Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Friday's vulnerability disclosures include two maximum-severity CVSS 10.0 flaws in Linux Cyber Protect (CVE-2025-30411, CVE-2025-30412) alongside a critical Microsoft Semantic Kernel Python SDK vulnerability (CVE-2026-26030, CVSS 9.9). The day's 24 critical CVEs represent a 20% increase over Thursday, with 100 high-priority issues marking a 22% rise across both categories. WordPress plugins account for the largest share of critical disclosures, with at least six distinct plugin vulnerabilities scoring CVSS 9.8, while authorization bypass flaws affect Databank Accreditation Software. Among 20 actively exploited vulnerabilities, multiple Microsoft Windows and Office flaws are under active attack alongside legacy issues in GitLab, Zimbra, and Sangoma FreePBX dating back several years. No patches are currently available for the disclosed vulnerabilities, requiring organizations to prioritize compensating controls and monitoring.
Two CVSS 10.0 vulnerabilities in Linux Cyber Protect (CVE-2025-30411, CVE-2025-30412) represent the highest-severity disclosures of the day
24 critical CVEs disclosed, up 20% from Thursday's 20, with WordPress plugin flaws comprising the largest category
100 high-priority CVEs (CVSS 7.0-8.9), a 22% increase over the prior day's 82
Microsoft Windows and Office account for six actively exploited vulnerabilities, with additional active exploitation targeting Dell RP4VMs, Apple OS, and Google Chromium
Patch availability stands at 0% across all 124 disclosed CVEs, necessitating compensating controls
20 vulnerabilities confirmed under active exploitation, including legacy flaws in GitLab, Zimbra, and FreePBX spanning 2008-2025
Immediate action: Prioritize compensating controls for Linux Cyber Protect, Microsoft Windows and Office, and WordPress plugin deployments, as no patches are currently available for any of the 124 disclosed vulnerabilities. Monitor vendor advisories closely for patch releases on the two CVSS 10.0 Cyber Protect flaws and the six actively exploited Microsoft vulnerabilities, and consider temporarily restricting exposure of affected services where feasible.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2026-22769
9.5đ
DellRecoverPoint for Virtual Machines (RP4VMs)
â° Federal Deadline:February 20, 2026(1 days remaining)
Dell RecoverPoint for Virtual Machines contains hardcoded credentials that allow unauthenticated remote attackers to gain root-level access and establish persistence.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2021-39935
9.5đ Late Disclosure
GitLabCommunity and Enterprise Editions
â° Federal Deadline:February 23, 2026(4 days remaining)
GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-64328
9.5
SangomaFreePBX
â° Federal Deadline:February 23, 2026(4 days remaining)
Sangoma FreePBX OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2019-19006
9.5đ Late Disclosure
SangomaFreePBX
â° Federal Deadline:February 23, 2026(4 days remaining)
Sangoma FreePBX Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-11953
9.5đ
React Native CommunityCLI
â° Federal Deadline:February 25, 2026(6 days remaining)
React Native Community CLI OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-24423
9.5
SmarterToolsSmarterMail
â° Federal Deadline:February 25, 2026(6 days remaining)
SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-21513
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(11 days remaining)
A protection mechanism failure in the MSHTML Framework allows an unauthenticated attacker to bypass security features over a network, potentially leading to unauthorized system access.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-21525
9.5
MicrosoftWindows
â° Federal Deadline:March 2, 2026(11 days remaining)
Microsoft Windows NULL Pointer Dereference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-21510
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(11 days remaining)
A protection mechanism failure in the Windows Shell allows an unauthenticated attacker to bypass security features over a network connection.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-21533
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(11 days remaining)
Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate their privileges locally on the affected system.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-21519
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(11 days remaining)
A type confusion vulnerability in the Desktop Window Manager (DWM) allows an authorized local attacker to elevate their privileges to a higher level.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-21514
9.5đ
MicrosoftOffice
â° Federal Deadline:March 2, 2026(11 days remaining)
A security feature bypass vulnerability in Microsoft Office Word exists due to reliance on untrusted inputs, allowing an unauthorized local attacker to circumvent security protections.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-20700
9.5đ
AppleApple OS
â° Federal Deadline:March 4, 2026(13 days remaining)
A memory corruption vulnerability in Apple software was addressed through improved state management to prevent potential exploitation.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-43468
9.5đ Late Disclosure
MicrosoftConfiguration Manager
â° Federal Deadline:March 4, 2026(13 days remaining)
Microsoft Configuration Manager SQL Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-15556
9.5
Notepad++Notepad++
â° Federal Deadline:March 4, 2026(13 days remaining)
Notepad++ Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2020-7796
9.5đ Late Disclosure
SynacorZimbra Collaboration Suite
â° Federal Deadline:March 9, 2026(18 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-7694
9.5đ Late Disclosure
TeamT5ThreatSonar Anti-Ransomware
â° Federal Deadline:March 9, 2026(18 days remaining)
TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2008-0015
9.5đ Late Disclosure
MicrosoftWindows
â° Federal Deadline:March 9, 2026(18 days remaining)
Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-2441
9.5đ
GoogleChromium
â° Federal Deadline:March 9, 2026(18 days remaining)
Google Chrome is vulnerable to a "Use After Free" condition in its CSS engine, which could allow a remote attacker to execute arbitrary code via a crafted webpage.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-22175
9.5đ Late Disclosure
GitLabGitLab
â° Federal Deadline:March 10, 2026(19 days remaining)
GitLab Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2026-0926
9.8đ
WordPressis vulnerable
The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion (LFI) via the 'template_name' parameter, enabling unauthenticated RCE.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-26030
9.9đ
MicrosoftSemantic Kernel Python SDK
A remote code execution vulnerability exists in Microsoftâs Semantic Kernel Python SDK due to improper filtering in the `InMemoryVectorStore` component. Attackers can execute arbitrary code.
CVSS Base9.9
â
CRSSelect profile
CVE-2025-13851
9.8đ
WordPresssite
The Buyent Classified plugin for WordPress allows unauthenticated attackers to register as administrators due to a lack of role validation during REST API registration.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-1405
9.8đ
WordPressis vulnerable
The Slider Future plugin for WordPress allows unauthenticated arbitrary file uploads, which can be leveraged to achieve remote code execution on the server.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-12882
9.8đ
WordPressis vulnerable
The Clasifico Listing plugin for WordPress is vulnerable to privilege escalation, allowing unauthenticated users to register themselves with the 'administrator' role.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-13563
9.8đ
WordPressis vulnerable
The Lizza LMS Pro plugin for WordPress is vulnerable to privilege escalation, enabling unauthenticated attackers to register as administrators and take over the site.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-1994
9.8đ
WordPressis vulnerable
The s2Member plugin for WordPress allows unauthenticated privilege escalation via account takeover due to insufficient identity validation during password updates in versions up to 260127.
Databank Accreditation Software is vulnerable to SQL Injection via an authorization bypass in user-controlled primary keys, affecting all versions through Feb 19, 2026.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-30411
10đ
LinuxCyber Protect
Acronis Cyber Protect (Linux and Windows) is vulnerable to sensitive data disclosure and manipulation due to improper authentication in versions 15 and 16.
CVSS Base10
â
CRSSelect profile
CVE-2025-30412
10đ
LinuxCyber Protect
Acronis Cyber Protect (Linux and Windows) suffers from an improper authentication vulnerability allowing sensitive data disclosure and manipulation in versions 15 and 16.
CVSS Base10
â
CRSSelect profile
CVE-2025-30416
10đ
LinuxCyber Protect
Acronis Cyber Protect (Linux and Windows) is vulnerable to sensitive data disclosure and manipulation due to missing authorization in versions 15 and 16.
CVSS Base10
â
CRSSelect profile
CVE-2025-30410
9.8
LinuxMultiple Products
Sensitive data disclosure and manipulation due to missing authentication. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 39870, Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 41800.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-26980
9.4đ
Ghost FoundationGhost CMS
Ghost CMS is vulnerable to unauthenticated arbitrary database reads, allowing attackers to extract sensitive information directly from the underlying database.
CVSS Base9.4
â
CRSSelect profile
CVE-2025-12107
10
InforMultiple Products
Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates.
Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.
CVSS Base10
â
CRSSelect profile
CVE-2025-71243
9.8đ
SPIPSaisies pour formulaire (Saisies) plugin
The 'Saisies' plugin for SPIP contains a critical Remote Code Execution (RCE) vulnerability that allows attackers to run arbitrary code on the host server.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-26339
9.8
Hyland AlfrescoMultiple Products
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functionality.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-13590
9.1đ
UnknownSystem REST API
A critical flaw in a system REST API allows an authenticated administrator to upload arbitrary files to user-controlled locations, leading to remote code execution.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-2686
9.8đ
SECCNDingcheng G10
A command injection vulnerability in the SECCN Dingcheng G10 login script allows unauthenticated remote attackers to execute OS commands via the User argument.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-25242
9.8đ
GogsGogs Git Service
Gogs Git service exposes unauthenticated file upload endpoints by default, allowing remote users to upload arbitrary files and potentially exhaust disk space or host malware.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-27476
9.8
its remoteMultiple Products
RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send crafted hex-encoded payloads containing system commands to execute arbitrary operations on the target system, including reverse shell establishment and command execution.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-23542
9.8
ThemeGoods GrandMultiple Products
Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.This issue affects Grand Restaurant: from n/a through <= 7.0.10.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-23549
9.8
magepeopleteam WpEventlyMultiple Products
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 5.1.1.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-8350
9.8
Inrove SoftwareMultiple Products
Execution After Redirect (EAR), Missing Authentication for Critical Function vulnerability in Inrove Software and Internet Services BiEticaret CMS allows Authentication Bypass, HTTP Response Splitting.This issue affects BiEticaret CMS: from 2.1.13 through 19022026.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-24834
9.3
KataMultiple Products
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.27.0, an issue in Kata with Cloud Hypervisor allows a user of the container to modify the file system used by the Guest micro VM ultimately achieving arbitrary code execution as root in said VM. The current understanding is this doesnât impact the security of the Host or of other containers / VMs running on that Host (note that arm64 QEMU lacks NVDIMM read-only support: It is believed that until the upstream QEMU gains this capability, a guest write could reach the image file). Version 3.27.0 patches the issue.
CVSS Base9.3
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2026-27052
7.5
WordPresssctv
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2026-1426
8.8
WordPressis vulnerable
The Advanced AJAX Product Filters plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3
CVSS Base8.8
â
CRSSelect profile
CVE-2026-26990
8.8
ArchMultiple Products
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2648
8.8
GoogleChrome prior
Heap buffer overflow in PDFium in Google Chrome prior to 145
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2650
8.8
GoogleChrome prior
Heap buffer overflow in Media in Google Chrome prior to 145
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2232
7.5
WordPressis vulnerable
The Product Table and List Builder for WooCommerce Lite plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 4
CVSS Base7.5
â
CRSSelect profile
CVE-2026-2649
8.8
GoogleChrome prior
Integer overflow in V8 in Google Chrome prior to 145
CVSS Base8.8
â
CRSSelect profile
CVE-2026-21535
8.2
MicrosoftTeams allows
Improper access control in Microsoft Teams allows an unauthorized attacker to disclose information over a network
CVSS Base8.2
â
CRSSelect profile
CVE-2025-12845
8.8
WordPressis vulnerable
The Tablesome Table â Contact Form DB â WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0
CVSS Base8.8
â
CRSSelect profile
CVE-2025-4521
8.8
WordPressis vulnerable
The IDonate â Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-0912
8.8
WordPressis vulnerable
The Toret Manager plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'trman_save_option' function and on the 'trman_save_option_items' in all versions up to, and including, 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-11754
7.5
WordPressis vulnerable
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4
CVSS Base7.5
â
CRSSelect profile
CVE-2025-12707
7.5
WordPressis vulnerable
The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3
CVSS Base7.5
â
CRSSelect profile
CVE-2026-1581
7.5
WordPressis vulnerable
The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2
CVSS Base7.5
â
CRSSelect profile
CVE-2025-70064
8.8
HPMultiple Products
PHPGurukul Hospital Management System v4
CVSS Base8.8
â
CRSSelect profile
CVE-2025-12821
8.8
WordPressis vulnerable
The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13603
8.8
WordPressis vulnerable
The WP AUDIO GALLERY plugin for WordPress is vulnerable to Unauthorized Arbitrary File Read in all versions up to, and including, 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-0974
8.8
WordPressRestaurant Online
The Orderable â WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'install_plugin' function in all versions up to, and including, 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-25755
8.1
UnknownMultiple Products
jsPDF is a library to generate PDFs in JavaScript
CVSS Base8.1
â
CRSSelect profile
CVE-2026-25940
8.1
UnknownMultiple Products
jsPDF is a library to generate PDFs in JavaScript
CVSS Base8.1
â
CRSSelect profile
CVE-2025-70151
8.8
HPand upload
code-projects Scholars Tracking System 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-26358
8.8
DellUnisphere for
Dell Unisphere for PowerMax, version(s) 10
CVSS Base8.8
â
CRSSelect profile
CVE-2026-26359
8.8
DellUnisphere for
Dell Unisphere for PowerMax, version(s) 10
CVSS Base8.8
â
CRSSelect profile
CVE-2026-26959
7.8
ArchMultiple Products
ADB Explorer is a fluent UI for ADB on Windows
CVSS Base7.8
â
CRSSelect profile
CVE-2019-25349
7.5đ Late Disclosure
forMultiple Products
ScadaApp for iOS 1
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26360
8.1
DellUnisphere for
Dell Unisphere for PowerMax, version(s) 10
CVSS Base8.1
â
CRSSelect profile
CVE-2026-26362
8.1
DellUnisphere for
Dell Unisphere for PowerMax, version(s) 10
CVSS Base8.1
â
CRSSelect profile
CVE-2026-22267
8.1
DellPowerProtect Data
Dell PowerProtect Data Manager, version(s) prior to 19
CVSS Base8.1
â
CRSSelect profile
CVE-2026-26200
7.8
F5is software
HDF5 is software for managing data
CVSS Base7.8
â
CRSSelect profile
CVE-2025-70147
7.5
HPand
Missing authentication in /admin/student
CVSS Base7.5
â
CRSSelect profile
CVE-2025-70148
7.5
HPin CodeAstro
Missing authentication and authorization in print_membership_card
CVSS Base7.5
â
CRSSelect profile
CVE-2025-33245
8
NVIDIANeMo Framework
NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution
CVSS Base8
â
CRSSelect profile
CVE-2026-25232
8.8
HPMultiple Products
Gogs is an open source self-hosted Git service
CVSS Base8.8
â
CRSSelect profile
CVE-2025-33241
7.8
NVIDIANeMo Framework
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by loading a maliciously crafted file
CVSS Base7.8
â
CRSSelect profile
CVE-2025-33243
7.8
NVIDIANeMo Framework
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution in distributed environments
CVSS Base7.8
â
CRSSelect profile
CVE-2025-33250
7.8
NVIDIANeMo Framework
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution
CVSS Base7.8
â
CRSSelect profile
CVE-2025-33251
7.8
NVIDIANeMo Framework
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution
CVSS Base7.8
â
CRSSelect profile
CVE-2025-33252
7.8
NVIDIANeMo Framework
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution
CVSS Base7.8
â
CRSSelect profile
CVE-2025-33253
7.8
NVIDIANeMo Framework
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by convincing a user to load a maliciously crafted file
CVSS Base7.8
â
CRSSelect profile
CVE-2026-27099
8
JenkinsMultiple Products
Jenkins 2
CVSS Base8
â
CRSSelect profile
CVE-2026-22860
7.5
webMultiple Products
Rack is a modular Ruby web server interface
CVSS Base7.5
â
CRSSelect profile
CVE-2026-2689
7.3
HPMultiple Products
A vulnerability was detected in itsourcecode Event Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-2690
7.3
HPMultiple Products
A flaw has been found in itsourcecode Event Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-2691
7.3
HPMultiple Products
A vulnerability has been found in itsourcecode Event Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-27182
8.4
MouseMultiple Products
Saturn Remote Mouse Server contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending specially crafted UDP JSON frames to port 27000
CVSS Base8.4
â
CRSSelect profile
CVE-2025-33236
7.8
NVIDIANeMo Framework
NVIDIA NeMo Framework contains a vulnerability where malicious data created by an attacker could cause code injection
CVSS Base7.8
â
CRSSelect profile
CVE-2025-33239
7.8
NVIDIAMegatron Bridge
NVIDIA Megatron Bridge contains a vulnerability in a data merging tutorial, where malicious input could cause a code injection
CVSS Base7.8
â
CRSSelect profile
CVE-2025-33240
7.8
NVIDIAMegatron Bridge
NVIDIA Megatron Bridge contains a vulnerability in a data shuffling tutorial, where malicious input could cause a code injection
CVSS Base7.8
â
CRSSelect profile
CVE-2025-33246
7.8
NVIDIANeMo Framework
NVIDIA NeMo Framework for all platforms contains a vulnerability in the ASR Evaluator utility, where a user could cause a command injection by supplying crafted input to a configuration parameter
CVSS Base7.8
â
CRSSelect profile
CVE-2025-33249
7.8
NVIDIANeMo Framework
NVIDIA NeMo Framework for all platforms contains a vulnerability in a voice-preprocessing script, where malicious input created by an attacker could cause a code injection
CVSS Base7.8
â
CRSSelect profile
CVE-2025-4960
7.8
AWSin its
The com
CVSS Base7.8
â
CRSSelect profile
CVE-2026-26050
7.8
Archpath
The installer for ã¸ã§ããã°éč¨/åæãŊãããĻã§ãĸ RICOHã¸ã§ããã°éč¨ããŧãĢ versions prior to Ver
CVSS Base7.8
â
CRSSelect profile
CVE-2025-1272
7.7
startingKernel lockdown
The Linux Kernel lockdown mode for kernel versions starting on 6
CVSS Base7.7
â
CRSSelect profile
CVE-2026-25474
7.5
Telegramwebhook mode
OpenClaw is a personal AI assistant
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26275
7.5
SUSEof Rust
httpsig-hyper is a hyper extension for http message signatures
CVSS Base7.5
â
CRSSelect profile
CVE-2026-23544
8.8
codetipi ValentiMultiple Products
Deserialization of Untrusted Data vulnerability in codetipi Valenti valenti allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2026-25926
7.3
ArchPath vulnerability
Notepad++ is a free and open-source source code editor
CVSS Base7.3
â
CRSSelect profile
CVE-2026-27179
8.2
commandsMultiple Products
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module
CVSS Base8.2
â
CRSSelect profile
CVE-2026-25378
7.6
Nelio Software NelioMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Blind SQL Injection
CVSS Base7.6
â
CRSSelect profile
CVE-2026-25418
7.6
bitpressadmin BitMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bitpressadmin Bit Form bit-form allows SQL Injection
CVSS Base7.6
â
CRSSelect profile
CVE-2019-25351
8.8đ Late Disclosure
CentovaMultiple Products
Centova Cast 3
CVSS Base8.8
â
CRSSelect profile
CVE-2026-26318
8.8
InforMultiple Products
systeminformation is a System and OS information library for node
CVSS Base8.8
â
CRSSelect profile
CVE-2026-26975
8.8
libraryMultiple Products
Music Assistant is an open-source media library manager that integrates streaming services with connected speakers
CVSS Base8.8
â
CRSSelect profile
CVE-2019-25357
8.4đ Late Disclosure
CenterMultiple Products
Control Center PRO 6
CVSS Base8.4
â
CRSSelect profile
CVE-2026-26280
8.4
InforMultiple Products
systeminformation is a System and OS information library for node
CVSS Base8.4
â
CRSSelect profile
CVE-2026-24708
8.2
NovaMultiple Products
An issue was discovered in OpenStack Nova before 30
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25359
8.2đ Late Disclosure
InforMultiple Products
SD
CVSS Base8.2
â
CRSSelect profile
CVE-2026-26337
8.2
andMultiple Products
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal
CVSS Base8.2
â
CRSSelect profile
CVE-2026-27475
8.1
SPIPMultiple Products
SPIP before 4
CVSS Base8.1
â
CRSSelect profile
CVE-2025-60035
7.8
UnknownMultiple Products
A vulnerability has been identified in the OPC
CVSS Base7.8
â
CRSSelect profile
CVE-2025-60036
7.8
UnknownMultiple Products
A vulnerability has been identified in the UA
CVSS Base7.8
â
CRSSelect profile
CVE-2025-60037
7.8
UnknownMultiple Products
A vulnerability has been identified in Rexroth IndraWorks
CVSS Base7.8
â
CRSSelect profile
CVE-2025-60038
7.8
UnknownMultiple Products
A vulnerability has been identified in Rexroth IndraWorks
CVSS Base7.8
â
CRSSelect profile
CVE-2025-61982
7.8
OpenCFDMultiple Products
An arbitrary code execution vulnerability exists in the Code Stream directive functionality of OpenCFD OpenFOAM 2506
CVSS Base7.8
â
CRSSelect profile
CVE-2026-0874
7.8
UnknownMultiple Products
A maliciously crafted CATPART file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2026-0875
7.8
UnknownMultiple Products
A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2026-27013
7.6
UnknownMultiple Products
Fabric
CVSS Base7.6
â
CRSSelect profile
CVE-2026-26322
7.6
UnknownMultiple Products
OpenClaw is a personal AI assistant
CVSS Base7.6
â
CRSSelect profile
CVE-2026-2507
7.5
WhenMultiple Products
When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed traffic can cause TMM to terminate
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25350
7.5đ Late Disclosure
XMediaMultiple Products
XMedia Recode 3
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25352
7.5đ Late Disclosure
HTTPMultiple Products
Crystal Live HTTP Server 6
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25353
7.5đ Late Disclosure
ManagementMultiple Products
Foscam Video Management System 1
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25354
7.5đ Late Disclosure
iSmartViewProMultiple Products
iSmartViewPro 1
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25355
7.5đ Late Disclosure
gSOAPMultiple Products
gSOAP 2
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25358
7.5đ Late Disclosure
FileOptimizerMultiple Products
FileOptimizer 14
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25363
7.5đ Late Disclosure
WMVMultiple Products
WMV to AVI MPEG DVD WMV Convertor 4
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25401
7.5đ Late Disclosure
adminMultiple Products
Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a denial of service vulnerability in the admin configuration page
CVSS Base7.5
â
CRSSelect profile
CVE-2026-27181
7.5
UnknownMultiple Products
MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26336
7.5
HylandMultiple Products
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26202
7.5
UnknownMultiple Products
Penpot is an open-source design tool for design and code collaboration
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26267
7.5
UnknownMultiple Products
soroban-sdk is a Rust SDK for Soroban contracts
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26278
7.5
UnknownMultiple Products
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26316
7.5
UnknownMultiple Products
OpenClaw is a personal AI assistant
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26319
7.5
UnknownMultiple Products
OpenClaw is a personal AI assistant
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26321
7.5
UnknownMultiple Products
OpenClaw is a personal AI assistant
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26324
7.5
UnknownMultiple Products
OpenClaw is a personal AI assistant
CVSS Base7.5
â
CRSSelect profile
CVE-2026-2668
7.3
UnknownMultiple Products
A vulnerability was found in Rongzhitong Visual Integrated Command and Dispatch Platform up to 20260206
CVSS Base7.3
â
CRSSelect profile
CVE-2026-2684
7.3
ArchMultiple Products
A vulnerability was determined in Tsinghua Unigroup Electronic Archives System up to 3
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9062
7.3
andMultiple Products
Authorization Bypass Through User-Controlled Key vulnerability in MeCODE Informatics and Engineering Services Ltd
CVSS Base7.3
â
CRSSelect profile
CVE-2026-26192
7.3
IntelMultiple Products
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline