Node
CVSS Base7.5
â
CRSSelect profile
CVE-2026-41603
7.4
ApacheThrift
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift
CVSS Base7.4
â
CRSSelect profile
CVE-2026-38934
8.8
HPMultiple Products
Cross Site Request Forgery vulnerability in diskoverdata diskover-community v
CVSS Base8.8
â
CRSSelect profile
CVE-2026-24222
8.6
NVIDIANeMoClaw contains
NVIDIA NeMoClaw contains a vulnerability in the sandbox environment initialization component, where a remote attacker could cause improper access control by sending prompt-injected content that causes the agent to read and exfiltrate host environment variables not properly restricted during sandbox creation
CVSS Base8.6
â
CRSSelect profile
CVE-2026-24186
8.8
NVIDIAFLARE SDK
NVIDIA FLARE SDK contains a vulnerability in FOBS, where an attacker may cause deserialization of untrusted data by sending a malicious FOBS- encoded message
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7126
7.3
HPMultiple Products
A security flaw has been discovered in SourceCodester Pharmacy Sales and Inventory System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7127
7.3
HPMultiple Products
A weakness has been identified in SourceCodester Pharmacy Sales and Inventory System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7128
7.3
HPMultiple Products
A security vulnerability has been detected in SourceCodester Pharmacy Sales and Inventory System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7130
7.3
HPMultiple Products
A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7131
7.3
HPMultiple Products
A vulnerability has been found in code-projects Online Lot Reservation System up to 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7194
7.3
HPMultiple Products
A weakness has been identified in SourceCodester Pharmacy Sales and Inventory System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7199
7.3
HPMultiple Products
A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7224
7.3
HPMultiple Products
A security flaw has been discovered in SourceCodester Pizzafy Ecommerce System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7225
7.3
HPMultiple Products
A weakness has been identified in SourceCodester Pizzafy Ecommerce System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7226
7.3
HPMultiple Products
A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7227
7.3
HPMultiple Products
A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7228
7.3
HPMultiple Products
A flaw has been found in SourceCodester Pizzafy Ecommerce System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7211
7.3
ArchAPI
A weakness has been identified in dvladimirov MCP up to 0
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7098
8.8
TendaF456
A security vulnerability has been detected in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7099
8.8
TendaF456
A vulnerability was detected in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7100
8.8
TendaF456
A flaw has been found in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7101
8.8
TendaF456
A vulnerability has been found in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7119
8.8
TendaHG3
A vulnerability was detected in Tenda HG3 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7151
8.8
TendaHG3
A vulnerability was determined in Tenda HG3 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7288
8.8
D-LinkDIR
A vulnerability has been found in D-Link DIR-825M 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7289
8.8
D-LinkDIR
A vulnerability was found in D-Link DIR-825M 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-30350
7.5
Protocolendpoint of
An issue in the /store/items/search endpoint of Agent Protocol server commit e9a89f allows attackers to cause a Denial of Service (DoS) via a crafted POST request
CVSS Base7.5
â
CRSSelect profile
CVE-2026-40978
8.8
SpringMultiple Products
SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs
CVSS Base8.8
â
CRSSelect profile
CVE-2026-40972
7.5
InforMultiple Products
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret
CVSS Base7.5
â
CRSSelect profile
CVE-2026-3323
7.5
InforMultiple Products
An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes
CVSS Base7.5
â
CRSSelect profile
CVE-2026-38651
8.2
priorMultiple Products
Authentication Bypass vulnerability exists in Netmaker versions prior to 1
CVSS Base8.2
â
CRSSelect profile
CVE-2026-41463
8.8
ProjeQtorMultiple Products
ProjeQtor versions 7
CVSS Base8.8
â
CRSSelect profile
CVE-2025-69689
8.8
its Open FileMultiple Products
The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7160
8.8
AcerMultiple Products
A vulnerability was determined in Tenda HG3 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-27785
8.8
SpecificMultiple Products
Specific firmware versions of Milesight AIOT camera firmware contain hard-coded credentials
CVSS Base8.8
â
CRSSelect profile
CVE-2026-20766
8.8
UnknownMultiple Products
An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras
CVSS Base8.8
â
CRSSelect profile
CVE-2026-41378
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
â
CRSSelect profile
CVE-2026-41404
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
â
CRSSelect profile
CVE-2026-42422
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
â
CRSSelect profile
CVE-2026-42426
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
â
CRSSelect profile
CVE-2026-40967
8.6
UnknownMultiple Products
In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages
CVSS Base8.6
â
CRSSelect profile
CVE-2026-41371
8.5
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.5
â
CRSSelect profile
CVE-2026-41914
8.5
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.5
â
CRSSelect profile
CVE-2026-41394
8.2
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.2
â
CRSSelect profile
CVE-2026-41364
8.1
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.1
â
CRSSelect profile
CVE-2026-41383
8.1
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.1
â
CRSSelect profile
CVE-2026-42431
8.1
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.1
â
CRSSelect profile
CVE-2026-42167
8.1
ProFTPDMultiple Products
mod_sql in ProFTPD before 1
CVSS Base8.1
â
CRSSelect profile
CVE-2026-5940
7.8
UnknownMultiple Products
Calling a function that triggers a UI refresh after removing comments via a script may access an invalidated object, leading to program crashes
CVSS Base7.8
â
CRSSelect profile
CVE-2026-5941
7.8
ArchMultiple Products
Parsing logic flaws cause non-signature data to be misidentified as valid signatures when processing malformed form field hierarchies, leading to invalid memory writes and program crashes during internal data structure construction
CVSS Base7.8
â
CRSSelect profile
CVE-2026-5943
7.8
InforMultiple Products
Document structural anomalies caused inconsistencies between page element relationships and internal index states
CVSS Base7.8
â
CRSSelect profile
CVE-2026-7279
7.8
UnknownMultiple Products
AVACAST developed by eMPIA Technology, has a DLL Hijacking vulnerability, allowing authenticated local attackers to place a malicious DLL in a specific directory, resulting in arbitrary code execution with system privileges when the system loads the DLL
CVSS Base7.8
â
CRSSelect profile
CVE-2026-41384
7.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.8
â
CRSSelect profile
CVE-2026-41387
7.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.8
â
CRSSelect profile
CVE-2026-41396
7.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.8
â
CRSSelect profile
CVE-2026-42432
7.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.8
â
CRSSelect profile
CVE-2026-42379
7.7
WPDeveloperMultiple Products
Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data
CVSS Base7.7
â
CRSSelect profile
CVE-2026-41649
7.7
UnknownMultiple Products
Outline is a service that allows for collaborative documentation
CVSS Base7.7
â
CRSSelect profile
CVE-2026-41912
7.6
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.6
â
CRSSelect profile
CVE-2026-7040
7.5
UnknownMultiple Products
Text::Minify::XS versions from v0
CVSS Base7.5
â
CRSSelect profile
CVE-2026-30351
7.5
autocoderMultiple Products
A path traversal vulnerability in the UI/static component of leonvanzyl autocoder commit 79d02a allows attackers to read arbitrary files via sending crafted URL path containing traversal sequences
CVSS Base7.5
â
CRSSelect profile
CVE-2025-69428
7.5
UnknownMultiple Products
An issue in Pro-Bit before v1
CVSS Base7.5
â
CRSSelect profile
CVE-2026-31256
7.5
UnknownMultiple Products
A null pointer dereference vulnerability exists in the RTSP service of the MERCURY MIPC252W 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-67223
7.5
FileMultiple Products
The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8
CVSS Base7.5
â
CRSSelect profile
CVE-2026-7320
7.5
InforMultiple Products
Information disclosure due to incorrect boundary conditions in the Audio/Video component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-41395
7.5
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.5
â
CRSSelect profile
CVE-2026-41399
7.5
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.5
â
CRSSelect profile
CVE-2026-42423
7.5
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.5
â
CRSSelect profile
CVE-2026-7146
7.3
InforMultiple Products
A security vulnerability has been detected in AlejandroArciniegas mcp-data-vis up to de5a51525a69822290eaee569a1ab447b490746d
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7147
7.3
InforMultiple Products
A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7149
7.3
InforMultiple Products
A vulnerability has been found in dexhunter kaggle-mcp up to 406127ffcb2b91b8c10e20e6c2ca787fbc1dc92d
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7157
7.3
InforMultiple Products
A flaw has been found in disler aider-mcp-server up to b2516fa466d0d851932da92ee6d0e66946db9efc
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7158
7.3
InforMultiple Products
A vulnerability has been found in dmitryglhf mcp-url-downloader up to 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7159
7.3
UnknownMultiple Products
A vulnerability was found in douinc mkdocs-mcp-plugin up to 0
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7177
7.3
InforMultiple Products
A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7178
7.3
InforMultiple Products
A weakness has been identified in ChatGPTNextWeb NextChat up to 2
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7205
7.3
ArchMultiple Products
A vulnerability was identified in duartium papers-mcp-server 9ceb3812a6458ba7922ca24a7406f8807bc55598
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7206
7.3
UnknownMultiple Products
A security flaw has been discovered in dubydu sqlite-mcp up to 0
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7212
7.3
InforMultiple Products
A security vulnerability has been detected in edvardlindelof notes-mcp up to 0
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7213
7.3
InforMultiple Products
A vulnerability was detected in ef10007 MLOps_MCP 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7214
7.3
eghuzefaMultiple Products
A vulnerability was identified in eghuzefa engineer-your-data up to 0
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7215
7.3
InforMultiple Products
A security flaw has been discovered in egtai gmx-vmd-mcp up to 0
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7216
7.3
InforMultiple Products
A weakness has been identified in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7220
7.3
FastlyMultiple Products
A vulnerability has been found in jackwrichards FastlyMCP up to 6f3d0b0e654fc51076badc7fa16c03c461f95620
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7221
7.3
UnknownMultiple Products
A vulnerability was found in TencentCloudBase CloudBase-MCP up to 2
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7223
7.3
InforMultiple Products
A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2
CVSS Base7.3
â
CRSSelect profile
CVE-2026-7237
7.3
UnknownMultiple Products
A vulnerability was detected in AgiFlow scaffold-mcp up to 1