CVE-2026-20045
Cisco Unified Communications Products Code Injection Vulnerability - Active in CISA KEV catalog.
Yesterday's CVE disclosures included 14 critical vulnerabilities (CVSS 9.0+), a 180% increase from the prior day's 5 critical issues. High-priority vulnerabilities (CVSS 7.0-8.9) totaled 73, representing a 204% increase from the previous 24. Eleven vulnerabilities are actively exploited, including CVE-2026-20045 affecting Cisco Unified Communications Manager, CVE-2025-68645 in Zimbra Collaboration Suite, and CVE-2024-37079 targeting VMware vCenter Server. Notable critical disclosures include CVE-2026-25142 (CVSS 10.0) in SandboxJS, CVE-2026-22778 (CVSS 9.8) affecting vLLM inference engine, and CVE-2026-21509 (CVSS 9.5) impacting Microsoft Office. Patch availability currently stands at 0%, requiring organizations to implement compensating controls while monitoring for vendor updates.
Immediate action: Organizations using Cisco Unified Communications Manager, Zimbra Collaboration Suite, VMware vCenter Server, and Microsoft Office should prioritize assessment and implement network segmentation or access restrictions as compensating controls. Monitor vendor security advisories for patch releases, as no fixes are currently available for yesterday's disclosures.
Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability - Active in CISA KEV catalog.
Versa Concerto Improper Authentication Vulnerability - Active in CISA KEV catalog.
Vite Vitejs Improper Access Control Vulnerability - Active in CISA KEV catalog.
Prettier eslint-config-prettier Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability - Active in CISA KEV catalog.
Linux Kernel Integer Overflow Vulnerability - Active in CISA KEV catalog.
SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability - Active in CISA KEV catalog.
GNU InetUtils Argument Injection Vulnerability - Active in CISA KEV catalog.
Microsoft Office Security Feature Bypass Vulnerability - Active in CISA KEV catalog.
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SandboxJS does not properly restrict __lookupGetter__, which can be used to obtain prototypes and thereby escape the sandbox and achieve remote code execution. This vulnerability is fixed in 0.8.27.
The database account and password are hardcoded, allowing login with that account to manipulate the database in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1.
The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user whose username is known, including administrators, and therefore gain access to their account.
The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests: if access logs are retained, searching them and/or Odoo's log for requests to /web/database can indicate whether this has been actively exploited. The database manager is a feature intended for development and not meant to be publicly reachable. On other setups, a master password acts as a second line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus cannot persist the auto-generated password. This also applies when manually setting a master password in the web UI. This means the password is lost when Odoo is restarted. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.
A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the `name` parameter of the `@router.post("/reinstall_extension")` route. This vulnerability allows attackers to inject a malicious `name` parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. This issue arises due to the concatenation of `data.name` directly with `lollmsElfServer.lollms_paths.extensions_zoo_path` and its use as an argument for `ExtensionBuilder().build_extension()`. The server's handling of the `__init__.py` file in arbitrary locations, facilitated by `importlib.machinery.SourceFileLoader`, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to `0.0.0.0` or in `headless mode`. No user interaction is required for exploitation.
A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the `/3/Parse` endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the `/3/Frames/framename/export` endpoint. The impact of this vulnerability includes the potential for remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files.
Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint (/fs) that handles multipart file uploads but fails to properly sanitize the filename provided by the user. Specifically, the writeFileUploadData method directly concatenates the configured storage directory with the filename extracted from the upload request without stripping directory traversal sequences (e.g., ../../). This vulnerability allows an attacker to write arbitrary files to any location on the server's filesystem where the application process has write permissions. By uploading malicious files (such as scripts, executables, or overwriting configuration files like authorized_keys or cron jobs), an attacker can achieve Remote Code Execution (RCE) and completely compromise the server. This vulnerability is fixed in 1.4.3.
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, ASLR is reduced from roughly 4 billion guesses to about 8 guesses. This vulnerability can be chained with a heap overflow in the JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.
An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced.
Stack-based buffer overflow vulnerability exists in ELECOM wireless LAN access point devices. A crafted packet may lead to arbitrary code execution.
Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.
A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover. This issue affects MagicINFO 9 Server: less than 21.1090.1.
In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role user sends a specific request to the server, which responds with a password reset token in the 'recoveryToken' parameter. This token can then be used to reset the password of another user's account without authorization. The issue results from an excessive attack surface, allowing lower-privileged users to escalate their privileges and take over accounts.
It was found that the XPC service offered by the privileged helper of Native Access uses the PID of the connecting client to verify its code signature. This is considered insecure and can be exploited by PID reuse attacks. The connection handler function uses _xpc_connection_get_pid(arg2) as the argument for the hasValidSignature function. This value cannot be trusted, since it is vulnerable to PID reuse attacks.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion.
The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1
PHP Melody version 3
jsPDF is a library to generate PDFs in JavaScript
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3
Deep Instinct Windows Agent 1
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1
The Library Viewer WordPress plugin before 3
The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1
An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server
An unauthenticated remote attacker is able to use an existing session id of a logged in user and gain full access to the device if configuration via ethernet is enabled
The Amazon SageMaker Python SDK before v3
Memory Corruption when user space address is modified and passed to mem_free API, causing kernel memory to be freed inadvertently
Memory Corruption when multiple threads simultaneously access a memory free API
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc
An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via HTTP
An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (TCP)
In wlan, there is a possible out of bounds write due to a heap buffer overflow
In cameraisp, there is a possible escalation of privilege due to use after free
OpenClaw (aka clawdbot or Moltbot) before 2026
RaspAP raspap-webgui versions prior to 3
The unified WEBUI application of the ONT/Beacon device contains an input handling flaw that allows authenticated users to trigger unintended system-level command execution
In wlan STA driver, there is a possible escalation of privilege due to a missing bounds check
In Thread, there is a possible out of bounds write due to a missing bounds check
During the installation of the Native Access application, a privileged helper `com
OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices
OpenList Frontend is a UI component for OpenList
A flaw was found in libsoup
A vulnerability in the `lollms_generation_events
Mult-E-Cart Ultimate 2
Simple CMS 2
A flaw was found in fog-kubevirt
A flaw was found in foreman_kubevirt
OpenList Frontend is a UI component for OpenList
FacturaScripts is open-source enterprise resource planning and accounting software
Avast SecureLine 5
Veritas NetBackup 7
Iskysoft Application Framework Service 2
SpyHunter 4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges
BOOTP Turbo 2
DHCP Turbo 4
TFTP Turbo 4
EPSON EasyMP Network Projection 2
In imgsys, there is a possible out of bounds write due to a missing bounds check
In cameraisp, there is a possible out of bounds write due to a missing bounds check
Memory Corruption when initiating GPU memory mapping using scatter-gather lists due to unchecked IOMMU mapping errors
Memory Corruption while deallocating graphics processing unit memory buffers due to improper handling of memory pointers
Memory Corruption while processing IOCTL call to update sensor property settings with invalid input parameters
The installer for Roland Cloud Manager ver
A local attacker could cause a full device reset by resetting the device passwords using an invalid reset file via USB
IBM WebSphere Application Server Liberty 17
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AKCE Software Technology R&D Industry and Trade Inc
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kod8 Software Technologies Trade Ltd
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Seres Software syWEB allows Reflected XSS
In Modem, there is a possible system crash due to improper input validation
In Modem, there is a possible system crash due to a missing bounds check
In Modem, there is a possible system crash due to improper input validation
In Modem, there is a possible system crash due to a missing bounds check
In Modem, there is a possible system crash due to an uncaught exception
In wlan AP/STA firmware, there is a possible system becoming irresponsive due to an uncaught exception
In Modem, there is a possible system crash due to incorrect error handling
In Modem, there is a possible system crash due to improper input validation
In Modem, there is a possible system crash due to improper input validation
In lunary-ai/lunary version 1
A vulnerability in huggingface/text-generation-inference version 3
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AKCE Software Technology R&D Industry and Trade Inc
A vulnerability was found in EFM ipTIME A8004T 14
OS command injection vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B
Cryptographic issue when a Trusted Zone with outdated code is triggered by a HLOS providing incorrect input
IBM Business Automation Workflow containers V25
In mlflow version 2
OpenTelemetry-Go is the Go implementation of OpenTelemetry