Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Today's Security Brief
Saturday's disclosures center on Azure IoT Central, Saltcorn, and Clerk identity platforms, with multiple critical flaws scoring 9.8 or higher across cloud and authentication infrastructure. The brief covers 19 critical CVEs (down 49% from yesterday) and 72 high-priority issues (down 21%). Notable critical entries include CVE-2026-21515 (CVSS 9.9) in Azure IoT Central, CVE-2026-41478 (CVSS 9.9) in Saltcorn, and CVE-2026-1949 (CVSS 9.8) in Delta Electronics AS320T industrial controllers. Remote code execution and authentication bypass dominate the attack patterns, with cloud services, ICS hardware, and developer authentication libraries all represented. Patches are not yet broadly available for today's disclosures, so defenders should rely on access controls and monitoring while vendor fixes propagate.
Azure IoT Central CVE-2026-21515 (CVSS 9.9) and Saltcorn CVE-2026-41478 (CVSS 9.9) lead today's critical disclosures
19 critical CVEs disclosed, a 49% decrease from yesterday's 37
72 high-priority CVEs disclosed, a 21% decrease from yesterday's 91
Remote code execution and authentication bypass affect Clerk identity, Delta Electronics ICS, and AWS Ops Wheel
0% patch availability across today's critical set; mitigations and access restrictions are the near-term control
19 actively exploited entries span Microsoft Office, SharePoint, Adobe Acrobat, Apache ActiveMQ, and SimpleHelp
Immediate action: Prioritize Azure IoT Central, Saltcorn, Clerk, and Delta Electronics AS320T deployments for immediate review, and isolate exposed instances pending vendor fixes. With no patches yet available for today's critical CVEs, apply network segmentation, restrict management interfaces, and monitor for exploitation indicators on Microsoft, Adobe, and SimpleHelp products listed in the actively exploited set.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2012-1854
9.5π Late Disclosure
MicrosoftVisual Basic for Applications (VBA)
β° Federal Deadline:April 26, 2026(2 days remaining)
Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-60710
9.5
MicrosoftWindows
β° Federal Deadline:April 26, 2026(2 days remaining)
Microsoft Windows Link Following Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2023-21529
9.5π Late Disclosure
MicrosoftExchange Server
β° Federal Deadline:April 26, 2026(2 days remaining)
Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2023-36424
9.5π Late Disclosure
MicrosoftWindows
β° Federal Deadline:April 26, 2026(2 days remaining)
Microsoft Windows Out-of-Bounds Read Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2020-9715
9.5π Late Disclosure
AdobeAcrobat
β° Federal Deadline:April 26, 2026(2 days remaining)
Adobe Acrobat Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-34621
9.5π
AdobeAcrobat and Reader
β° Federal Deadline:April 26, 2026(2 days remaining)
Adobe Acrobat Reader is vulnerable to prototype pollution, which can result in arbitrary code execution when a victim opens a malicious file.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2009-0238
9.5π Late Disclosure
MicrosoftOffice
β° Federal Deadline:April 27, 2026(3 days remaining)
Microsoft Office Remote Code Execution - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-32201
9.5
MicrosoftSharePoint Server
β° Federal Deadline:April 27, 2026(3 days remaining)
Microsoft SharePoint Server Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-34197
9.5
ApacheActiveMQ
β° Federal Deadline:April 29, 2026(5 days remaining)
Apache ActiveMQ Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-2749
9.5
KenticoKentico Xperience
β° Federal Deadline:May 3, 2026(9 days remaining)
Kentico Xperience Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2023-27351
9.5π Late Disclosure
PaperCutNG/MF
β° Federal Deadline:May 3, 2026(9 days remaining)
PaperCut NG/MF Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-32975
9.5
QuestKACE Systems Management Appliance (SMA)
β° Federal Deadline:May 3, 2026(9 days remaining)
Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2024-27199
9.5π Late Disclosure
JetBrainsTeamCity
β° Federal Deadline:May 3, 2026(9 days remaining)
JetBrains TeamCity Relative Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-33825
9.5
MicrosoftDefender
β° Federal Deadline:May 5, 2026(11 days remaining)
Microsoft Defender Insufficient Granularity of Access Control Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-39987
9.5
MarimoMarimo
β° Federal Deadline:May 6, 2026(12 days remaining)
Marimo Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-29635
9.5
D-LinkDIR-823X
β° Federal Deadline:May 7, 2026(13 days remaining)
D-Link DIR-823X Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2024-7399
9.5π Late Disclosure
SamsungMagicINFO 9 Server
β° Federal Deadline:May 7, 2026(13 days remaining)
Samsung MagicINFO 9 Server Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2024-57728
9.5π Late Disclosure
SimpleHelp SimpleHelp
β° Federal Deadline:May 7, 2026(13 days remaining)
SimpleHelp Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2024-57726
9.5π Late Disclosure
SimpleHelp SimpleHelp
β° Federal Deadline:May 7, 2026(13 days remaining)
SimpleHelp Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2026-39920
9.8
ArchMultiple Products
BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-21515
9.9
AzureIOT Central
Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.
CVSS Base9.9
β
CRSSelect profile
CVE-2026-41327
9.1
UnknownMultiple Products
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-41478
9.9
SaltcornMultiple Products
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcornβs mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.
CVSS Base9.9
β
CRSSelect profile
CVE-2026-41492
9.8
UnknownMultiple Products
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-41328
9.1
UnknownMultiple Products
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack requires two HTTP POSTs to port 8080. The first sets up a schema predicate with @unique @index(exact) @lang via /alter (also unauthenticated in default config). The second sends a crafted JSON mutation to /mutate?commitNow=true where a JSON key contains the predicate name followed by @ and a DQL injection payload in the language tag position. The injection exploits the addQueryIfUnique function in edgraph/server.go, which constructs DQL queries using fmt.Sprintf with unsanitized predicateName that includes the raw pred.Lang value. The Lang field is extracted from JSON mutation keys by x.PredicateLang(), which splits on @, and is never validated by any function in the codebase. The attacker injects a closing parenthesis to escape the eq() function, adds an arbitrary named query block, and uses a # comment to neutralize trailing template syntax. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-41248
9.1
ClerkMultiple Products
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1
CVSS Base9.1
β
CRSSelect profile
CVE-2026-1949
9.8π
DeltaElectronics AS320T
Delta Electronics AS320T is vulnerable to a stack-based buffer overflow due to incorrect buffer size calculations in its web service's GET/PUT request handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6911
9.8
AWSOps Wheel
Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint.
To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6951
9.8
UnknownMultiple Products
Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-1950
9.8
DeltaElectronics AS320T
Delta Electronics AS320T has
No checking of the length of the buffer with the file name vulnerability.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-1951
9.8
DeltaElectronics AS320T
Delta Electronics AS320T has no checking of the length of the buffer with the directory name
vulnerability.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-1952
9.8
DeltaElectronics AS320T
Delta Electronics AS320T has denial of service via the undocumented subfunctionΒ vulnerability.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-25775
9.8
SenseLiveΒ X3050Multiple Products
A vulnerability inΒ SenseLiveΒ X3050βs remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host and does not verify user privileges, integrity of uploaded images, or the authenticity of provided firmware.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-27843
9.1π
SenseLiveX3050
A vulnerability in the SenseLive X3050 web management interface allows unauthorized modification of configuration parameters, leading to a persistent Denial-of-Service (DoS).
CVSS Base9.1
β
CRSSelect profile
CVE-2026-41428
9.1π
ArchBudibase
Budibase contains an authentication bypass vulnerability where unanchored regular expressions allow attackers to access protected endpoints via crafted query strings.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-35503
9.8π
SenseLive X3050X3050 Management Interface
The SenseLive X3050 web management interface is vulnerable to an authentication bypass due to client-side logic that relies on hardcoded values instead of secure server-side verification.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-40620
9.8π
SenseLiveΒ X3050X3050
The SenseLive X3050 embedded management service lacks any authentication or authorization, allowing unauthenticated attackers full administrative control over the device.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-40630
9.8π
SenseLive
X3050X3050
Improper access control enforcement in the SenseLive X3050 web management interface allows unauthorized users to interact with sensitive configuration endpoints.
CVSS Base9.8
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2026-33317
8.7
Linuxkernel running
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology
CVSS Base8.7
β
CRSSelect profile
CVE-2026-26150
8.6
MicrosoftPurview allows
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network
CVSS Base8.6
β
CRSSelect profile
CVE-2026-6921
8.3
GoogleChrome on
Race in GPU in Google Chrome on Windows prior to 147
CVSS Base8.3
β
CRSSelect profile
CVE-2026-5364
8.1
WordPressis vulnerable
The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1
CVSS Base8.1
β
CRSSelect profile
CVE-2026-32172
8
MicrosoftPower Apps
Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network
CVSS Base8
β
CRSSelect profile
CVE-2026-33662
7.5
Linuxkernel running
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology
CVSS Base7.5
β
CRSSelect profile
CVE-2026-31952
7.6
APIMultiple Products
Xibo is an open source digital signage platform with a web content management system and Windows display player software
CVSS Base7.6
β
CRSSelect profile
CVE-2026-41246
8.1
Kubernetesingress controller
Contour is a Kubernetes ingress controller using Envoy proxy
CVSS Base8.1
β
CRSSelect profile
CVE-2026-41429
8.8
UnknownMultiple Products
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers
CVSS Base8.8
β
CRSSelect profile
CVE-2026-41309
8.2
HPMultiple Products
Open Source Social Network (OSSN) is open-source social networking software developed in PHP
CVSS Base8.2
β
CRSSelect profile
CVE-2026-41323
8.1
TeamsMultiple Products
Kyverno is a policy engine designed for cloud native platform engineering teams
CVSS Base8.1
β
CRSSelect profile
CVE-2026-40466
8.8
Apache ActiveMQActiveMQ Broker
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ
CVSS Base8.8
β
CRSSelect profile
CVE-2026-41044
8.8
ApacheActiveMQ
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All
CVSS Base8.8
β
CRSSelect profile
CVE-2026-41068
7.7
TeamsMultiple Products
Kyverno is a policy engine designed for cloud native platform engineering teams
CVSS Base7.7
β
CRSSelect profile
CVE-2026-41485
7.7
TeamsMultiple Products
Kyverno is a policy engine designed for cloud native platform engineering teams
CVSS Base7.7
β
CRSSelect profile
CVE-2026-42033
7.4
HTTPMultiple Products
Axios is a promise based HTTP client for the browser and Node
CVSS Base7.4
β
CRSSelect profile
CVE-2026-42035
7.4
HTTPMultiple Products
Axios is a promise based HTTP client for the browser and Node
CVSS Base7.4
β
CRSSelect profile
CVE-2026-5464
7.2
GoogleAnalytics Dashboard
The ExactMetrics β Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9
CVSS Base7.2
β
CRSSelect profile
CVE-2026-42043
7.2
HTTPMultiple Products
Axios is a promise based HTTP client for the browser and Node
CVSS Base7.2
β
CRSSelect profile
CVE-2026-23902
8.1
ApacheDolphinScheduler allows
Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution
CVSS Base8.1
β
CRSSelect profile
CVE-2026-41278
7.5
Dockervalidation revealed
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base7.5
β
CRSSelect profile
CVE-2026-6912
8.8
AWSOps Wheel
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute
CVSS Base8.8
β
CRSSelect profile
CVE-2026-40886
7.7
KubernetesMultiple Products
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes
CVSS Base7.7
β
CRSSelect profile
CVE-2026-41316
8.1
UnknownMultiple Products
ERB is a templating system for Ruby
CVSS Base8.1
β
CRSSelect profile
CVE-2026-41241
8.7
Archin the
pretalx is a conference planning tool
CVSS Base8.7
β
CRSSelect profile
CVE-2026-41066
7.5
UnknownMultiple Products
lxml is a library for processing XML and HTML in the Python language
CVSS Base7.5
β
CRSSelect profile
CVE-2026-6947
7.5
D-Linkhas
DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force Protection Bypass vulnerability, allowing unauthenticated adjacent network attackers to bypass login attempt limits to perform brute-force attacks to gain control over the device
CVSS Base7.5
β
CRSSelect profile
CVE-2026-21728
7.5
Archconfig
Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy
CVSS Base7.5
β
CRSSelect profile
CVE-2026-41414
7.4
GitHubuser can
Skim is a fuzzy finder designed to through files, lines, and commands
CVSS Base7.4
β
CRSSelect profile
CVE-2026-41272
7.1
AWSallow attackers
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base7.1
β
CRSSelect profile
CVE-2026-41359
7.1
OpenClawconfiguration and
OpenClaw before 2026
CVSS Base7.1
β
CRSSelect profile
CVE-2026-6903
7.5
WebMultiple Products
The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality
CVSS Base7.5
β
CRSSelect profile
CVE-2026-41137
8.8
UnknownMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base8.8
β
CRSSelect profile
CVE-2026-41138
8.8
AirtableAgentMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base8.8
β
CRSSelect profile
CVE-2026-41277
8.8
DocumentStoreMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base8.8
β
CRSSelect profile
CVE-2026-41349
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
β
CRSSelect profile
CVE-2026-41352
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
β
CRSSelect profile
CVE-2026-33318
8.8
UnknownMultiple Products
Actual is a local-first personal finance tool
CVSS Base8.8
β
CRSSelect profile
CVE-2026-40897
8.8
UnknownMultiple Products
Math
CVSS Base8.8
β
CRSSelect profile
CVE-2026-41421
8.8
UnknownMultiple Products
SiYuan is an open-source personal knowledge management system
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5367
8.6
InforMultiple Products
A flaw was found in OVN (Open Virtual Network)
CVSS Base8.6
β
CRSSelect profile
CVE-2026-41461
8.5
SocialEngineMultiple Products
SocialEngine versions 7
CVSS Base8.5
β
CRSSelect profile
CVE-2026-41433
8.4
UnknownMultiple Products
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard
CVSS Base8.4
β
CRSSelect profile
CVE-2026-41271
8.3
UnknownMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base8.3
β
CRSSelect profile
CVE-2026-41273
8.2
UnknownMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base8.2
β
CRSSelect profile
CVE-2026-41267
8.1
accountMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base8.1
β
CRSSelect profile
CVE-2026-41353
8.1
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.1
β
CRSSelect profile
CVE-2026-27841
8.1
SenseLiveMultiple Products
A vulnerability inΒ SenseLiveΒ X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections
CVSS Base8.1
β
CRSSelect profile
CVE-2026-39462
8.1
UnknownMultiple Products
A vulnerability exists inΒ SenseLive X3050βs web management interface in which password updates are not reliably applied due to improper handling of credential changes on the backend
CVSS Base8.1
β
CRSSelect profile
CVE-2026-40623
8.1
SenseLiveMultiple Products
A vulnerability inΒ SenseLiveΒ X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls
CVSS Base8.1
β
CRSSelect profile
CVE-2026-33999
7.8
UnknownMultiple Products
A flaw was found in the X
CVSS Base7.8
β
CRSSelect profile
CVE-2026-34001
7.8
UnknownMultiple Products
A flaw was found in the X
CVSS Base7.8
β
CRSSelect profile
CVE-2026-34003
7.8
InforMultiple Products
A flaw was found in the X
CVSS Base7.8
β
CRSSelect profile
CVE-2026-41336
7.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.8
β
CRSSelect profile
CVE-2026-41477
7.8
UnknownMultiple Products
Deskflow is a keyboard and mouse sharing app
CVSS Base7.8
β
CRSSelect profile
CVE-2026-42171
7.8
UnknownMultiple Products
NSIS (Nullsoft Scriptable Install System) 3
CVSS Base7.8
β
CRSSelect profile
CVE-2026-41419
7.6
ArchMultiple Products
4ga Boards is a boards system for realtime project management
CVSS Base7.6
β
CRSSelect profile
CVE-2026-41266
7.5
UnknownMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base7.5
β
CRSSelect profile
CVE-2026-41275
7.5
UnknownMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base7.5
β
CRSSelect profile
CVE-2026-41279
7.5
UnknownMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base7.5
β
CRSSelect profile
CVE-2026-35064
7.5
SenseLiveMultiple Products
A vulnerability inΒ SenseLiveΒ X3050βs management ecosystem allows unauthenticated discovery of deployed units through the vendorβs management protocol, enabling identification of device presence, identifiers, and management interfaces without requiring credentials
CVSS Base7.5
β
CRSSelect profile
CVE-2026-41324
7.5
FTPMultiple Products
basic-ftp is an FTP client for Node
CVSS Base7.5
β
CRSSelect profile
CVE-2026-33524
7.5
UnknownMultiple Products
Zserio is a framework for serializing structured data with a compact and efficient way with low overhead
CVSS Base7.5
β
CRSSelect profile
CVE-2026-33666
7.5
UnknownMultiple Products
Zserio is a framework for serializing structured data with a compact and efficient way with low overhead
CVSS Base7.5
β
CRSSelect profile
CVE-2025-70994
7.3
Signalforgery after
Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system
CVSS Base7.3
β
CRSSelect profile
CVE-2026-41342
7.3
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.3
β
CRSSelect profile
CVE-2026-41355
7.3
OpenShellMultiple Products
OpenShell before 2026
CVSS Base7.3
β
CRSSelect profile
CVE-2026-41269
7.1
UnknownMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base7.1
β
CRSSelect profile
CVE-2026-41270
7.1
UnknownMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow